=================================================================
==21325==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000bd99 at pc 0x5575db11289c bp 0x7fff97747240 sp 0x7fff97747238
READ of size 1 at 0x62600000bd99 thread T0
#0 0x5575db11289b in re2c::Scanner::set_sourceline() src/ast/lex.cc:3413
#1 0x5575db11dd08 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:449
#2 0x5575db127257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
#3 0x5575db1355ee in yylex src/ast/parser.ypp:246
#4 0x5575db1355ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
#5 0x5575db13a773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
#6 0x5575db0598ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
#7 0x5575dae50a5c in main src/main.cc:31
#8 0x7f1d699992e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#9 0x5575dae51bd9 in _start (/home/hsalo/builds/re2c/8d5e57f409bb6a342688a0e6a34c78d54186aedd/bin/re2c+0x1ebd9)
0x62600000bd99 is located 0 bytes to the right of 11417-byte region [0x626000009100,0x62600000bd99)
allocated by thread T0 here:
#0 0x7f1d6a677d70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
#1 0x5575db0f4603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
#2 0x5575db11aa04 in re2c::Scanner::lex_string(char) src/ast/lex.cc:2454
#3 0x5575db11aa04 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:454
#4 0x5575db127257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
#5 0x5575db1355ee in yylex src/ast/parser.ypp:246
#6 0x5575db1355ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
#7 0x5575db13a773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
#8 0x5575db0598ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
#9 0x5575dae50a5c in main src/main.cc:31
#10 0x7f1d699992e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:3413 in re2c::Scanner::set_sourceline()
Shadow bytes around the buggy address:
0x0c4c7fff9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff9770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff97a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff97b0: 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21325==ABORTING
Tested commit: 8d5e57f
Tools: american fuzzy lop 2.52b, afl-utils
re2c-2018-12-03.txt
P.S. Should I send these via email or some other channel?