AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2455 in re2c::Scanner::lex_string(char) #234

Closed
fgeek opened this issue Dec 6, 2018 · 2 comments

Comments

@fgeek commented Dec 6, 2018

Tested commit: 8d5e57f
Tools: american fuzzy lop 2.52b, afl-utils
re2c-crashes-2018-12-06-003.txt

=================================================================
==5921==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000bf2d at pc 0x55c1d7099aa9 bp 0x7fff30c08fc0 sp 0x7fff30c08fb8
READ of size 1 at 0x62800000bf2d thread T0
    #0 0x55c1d7099aa8 in re2c::Scanner::lex_string(char) src/ast/lex.cc:2455
    #1 0x55c1d7099aa8 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:454
    #2 0x55c1d70a4257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #3 0x55c1d70b25ee in yylex src/ast/parser.ypp:246
    #4 0x55c1d70b25ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #5 0x55c1d70b7773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #6 0x55c1d6fd68ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #7 0x55c1d6dcda5c in main src/main.cc:31
    #8 0x7ff5c8c412e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #9 0x55c1d6dcebd9 in _start (/home/afl/builds/re2c/8d5e57f409bb6a342688a0e6a34c78d54186aedd/bin/re2c+0x1ebd9)

0x62800000bf2d is located 0 bytes to the right of 15917-byte region [0x628000008100,0x62800000bf2d)
allocated by thread T0 here:
    #0 0x7ff5c991fd70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x55c1d7071603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
    #2 0x55c1d70971e0 in re2c::Scanner::lex_code_in_braces() src/ast/lex.cc:2252
    #3 0x55c1d70a4257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #4 0x55c1d70b25ee in yylex src/ast/parser.ypp:246
    #5 0x55c1d70b25ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #6 0x55c1d70b7773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #7 0x55c1d6fd68ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #8 0x55c1d6dcda5c in main src/main.cc:31
    #9 0x7ff5c8c412e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2455 in re2c::Scanner::lex_string(char)
Shadow bytes around the buggy address:
==5921==ABORTING
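When a fuzzing run produces many reports like the one above, the first triage step is to pull out the error kind, the access, the crash site and the allocation site so that duplicates (the owner's fix below also closes #232 and #233) can be bucketed. The following is an added example, not code from this issue or from re2c: a small parser for the AddressSanitizer report format quoted above. The sample text is this issue's report, abbreviated, and it is assumed that `libasan` in a frame's location is the only marker of a sanitizer-runtime frame to skip.

```python
import re

# Constructed sample: the report quoted in this issue, abbreviated
# (later frames and the shadow-byte dump omitted).
SAMPLE_REPORT = """\
=================================================================
==5921==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000bf2d at pc 0x55c1d7099aa9 bp 0x7fff30c08fc0 sp 0x7fff30c08fb8
READ of size 1 at 0x62800000bf2d thread T0
    #0 0x55c1d7099aa8 in re2c::Scanner::lex_string(char) src/ast/lex.cc:2455
    #1 0x55c1d7099aa8 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:454
0x62800000bf2d is located 0 bytes to the right of 15917-byte region [0x628000008100,0x62800000bf2d)
allocated by thread T0 here:
    #0 0x7ff5c991fd70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x55c1d7071603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2455 in re2c::Scanner::lex_string(char)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")


def parse_asan_report(text):
    """Extract the triage-relevant fields from a single ASan report."""
    info = {"kind": None, "addr": None, "op": None, "size": None,
            "offset": None, "side": None, "region_size": None,
            "frames": [], "alloc_frames": []}
    frames = info["frames"]          # frames go here until the allocation trace starts
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["addr"] = m["kind"], m["addr"]
        elif m := ACCESS_RE.match(line):
            info["op"], info["size"] = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            info["offset"], info["side"], info["region_size"] = int(m["off"]), m["side"], int(m["size"])
        elif line.startswith("allocated by"):
            frames = info["alloc_frames"]   # subsequent #N lines describe the allocation site
        elif m := FRAME_RE.match(line):
            frames.append((m["func"], m["loc"]))
    return info


def triage_key(info):
    """De-duplication bucket: error kind, access type and the first crash frame
    outside the sanitizer runtime (assumed to be recognisable by 'libasan')."""
    for _func, loc in info["frames"]:
        if "libasan" not in loc:
            return f"{info['kind']}:{info['op']}:{loc}"
    return f"{info['kind']}:{info['op']}:unknown"
```

Two reports whose `triage_key` values match are very likely the same bug; the offset and region size tell you at a glance that this is a one-byte read exactly at the end of the lexer buffer.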
@skvadrik (Owner) commented Dec 6, 2018

Pushed a fix: 2f3e597. This also fixes #232 and #233.

@fgeek (Author) commented Dec 8, 2018

Fix confirmed.

@fgeek fgeek closed this Dec 8, 2018
