Gdb and Backtrace
Reading symbols from doc2txt...done.
(gdb) run libdoc_numutils_getlong_22.overflow
Starting program: /var/normal/bin/doc2txt libdoc_numutils_getlong_22.overflow
*** Error in `/var/normal/bin/doc2txt': corrupted size vs. prev_size: 0x000000000064dfc0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80d36)[0x7ffff7a8dd36]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff7a9153c]
/var/normal/bin/doc2txt[0x400e52]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]
======= Memory map: ========
00400000-0044c000 r-xp 00000000 08:01 526540 /var/normal/bin/doc2txt
0064b000-0064c000 r--p 0004b000 08:01 526540 /var/normal/bin/doc2txt
0064c000-0064d000 rw-p 0004c000 08:01 526540 /var/normal/bin/doc2txt
0064d000-0066e000 rw-p 00000000 00:00 0 [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff77f7000-7ffff780d000 r-xp 00000000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff780d000-7ffff7a0c000 ---p 00016000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0c000-7ffff7a0d000 rw-p 00015000 08:01 1053568 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1053530 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fde000-7ffff7fe1000 rw-p 00000000 00:00 0
7ffff7ff6000-7ffff7ff7000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1053502 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2 0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a8dd36 in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=<optimized out>, str=0x7ffff7b9ac75 "corrupted size vs. prev_size", action=3) at malloc.c:5006
#4 _int_free (av=0x7ffff7dd1b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4005
#5 0x00007ffff7a9153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6 0x0000000000400e52 in main ()
Asan Debug Information
root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_numutils_getlong_22.overflow
=================================================================
==92310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f120 at pc 0x000000403238 bp 0x7ffe6888f220 sp 0x7ffe6888f210
READ of size 1 at 0x60200000f120 thread T0
#0 0x403237 in getlong /root/libdoc/numutils.c:22
#1 0x404053 in ole_init /root/libdoc/ole.c:176
#2 0x401d61 in analyze_format /root/libdoc/analyze.c:50
#3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
#4 0x401715 in main /root/libdoc/example/main.c:24
#5 0x7f082402e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/numutils.c:22 getlong
Shadow bytes around the buggy address:
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9e20: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==92310==ABORTING
Test Version
latest version, git clone https://github.com/uvoteam/libdoc
Environment
Ubuntu 16.04-x64, gcc version 5.4.0 20160609
Test Program and command
gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]
POC file
libdoc_numutils_getlong_22.zip
CREDIT
Zhao Liang, Huawei Weiran Labs