Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix heap-buffer-overflow on binary paths containing non-ascii characters
Before this commit running
edb --run /home/ivan/Документы/a.out (Документы means "Documents" in Russian)
would cause heap-buffer-overflow in edb:
=================================================================
==26208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030004bd19b at pc 0x7f933a072274 bp 0x7ffd5dc26860 sp 0x7ffd5dc26010
WRITE of size 36 at 0x6030004bd19b thread T0
#0 0x7f933a072273
eteran#1 0x7f93242f2796 in strcpy bits/string_fortified.h:90
eteran#2 0x7f93242f2796 in DebuggerCorePlugin::Unix::execute_process(QString const&, QString const&, QList<QByteArray> const&) plugins/DebuggerCore/unix/Unix.cpp:179
eteran#3 0x7f93241d6dc5 in DebuggerCorePlugin::DebuggerCore::open(QString const&, QString const&, QList<QByteArray> const&, QString const&) plugins/DebuggerCore/unix/linux/DebuggerCore.cpp:925
eteran#4 0x62b26a in Debugger::commonOpen(QString const&, QList<QByteArray> const&) src/Debugger.cpp:3013
eteran#5 0x62cdde in Debugger::execute(QString const&, QList<QByteArray> const&) src/Debugger.cpp:3033
eteran#6 0xc5fa4d in start_debugger src/main.cpp:122
eteran#7 0xc634c8 in main src/main.cpp:255
eteran#8 0x7f93371b9b8d in __libc_start_main
eteran#9 0x4b7879 in _start
0x6030004bd19b is located 0 bytes to the right of 27-byte region [0x6030004bd180,0x6030004bd19b)
allocated by thread T0 here:
#0 0x7f933a10df40 in operator new[](unsigned long)
eteran#1 0x7f93242f2239 in DebuggerCorePlugin::Unix::execute_process(QString const&, QString const&, QList<QByteArray> const&) plugins/DebuggerCore/unix/Unix.cpp:178
SUMMARY: AddressSanitizer: heap-buffer-overflow (libasan.so.5+0x52273)
Shadow bytes around the buggy address:
0x0c068008f9e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c068008f9f0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x0c068008fa00: 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd fd fa
0x0c068008fa10: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
0x0c068008fa20: 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
=>0x0c068008fa30: 00 00 00[03]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068008fa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068008fa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068008fa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068008fa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068008fa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
The problem was caused by the fact that the buffer size is computed as
a string length in UTF-16 codeunits, but is written with UTF-8 (technically
currect system encoding) codeunits, so its length should equal to
the length of string in UTF-8 codeunits.- Loading branch information
