
AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2253 in re2c::Scanner::lex_code_in_braces() #233

Closed
fgeek opened this issue Dec 6, 2018 · 2 comments

Comments

@fgeek

commented Dec 6, 2018

Tested commit: 8d5e57f
Tools: american fuzzy lop 2.52b, afl-utils
re2c-crashes-2018-12-06-002.txt

=================================================================
==11732==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000013c47 at pc 0x559e181e09bc bp 0x7ffc5cb7a5a0 sp 0x7ffc5cb7a598
READ of size 1 at 0x62d000013c47 thread T0
    #0 0x559e181e09bb in re2c::Scanner::lex_code_in_braces() src/ast/lex.cc:2253
    #1 0x559e181e9257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #2 0x559e181f75ee in yylex src/ast/parser.ypp:246
    #3 0x559e181f75ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #4 0x559e181fc773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #5 0x559e1811b8ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #6 0x559e17f12a5c in main src/main.cc:31
    #7 0x7fef1455d2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x559e17f13bd9 in _start (/home/afl/builds/re2c/8d5e57f409bb6a342688a0e6a34c78d54186aedd/bin/re2c+0x1ebd9)

0x62d000013c47 is located 0 bytes to the right of 38983-byte region [0x62d00000a400,0x62d000013c47)
allocated by thread T0 here:
    #0 0x7fef1523bd70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x559e181b6603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
    #2 0x559e181dc1e0 in re2c::Scanner::lex_code_in_braces() src/ast/lex.cc:2252
    #3 0x559e181e9257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #4 0x559e181f75ee in yylex src/ast/parser.ypp:246
    #5 0x559e181f75ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #6 0x559e181fc773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #7 0x559e1811b8ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #8 0x559e17f12a5c in main src/main.cc:31
    #9 0x7fef1455d2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2253 in re2c::Scanner::lex_code_in_braces()
==11732==ABORTING

skvadrik added a commit that referenced this issue Dec 6, 2018

Lexer: use YYMAXFILL padding and don't forget to shift tag variables in YYFILL.

This fixes bug #232, #233 and #234.
Found by american fuzzy lop (thanks to Henri Salo).
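The commit message names the two things a refill routine has to do: keep YYMAXFILL bytes of padding past the end of the buffered data so the lexer's lookahead never reads off the end of the allocation (the read "0 bytes to the right" of the region in the ASan report above), and move tag pointers along with the data when the buffer is shifted or reallocated. The following is an added example that models that contract in plain C; it is not re2c's Scanner code, and YYMAXFILL = 4, CHUNK, buf_t and its field names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* YYMAXFILL: longest lookahead the generated lexer may request (assumed 4 here); CHUNK: bytes per refill. */
#define YYMAXFILL 4
#define CHUNK 16

typedef struct {
    char *bot, *lim, *cur, *tok, *tag; /* buffer start, end of data, cursor, token start, submatch tag */
    size_t cap;                        /* allocation size: always data + at least YYMAXFILL padding */
    const char *src; size_t srclen;    /* unread source input (constructed in the caller) */
} buf_t;

static int buf_init(buf_t *b, const char *src, size_t srclen)
{
    b->cap = CHUNK + YYMAXFILL;
    if (!(b->bot = malloc(b->cap))) return 0;
    b->lim = b->cur = b->tok = b->bot; b->tag = NULL;
    b->src = src; b->srclen = srclen;
    return 1;
}

/* YYFILL: drop the consumed prefix, pull in more input, and keep YYMAXFILL NUL
 * sentinels past lim so a lookahead of up to YYMAXFILL bytes stays inside the allocation. */
static int yyfill(buf_t *b)
{
    size_t used = (size_t)(b->lim - b->tok);
    ptrdiff_t cur_off = b->cur - b->tok, tag_off = b->tag ? b->tag - b->tok : -1;
    memmove(b->bot, b->tok, used);                 /* 1. shift live data to the bottom */
    if (used + CHUNK + YYMAXFILL > b->cap) {       /* 2. grow: data + one chunk + padding */
        size_t ncap = used + CHUNK + YYMAXFILL;
        char *nbot = realloc(b->bot, ncap);
        if (!nbot) return 0;
        b->bot = nbot; b->cap = ncap;
    }
    /* 3. rebase every pointer into the buffer; a tag left unshifted is the bug the commit names */
    b->tok = b->bot; b->cur = b->tok + cur_off; b->lim = b->tok + used;
    b->tag = tag_off >= 0 ? b->tok + tag_off : NULL;
    size_t n = b->srclen < CHUNK ? b->srclen : CHUNK;   /* 4. copy input, then pad */
    memcpy(b->lim, b->src, n);
    b->src += n; b->srclen -= n; b->lim += n;
    memset(b->lim, 0, YYMAXFILL);
    return 1;
}

/* Bytes a lookahead read starting at cur may touch without leaving the allocation. */
static size_t readable_at_cur(const buf_t *b) { return (size_t)(b->bot + b->cap - b->cur); }
```

Without step 4's padding, an input whose length is exactly the buffer size leaves lim equal to bot + cap, and the first lookahead past the last byte is the one-byte heap read ASan reports; without step 3 applied to tag, the tag still points into the old, stale position after the shift.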
@skvadrik

Owner

commented Dec 6, 2018

Pushed a fix: 2f3e597. This also fixes #232 and #234.

@fgeek

Author

commented Dec 8, 2018

Fix confirmed.

@fgeek fgeek closed this Dec 8, 2018
