AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2455 in re2c::Scanner::lex_string(char) #234

@fgeek

Description

Tested commit: 8d5e57f
Tools: american fuzzy lop 2.52b, afl-utils
re2c-crashes-2018-12-06-003.txt

=================================================================
==5921==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62800000bf2d at pc 0x55c1d7099aa9 bp 0x7fff30c08fc0 sp 0x7fff30c08fb8
READ of size 1 at 0x62800000bf2d thread T0
    #0 0x55c1d7099aa8 in re2c::Scanner::lex_string(char) src/ast/lex.cc:2455
    #1 0x55c1d7099aa8 in re2c::Scanner::lex_code_in_braces() ../src/ast/lex.re:454
    #2 0x55c1d70a4257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #3 0x55c1d70b25ee in yylex src/ast/parser.ypp:246
    #4 0x55c1d70b25ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #5 0x55c1d70b7773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #6 0x55c1d6fd68ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #7 0x55c1d6dcda5c in main src/main.cc:31
    #8 0x7ff5c8c412e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #9 0x55c1d6dcebd9 in _start (/home/afl/builds/re2c/8d5e57f409bb6a342688a0e6a34c78d54186aedd/bin/re2c+0x1ebd9)

0x62800000bf2d is located 0 bytes to the right of 15917-byte region [0x628000008100,0x62800000bf2d)
allocated by thread T0 here:
    #0 0x7ff5c991fd70 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2d70)
    #1 0x55c1d7071603 in re2c::Scanner::fill(unsigned int) src/ast/scanner.cc:47
    #2 0x55c1d70971e0 in re2c::Scanner::lex_code_in_braces() src/ast/lex.cc:2252
    #3 0x55c1d70a4257 in re2c::Scanner::scan(re2c::conopt_t const*) ../src/ast/lex.re:240
    #4 0x55c1d70b25ee in yylex src/ast/parser.ypp:246
    #5 0x55c1d70b25ee in yyparse(re2c::context_t&) src/ast/parser.cc:1215
    #6 0x55c1d70b7773 in re2c::parse(re2c::Scanner&, std::vector<re2c::spec_t, std::allocator<re2c::spec_t> >&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, re2c::AST const*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, re2c::AST const*> > >&, re2c::Opt&) src/ast/parser.ypp:257
    #7 0x55c1d6fd68ee in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:159
    #8 0x55c1d6dcda5c in main src/main.cc:31
    #9 0x7ff5c8c412e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ast/lex.cc:2455 in re2c::Scanner::lex_string(char)
Shadow bytes around the buggy address:
  0x0c507fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff97a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff97d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c507fff97e0: 00 00 00 00 00[05]fa fa fa fa fa fa fa fa fa fa
  0x0c507fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5921==ABORTING