Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lou_translate may suffer from a stack-buffer-overflow on a stack variable inbuf defined in translate_input. Relevant files are available here.
lou_translate
inbuf
translate_input
Command lines to trigger the crashes:
lou_translate hu-hu-g2.ctb < so_lou_translateString.c:358_1 lou_translate hu-hu-g2.ctb < so_lou_translateString.c:358_2 lou_translate afr-za-g1.ctb < so_lou_translateString.c:358_3 lou_translate afr-za-g1.ctb < so_lou_translateString.c:358_4 lou_translate zhcn-g2.ctb < so_lou_translateString.c:358_5 lou_translate zhcn-g2.ctb < so_lou_translateString.c:358_6
A sample ASAN output is like:
warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. warning: invalid UTF-8. Assuming Latin-1. ================================================================= ==20334==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd15a23240 at pc 0x7fae8e277c91 bp 0x7ffd15a1f6d0 sp 0x7ffd15a1f6c8 READ of size 2 at 0x7ffd15a23240 thread T0 #0 0x7fae8e277c90 in matchCurrentInput /home/exp/FOT/liblouis/liblouis/lou_translateString.c:358:7 #1 0x7fae8e2729b7 in passDoTest /home/exp/FOT/liblouis/liblouis/lou_translateString.c:745:14 #2 0x7fae8e2715ae in findForPassRule /home/exp/FOT/liblouis/liblouis/lou_translateString.c:206:7 #3 0x7fae8e2627b6 in makeCorrections /home/exp/FOT/liblouis/liblouis/lou_translateString.c:255:8 #4 0x7fae8e25f51c in _lou_translateWithTracing /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1222:16 #5 0x7fae8e25d238 in lou_translate /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1070:9 #6 0x7fae8e25d153 in lou_translateString /home/exp/FOT/liblouis/liblouis/lou_translateString.c:1062:9 #7 0x51338b in translate_input /home/exp/FOT/liblouis/tools/lou_translate.c:73:13 #8 0x512d3e in main /home/exp/FOT/liblouis/tools/lou_translate.c:199:2 #9 0x7fae8d26ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #10 0x41a209 in _start (/home/exp/FOT/liblouis/install/bin/lou_translate+0x41a209) Address 0x7ffd15a23240 is located in stack of thread T0 at offset 6336 in frame #0 0x512edf in translate_input /home/exp/FOT/liblouis/tools/lou_translate.c:53 This frame has 6 object(s): [32, 2080) 'charbuf' (line 54) [2208, 2216) 'outlen' (line 56) [2240, 6336) 'inbuf' (line 57) <== Memory access at offset 6336 overflows this variable [6464, 10560) 'transbuf' (line 58) [10688, 10692) 'inlen' (line 59) [10704, 10708) 'translen' (line 60) HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/exp/FOT/liblouis/liblouis/lou_translateString.c:358:7 in matchCurrentInput Shadow bytes around the buggy address: 0x100022b3c5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100022b3c640: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 0x100022b3c650: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 0x100022b3c660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100022b3c690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==20334==ABORTING
The text was updated successfully, but these errors were encountered:
5e40896
No branches or pull requests
lou_translatemay suffer from a stack-buffer-overflow on a stack variableinbufdefined intranslate_input.Relevant files are available here.
Command lines to trigger the crashes:
A sample ASAN output is like:
The text was updated successfully, but these errors were encountered: