Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSan may incorrectly report buffer overflow due to undefined behavior #51

Closed
kcwu opened this issue Nov 27, 2016 · 2 comments
Closed

MSan may incorrectly report buffer overflow due to undefined behavior #51

kcwu opened this issue Nov 27, 2016 · 2 comments

Comments

@kcwu
Copy link
Contributor

kcwu commented Nov 27, 2016
edited
Loading

I cannot recall the exact case confusing MSan. Something like this:

short bar[N];
short foo[len];  // len=0;

MSan may report buffer overflow when access bar.

Build w3m with clang -fsanitize=undefined

case1

00000000: 3c74 6162 6c65 3e30 3c74 643e            <table>0<td>

$ w3m.ubsan -T text/html -dump case1
table.c:1222:18: runtime error: variable length array bound evaluates to non-positive value 0

case2

00000000: 3c74 6162 6c65 3e                        <table>

$ w3m.ubsan -T text/html -dump case2
table.c:1574:20: runtime error: variable length array bound evaluates to non-positive value 0

I don't know they are security related or not. But since MSan may be confused. I think they are worth to fix.

This is found by afl-fuzz.
@kcwu kcwu changed the title ASan may incorrectly report buffer overflow due to undefined behavior MSan may incorrectly report buffer overflow due to undefined behavior Dec 10, 2016
@kcwu
Copy link
Contributor Author

kcwu commented Dec 10, 2016

Ah, should be MSan, not ASan. I modified the text of description. I will add concrete case later.

@rkta rkta mentioned this issue Sep 1, 2021
Merged
@tats
Copy link
Owner

tats commented Sep 5, 2021

Fixed with #192

@tats tats closed this as completed Sep 5, 2021
bptato pushed a commit to bptato/w3m that referenced this issue Jul 29, 2023
@rkta @bptato
Ensure VLA size is at least one
6bddd6f 
Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind
and opening the 'opions panel' reports:
table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0
table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0

'maxcell' is initialized to -1 which results in a size of 0 during the
first iteration. Though the array is only accessed if maxcell >= 0,
using a variable length array with a size < 1 is undefined behaviour
(see e.g. C99 6.7.5.2,p5).

This closes issue tats#51 .
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kcwu @tats