ASan heap-buffer-overflow src/dfa/tcmd.cc:175 in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) #238

Closed
fgeek opened this issue Jan 3, 2019 · 2 comments



@fgeek fgeek commented Jan 3, 2019

Tested commit 2f3e597 and reproducer re2c-2019-001.zip. Have a nice new year!

00000000  25 25 0a 30 30 30 30 30  30 30 30 30 00 00 30 08  |%%.000000000..0.|
00000010  05 30 00 30 30 25 7b 0a  20 20 72 65 32 63 3a 66  |.0.00%{.  re2c:f|
00000020  6c 61 67 73 3a 54 3d 38  30 30 30 20 20 3b 20 20  |lags:T=8000  ;  |
00000030  2f 2f 30 30 30 30 30 30  30 30 0a 23 70 30 72 7b  |//00000000.#p0r{|
00000040  33 33 33 33 7d 0a 20 23  70 7b 30 30 30 30 1e 13  |3333}. #p{0000..|
00000050  30 30 30 30 30 30 20 30  30 7d 23 70 30 72 7b 33  |000000 00}#p0r{3|
00000060  33 33 33 7d 23 70 59 72  0a 23 70 7b 30 30 30 30  |333}#pYr.#p{0000|
00000070  30 30 30 30 3c 30 30 30  30 30 30 08 0a 30 2f 30  |0000<000000..0/0|
00000080  0d 14 26 30 30 30 30 30  30 30 30 30 30 30 30 30  |..&0000000000000|
00000090  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000160  30 7d 0a 20 23 70 7b 30  30 30 30 1e 30 30 30 30  |0}. #p{0000.0000|
00000170  30 30 30 20 30 30 7d 0a  20 23 70 30 72 7b 33 33  |000 00}. #p0r{33|
00000180  33 33 7d 0a 20 23 70 7b  30 30 30 30 1e 13 30 30  |33}. #p{0000..00|
00000190  30 30 30 30 20 30 30 7d  0a 20 23 70 30 72 7b 33  |0000 00}. #p0r{3|
000001a0  33 33 33 7d 0a 20 23 70  59 72 0a 23 70 7b 30 30  |333}. #pYr.#p{00|
000001b0  30 30 20 00 30 30 30 30  30 30 20 30 30 7d 0a 20  |00 .000000 00}. |
000001c0  23 70 30 72 6f 30 3a 3d  e5 e5 30 30 30 30 30 30  |#p0ro0:=..000000|
000001d0  30 30 30 30 30 30 30 30  30 08 0a 2a 2f           |000000000..*/|
000001dd
=================================================================
==6485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000018d00 at pc 0x55e8e9ce41ad bp 0x7ffc0a627830 sp 0x7ffc0a627828
WRITE of size 4 at 0x621000018d00 thread T0
    #0 0x55e8e9ce41ac in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) src/dfa/tcmd.cc:175
    #1 0x55e8e9cc85aa in final_actions src/dfa/find_state.cc:200
    #2 0x55e8e9cc85aa in re2c::find_state(re2c::determ_context_t&) src/dfa/find_state.cc:121
    #3 0x55e8e9c9b54d in re2c::dfa_t::dfa_t(re2c::nfa_t const&, re2c::opt_t const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, re2c::Warn&) src/dfa/determinization.cc:56
    #4 0x55e8e9d480e0 in ast_to_dfa src/compile.cc:69
    #5 0x55e8e9d480e0 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:176
    #6 0x55e8e9b3ff7e in main src/main.cc:31
    #7 0x7f209d82f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #8 0x55e8e9b41059 in _start (/home/hsalo/builds/re2c/2f3e597abce36fb7f41413373308b7f13fc98181/bin/re2c+0x1f059)

0x621000018d00 is located 0 bytes to the right of 4096-byte region [0x621000017d00,0x621000018d00)
allocated by thread T0 here:
    #0 0x7f209e50cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55e8e9ce3ccc in slab_allocator_t<4294967295u, 4096u, 8ul>::alloc(unsigned long) src/util/slab_allocator.h:50
    #2 0x55e8e9ce3ccc in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long) src/dfa/tcmd.cc:168
    #3 0x55e8e9cc85aa in final_actions src/dfa/find_state.cc:200
    #4 0x55e8e9cc85aa in re2c::find_state(re2c::determ_context_t&) src/dfa/find_state.cc:121
    #5 0x55e8e9c9b54d in re2c::dfa_t::dfa_t(re2c::nfa_t const&, re2c::opt_t const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, re2c::Warn&) src/dfa/determinization.cc:56
    #6 0x55e8e9d480e0 in ast_to_dfa src/compile.cc:69
    #7 0x55e8e9d480e0 in re2c::compile(re2c::Scanner&, re2c::Output&, re2c::Opt&) src/compile.cc:176
    #8 0x55e8e9b3ff7e in main src/main.cc:31
    #9 0x7f209d82f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/dfa/tcmd.cc:175 in re2c::tcpool_t::make_add(re2c::tcmd_t*, int, int, re2c::tag_history_t const&, unsigned int, unsigned long)
Shadow bytes around the buggy address:
  0x0c427fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb1a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6485==ABORTING
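The report above says everything a reader needs about the bug's shape: `slab_allocator_t<4294967295u, 4096u, 8ul>::alloc` hands back memory carved from a 4096-byte slab, and `make_add` then writes four bytes exactly at the end of that region, i.e. the request was larger than the slab could hold. Below is an added example, written for this page and not re2c's code, of a minimal slab allocator with the size check that this pattern needs: a request that cannot fit in a slab gets its own block instead of being carved past the slab's end. The slab size and alignment (4096 and 8) are taken from the template arguments in the trace; everything else (`slab_pool_t`, `slab_alloc`, `slab_pool_owns`, `slab_demo`) is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLAB_SIZE  4096u   /* slab size from the trace (constructed example) */
#define SLAB_ALIGN 8u      /* alignment from the trace */

/* One block of memory; oversized requests get a block of their own. */
typedef struct chunk {
    struct chunk *next;
    size_t size;            /* usable bytes in data */
    size_t used;            /* bytes already handed out */
    unsigned char *data;
} chunk_t;

typedef struct {
    chunk_t *chunks;        /* every block, newest first, freed together */
    chunk_t *current;       /* slab currently being carved */
    size_t oversized;       /* requests that bypassed the slab path */
} slab_pool_t;

static size_t align_up(size_t n) {
    return (n + SLAB_ALIGN - 1) & ~(size_t)(SLAB_ALIGN - 1);
}

static chunk_t *chunk_new(slab_pool_t *pool, size_t size) {
    chunk_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->data = malloc(size);
    if (!c->data) { free(c); return NULL; }
    c->size = size;
    c->used = 0;
    c->next = pool->chunks;
    pool->chunks = c;
    return c;
}

void slab_pool_init(slab_pool_t *pool) {
    pool->chunks = NULL;
    pool->current = NULL;
    pool->oversized = 0;
}

/* Hand out n bytes. The `need > SLAB_SIZE` test is the check whose absence
 * produces an out-of-bounds write like the one ASan reported: without it the
 * returned pointer is inside the slab but the request's tail is not. */
void *slab_alloc(slab_pool_t *pool, size_t n) {
    if (n == 0) n = 1;
    if (n > SIZE_MAX - SLAB_ALIGN) return NULL;     /* align_up would wrap */
    size_t need = align_up(n);

    if (need > SLAB_SIZE) {                          /* dedicated block */
        chunk_t *c = chunk_new(pool, need);
        if (!c) return NULL;
        c->used = need;
        pool->oversized++;
        return c->data;
    }
    chunk_t *cur = pool->current;
    if (!cur || cur->size - cur->used < need) {     /* open a fresh slab */
        cur = chunk_new(pool, SLAB_SIZE);
        if (!cur) return NULL;
        pool->current = cur;
    }
    void *p = cur->data + cur->used;
    cur->used += need;
    return p;
}

void slab_pool_free(slab_pool_t *pool) {
    chunk_t *c = pool->chunks;
    while (c) { chunk_t *next = c->next; free(c->data); free(c); c = next; }
    slab_pool_init(pool);
}

/* Returns 1 if [p, p+n) lies entirely inside one block owned by pool. */
int slab_pool_owns(const slab_pool_t *pool, const void *p, size_t n) {
    uintptr_t q = (uintptr_t)p;
    for (const chunk_t *c = pool->chunks; c; c = c->next) {
        uintptr_t base = (uintptr_t)c->data;
        if (q >= base && n <= c->size && q - base <= c->size - n) return 1;
    }
    return 0;
}

/* Self-check: one small and one oversized request, both fully written. */
int slab_demo(void) {
    slab_pool_t pool;
    slab_pool_init(&pool);
    void *small = slab_alloc(&pool, 100);
    void *big   = slab_alloc(&pool, 5000);          /* larger than a slab */
    int ok = small && big
          && slab_pool_owns(&pool, small, 100)
          && slab_pool_owns(&pool, big, 5000)
          && pool.oversized == 1
          && ((uintptr_t)big % SLAB_ALIGN) == 0;
    if (ok) { memset(small, 0xAA, 100); memset(big, 0xBB, 5000); }
    slab_pool_free(&pool);
    return ok;
}
```

`slab_pool_owns` is the kind of invariant worth keeping in a debug build of any arena or slab allocator: every pointer handed out, together with its full length, must lie inside a block the pool actually owns. Running the self-check under `-fsanitize=address` is the cheapest way to confirm the fix holds for a given slab size.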
skvadrik added a commit that referenced this issue Jan 4, 2019
…of large allocation size.

This fixes bug #238.
Found by american fuzzy lop (thanks to Henri Salo).
Owner

@skvadrik skvadrik commented Jan 4, 2019

Pushed a fix: fa91229

@fgeek Happy new year to you as well, and thanks for all the bug reports!

skvadrik added a commit that referenced this issue Jan 4, 2019
Author

@fgeek fgeek commented Jan 5, 2019

Fix confirmed.

@fgeek fgeek closed this Jan 5, 2019
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Sep 20, 2020
2.0.3 (2020-08-22)
~~~~~~~~~~~~~~~~~~

- Fix issues when building re2c as a CMake subproject
  (`#302 <https://github.com/skvadrik/re2c/pull/302>`_:

- Final corrections in the SIMPA article "RE2C: A lexer generator based on
  lookahead-TDFA", https://doi.org/10.1016/j.simpa.2020.100027

2.0.2 (2020-08-08)
~~~~~~~~~~~~~~~~~~

- Enable re2go building by default.

- Package CMake files into release tarball.

2.0.1 (2020-07-29)
~~~~~~~~~~~~~~~~~~

- Updated version for CMake build system (forgotten in release 2.0).

- Added a short article about re2c for the Software Impacts journal.

2.0 (2020-07-20)
~~~~~~~~~~~~~~~~

- Added new code generation backend for Go and a new ``re2go`` program
  (`#272 <https://github.com/skvadrik/re2c/issues/272>`_: Go support).
  Added option ``--lang <c | go>``.

- Added CMake build system as an alternative to Autotools
  (`#275 <https://github.com/skvadrik/re2c/pull/275>`_:
  Add a CMake build system (thanks to ligfx),
  `#244 <https://github.com/skvadrik/re2c/issues/244>`_: Switching to CMake).

- Changes in generic API:

  + Removed primitives ``YYSTAGPD`` and ``YYMTAGPD``.
  + Added primitives ``YYSHIFT``, ``YYSHIFTSTAG``, ``YYSHIFTMTAG``
    that allow to express fixed tags in terms of generic API.
  + Added configurations ``re2c:api:style`` and ``re2c:api:sigil``.
  + Added named placeholders in interpolated configuration strings.

- Changes in reuse mode (``-r, --reuse`` option):

  + Do not reset API-related configurations in each `use:re2c` block
    (`#291 <https://github.com/skvadrik/re2c/issues/291>`_:
    Defines in rules block are not propagated to use blocks).
  + Use block-local options instead of last block options.
  + Do not accumulate options from rules/reuse blocks in whole-program options.
  + Generate non-overlapping YYFILL labels for reuse blocks.
  + Generate start label for each reuse block in storable state mode.

- Changes in start-conditions mode (``-c, --start-conditions`` option):

  + Allow to use normal (non-conditional) blocks in `-c` mode
    (`#263 <https://github.com/skvadrik/re2c/issues/263>`_:
    allow mixing conditional and non-conditional blocks with -c,
    `#296 <https://github.com/skvadrik/re2c/issues/296>`_:
    Conditions required for all lexers when using '-c' option).
  + Generate condition switch in every re2c block
    (`#295 <https://github.com/skvadrik/re2c/issues/295>`_:
    Condition switch generated for only one lexer per file).

- Changes in the generated labels:

  + Use ``yyeof`` label prefix instead of ``yyeofrule``.
  + Use ``yyfill`` label prefix instead of ``yyFillLabel``.
  + Decouple start label and initial label (affects label numbering).

- Removed undocumented configuration ``re2c:flags:o``, ``re2c:flags:output``.

- Changes in ``re2c:flags:t``, ``re2c:flags:type-header`` configuration:
  filename is now relative to the output file directory.

- Added option ``--case-ranges`` and configuration ``re2c:flags:case-ranges``.

- Extended fixed tags optimization for the case of fixed-counter repetition.

- Fixed bugs related to EOF rule:

  + `#276 <https://github.com/skvadrik/re2c/issues/276>`_:
    Example 01_fill.re in docs is broken
  + `#280 <https://github.com/skvadrik/re2c/issues/280>`_:
    EOF rules with multiple blocks
  + `#284 <https://github.com/skvadrik/re2c/issues/284>`_:
    mismatched YYBACKUP and YYRESTORE
    (Add missing fallback states with EOF rule)

- Fixed miscellaneous bugs:

  + `#286 <https://github.com/skvadrik/re2c/issues/286>`_:
    Incorrect submatch values with fixed-length trailing context.
  + `#297 <https://github.com/skvadrik/re2c/issues/297>`_:
    configure error on ubuntu 18.04 / cmake 3.10

- Changed bootstrap process (require explicit configuration flags and a path to
  re2c executable to regenerate the lexers).

- Added internal options ``--posix-prectable <naive | complex>``.

- Added debug option ``--dump-dfa-tree``.

- Major revision of the paper "Efficient POSIX submatch extraction on NFA".

----
1.3x
----

1.3 (2019-12-14)
~~~~~~~~~~~~~~~~

- Added option: ``--stadfa``.

- Added warning: ``-Wsentinel-in-midrule``.

- Added generic API primitives:

  + ``YYSTAGPD``
  + ``YYMTAGPD``

- Added configurations:

  + ``re2c:sentinel = 0;``
  + ``re2c:define:YYSTAGPD = "YYSTAGPD";``
  + ``re2c:define:YYMTAGPD = "YYMTAGPD";``

- Worked on reproducible builds
  (`#258 <https://github.com/skvadrik/re2c/pull/258>`_:
  Make the build reproducible).

----
1.2x
----

1.2.1 (2019-08-11)
~~~~~~~~~~~~~~~~~~

- Fixed bug `#253 <https://github.com/skvadrik/re2c/issues/253>`_:
  re2c should install unicode_categories.re somewhere.

- Fixed bug `#254 <https://github.com/skvadrik/re2c/issues/254>`_:
  Turn off re2c:eof = 0.

1.2 (2019-08-02)
~~~~~~~~~~~~~~~~

- Added EOF rule ``$`` and configuration ``re2c:eof``.

- Added ``/*!include:re2c ... */`` directive and ``-I`` option.

- Added ``/*!header:re2c:on*/`` and ``/*!header:re2c:off*/`` directives.

- Added ``--input-encoding <ascii | utf8>`` option.

  + `#237 <https://github.com/skvadrik/re2c/issues/237>`_:
    Handle non-ASCII encoded characters in regular expressions
  + `#250 <https://github.com/skvadrik/re2c/issues/250>`_
    UTF8 enoding

- Added include file with a list of definitions for Unicode character classes.

  + `#235 <https://github.com/skvadrik/re2c/issues/235>`_:
    Unicode character classes

- Added ``--location-format <gnu | msvc>`` option.

  + `#195 <https://github.com/skvadrik/re2c/issues/195>`_:
    Please consider using Gnu format for error messages

- Added ``--verbose`` option that prints "success" message if re2c exits
  without errors.

- Added configurations for options:

  + ``-o --output`` (specify output file)
  + ``-t --type-header`` (specify header file)

- Removed configurations for internal/debug options.

- Extended ``-r`` option: allow to mix multiple ``/*!rules:re2c*/``,
  ``/*!use:re2c*/`` and ``/*!re2c*/`` blocks.

  + `#55 <https://github.com/skvadrik/re2c/issues/55>`_:
    allow standard re2c blocks in reuse mode

- Fixed ``-F --flex-support`` option: parsing and operator precedence.

  + `#229 <https://github.com/skvadrik/re2c/issues/229>`_:
    re2c option -F (flex syntax) broken
  + `#242 <https://github.com/skvadrik/re2c/issues/242>`_:
    Operator precedence with --flex-syntax is broken

- Changed difference operator ``/`` to apply before encoding expansion of
  operands.

  + `#236 <https://github.com/skvadrik/re2c/issues/236>`_:
    Support range difference with variable-length encodings

- Changed output generation of output file to be atomic.

  + `#245 <https://github.com/skvadrik/re2c/issues/245>`_:
    re2c output is not atomic

- Authored research paper "Efficient POSIX Submatch Extraction on NFA"
  together with Dr Angelo Borsotti.

- Added experimental libre2c library (``--enable-libs`` configure option) with
  the following algorithms:

  + TDFA with leftmost-greedy disambiguation
  + TDFA with POSIX disambiguation (Okui-Suzuki algorithm)
  + TNFA with leftmost-greedy disambiguation
  + TNFA with POSIX disambiguation (Okui-Suzuki algorithm)
  + TNFA with lazy POSIX disambiguation (Okui-Suzuki algorithm)
  + TNFA with POSIX disambiguation (Kuklewicz algorithm)
  + TNFA with POSIX disambiguation (Cox algorithm)

- Added debug subsystem (``--enable-debug`` configure option) and new debug
  options:

  + ``-dump-cfg`` (dump control flow graph of tag variables)
  + ``-dump-interf`` (dump interference table of tag variables)
  + ``-dump-closure-stats`` (dump epsilon-closure statistics)

- Added internal options:

  + ``--posix-closure <gor1 | gtop>`` (switch between shortest-path algorithms
    used for the construction of POSIX closure)

- Fixed a number of crashes found by American Fuzzy Lop fuzzer:

  + `#226 <https://github.com/skvadrik/re2c/issues/226>`_,
    `#227 <https://github.com/skvadrik/re2c/issues/227>`_,
    `#228 <https://github.com/skvadrik/re2c/issues/228>`_,
    `#231 <https://github.com/skvadrik/re2c/issues/231>`_,
    `#232 <https://github.com/skvadrik/re2c/issues/232>`_,
    `#233 <https://github.com/skvadrik/re2c/issues/233>`_,
    `#234 <https://github.com/skvadrik/re2c/issues/234>`_,
    `#238 <https://github.com/skvadrik/re2c/issues/238>`_

- Fixed handling of newlines:

  + correctly parse multi-character newlines CR LF in ``#line`` directives
  + consistently convert all newlines in the generated file to Unix-style LF

- Changed default tarball format from .gz to .xz.

  + `#221 <https://github.com/skvadrik/re2c/issues/221>`_:
    big source tarball

- Fixed a number of other bugs and resolved issues:

  + `#2 <https://github.com/skvadrik/re2c/issues/2>`_: abort
  + `#6 <https://github.com/skvadrik/re2c/issues/6>`_: segfault
  + `#10 <https://github.com/skvadrik/re2c/issues/10>`_:
    lessons/002_upn_calculator/calc_002 doesn't produce a useful example program
  + `#44 <https://github.com/skvadrik/re2c/issues/44>`_:
    Access violation when translating the attached file
  + `#49 <https://github.com/skvadrik/re2c/issues/49>`_:
    wildcard state \000 rules makes lexer behave weard
  + `#98 <https://github.com/skvadrik/re2c/issues/98>`_:
    Transparent handling of #line directives in input files
  + `#104 <https://github.com/skvadrik/re2c/issues/104>`_:
    Improve const-correctness
  + `#105 <https://github.com/skvadrik/re2c/issues/105>`_:
    Conversion of pointer parameters into references
  + `#114 <https://github.com/skvadrik/re2c/issues/114>`_:
    Possibility of fixing bug 2535084
  + `#120 <https://github.com/skvadrik/re2c/issues/120>`_:
    condition consisting of default rule only is ignored
  + `#167 <https://github.com/skvadrik/re2c/issues/167>`_:
    Add word boundary support
  + `#168 <https://github.com/skvadrik/re2c/issues/168>`_:
    Wikipedia's article on re2c
  + `#180 <https://github.com/skvadrik/re2c/issues/180>`_:
    Comment syntax?
  + `#182 <https://github.com/skvadrik/re2c/issues/182>`_:
    yych being set by YYPEEK () and then not used
  + `#196 <https://github.com/skvadrik/re2c/issues/196>`_:
    Implicit type conversion warnings
  + `#198 <https://github.com/skvadrik/re2c/issues/198>`_:
    no match for ‘operator!=’ in ‘i != std::vector<_Tp, _Alloc>::rend() [with _Tp = re2c::bitmap_t, _Alloc = std::allocator<re2c::bitmap_t>]()’
  + `#210 <https://github.com/skvadrik/re2c/issues/210>`_:
    How to build re2c in windows?
  + `#215 <https://github.com/skvadrik/re2c/issues/215>`_:
    A memory read overrun issue in s_to_n32_unsafe.cc
  + `#220 <https://github.com/skvadrik/re2c/issues/220>`_:
    src/dfa/dfa.h: simplify constructor to avoid g++-3.4 bug
  + `#223 <https://github.com/skvadrik/re2c/issues/223>`_:
    Fix typo
  + `#224 <https://github.com/skvadrik/re2c/issues/224>`_:
    src/dfa/closure_posix.cc: pack() tweaks
  + `#225 <https://github.com/skvadrik/re2c/issues/225>`_:
    Documentation link is broken in libre2c/README
  + `#230 <https://github.com/skvadrik/re2c/issues/230>`_:
    Changes for upcoming Travis' infra migration
  + `#239 <https://github.com/skvadrik/re2c/issues/239>`_:
    Push model example has wrong re2c invocation, breaks guide
  + `#241 <https://github.com/skvadrik/re2c/issues/241>`_:
    Guidance on how to use re2c for full-duplex command & response protocol
  + `#243 <https://github.com/skvadrik/re2c/issues/243>`_:
    A code generated for period (.) requires 4 bytes
  + `#246 <https://github.com/skvadrik/re2c/issues/246>`_:
    Please add a license to this repo
  + `#247 <https://github.com/skvadrik/re2c/issues/247>`_:
    Build failure on current Cygwin, probably caused by force-fed c++98 mode
  + `#248 <https://github.com/skvadrik/re2c/issues/248>`_:
    distcheck still looks for README
  + `#251 <https://github.com/skvadrik/re2c/issues/251>`_:
    Including what you use is find, but not without inclusion guards

- Updated documentation and website.