Do not increase tail before extension
It will confuse Expand_Series, which expects "tail" to be the actual size, and
cause a read beyond the allocated memory, or heap buffer overflow found
by the address sanitizer of GCC:
=================================================================
==10856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a00000b201 at pc 0x47df61 bp 0x7fffffff2ca0 sp 0x7fffffff2c98
READ of size 1 at 0x62a00000b201 thread T0
    #0 0x47df60 in Expand_Series ../src/core/m-series.c:145
    #1 0x47e5a7 in Extend_Series ../src/core/m-series.c:187
    #2 0x466e0c in Scan_Quote ../src/core/l-scan.c:462
    #3 0x46a797 in Scan_Token ../src/core/l-scan.c:918
    #4 0x46e263 in Scan_Block ../src/core/l-scan.c:1188
    #5 0x46e722 in Scan_Code ../src/core/l-scan.c:1548
    #6 0x46e886 in Scan_Source ../src/core/l-scan.c:1568

0x62a00000b201 is located 1 bytes to the right of 20480-byte region [0x62a000006200,0x62a00000b200)
allocated by thread T0 here:
    #0 0x7ffff6f58b1f in malloc (/usr/lib/libasan.so.1+0x54b1f)
    #1 0x47924a in Make_Mem ../src/core/m-pools.c:121
    #2 0x47a9ff in Make_Series ../src/core/m-pools.c:406
    #3 0x4aee84 in Make_Unicode ../src/core/s-make.c:59
    #4 0x4bb797 in Init_Mold ../src/core/s-mold.c:1425
    #5 0x40da64 in Init_Core ../src/core/b-init.c:940
    #6 0x4055e0 in RL_Init ../src/core/a-lib.c:124
    #7 0x580aa2 in main ../src/os/host-main.c:154
    #8 0x7ffff5719fff in __libc_start_main (/usr/lib/libc.so.6+0x1ffff)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/m-series.c:145 Expand_Series
zsx committed May 13, 2014
1 parent 4a78de3 commit 3d7484c
4 changes: 3 additions & 1 deletion src/core/l-scan.c
@@ -459,7 +459,9 @@

*UNI_SKIP(buf, buf->tail) = chr;

if (++(buf->tail) >= SERIES_REST(buf)) Extend_Series(buf, 1);
if (SERIES_LEN(buf) >= SERIES_REST(buf)) Extend_Series(buf, 1);

buf->tail ++;
}

src++; // Skip ending quote or brace.
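Review bot: the new `SERIES_LEN(buf) >= SERIES_REST(buf)` test carries the whole reason for the reordering, but nothing in the hunk says why the increment had to move; a short comment on that line, noting that Expand_Series reads `buf->tail` as the count of elements already written and so must run before `buf->tail ++`, would keep a later cleanup from folding the increment back into the condition as `++(buf->tail)`. The same write-then-pre-increment sequence in Scan_Item (quoted in the comment on this commit, l-scan.c lines 535 to 537) is left unchanged here and should receive the identical reordering.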
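To make the ordering concrete, here is an added example (constructed for this page, not R3's own code) that models a series with `tail` and `rest` fields and an `expand_series` that, like the Expand_Series the commit message describes, trusts `tail` as the count of written elements; the pre-increment ordering reads one slot past the buffer and the fixed ordering does not. `series_t`, `checked_get`, `append_buggy`, `append_fixed` and `run_append` are names of this model, and the assumption that expansion also copies the terminator slot after `tail` stands in for whatever the real routine reads there.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of an R3-style series of 1-byte elements (constructed, not the real
 * struct): `tail` = elements written so far, `rest` = slots allocated. */
typedef struct { unsigned char *data; size_t tail; size_t rest; } series_t;
static int oob_reads;   /* reads the model caught beyond `rest` */

/* Bounds-checked read: records an out-of-bounds read instead of touching heap
 * memory past the buffer, which is the access ASan flagged in the commit. */
static unsigned char checked_get(const series_t *s, size_t i) {
    if (i >= s->rest) { oob_reads++; return 0; }
    return s->data[i];
}

/* Stand-in for Expand_Series: trusts `tail` as the element count and copies
 * slots 0..tail (the terminator slot included) into a bigger buffer. */
static void expand_series(series_t *s, size_t extra) {
    unsigned char *fresh = calloc(s->rest + extra, 1);
    for (size_t i = 0; i <= s->tail; i++) fresh[i] = checked_get(s, i);
    free(s->data);
    s->data = fresh;
    s->rest += extra;
}

/* Ordering before the commit: tail is bumped first, so once it equals rest
 * the copy loop above reads slot `rest`, one byte past the allocation. */
static void append_buggy(series_t *s, unsigned char c) {
    s->data[s->tail] = c;
    if (++(s->tail) >= s->rest) expand_series(s, 1);
}

/* Ordering after the commit: extend while tail is still the true count
 * (tail + 1 plays the role of SERIES_LEN), then advance tail. */
static void append_fixed(series_t *s, unsigned char c) {
    s->data[s->tail] = c;
    if (s->tail + 1 >= s->rest) expand_series(s, 1);
    s->tail++;
}

/* Append n bytes to a fresh 4-slot series with the given routine and return
 * how many out-of-bounds reads the checked accessor recorded. */
static int run_append(void (*append)(series_t *, unsigned char), size_t n) {
    series_t s = { calloc(4, 1), 0, 4 };
    oob_reads = 0;
    for (size_t i = 0; i < n; i++) append(&s, (unsigned char)('a' + i));
    free(s.data);
    return oob_reads;
}

int main(void) {
    printf("OOB reads: buggy=%d fixed=%d\n",
           run_append(append_buggy, 5), run_append(append_fixed, 5));
    return 0;
}
```

Every time the buggy ordering fills the buffer it reads one slot past `rest`; the fixed ordering never does, however many appends are made.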

1 comment on commit 3d7484c

@Oldes Oldes commented on 3d7484c Jun 28, 2019

@zsx You should use this fix (with related 2e56b0c) also a few lines later in the Scan_Item function, where it is the same case, but much harder to find in a real use case.

r3/src/core/l-scan.c

Lines 535 to 537 in 3885339

*UNI_SKIP(buf, buf->tail) = c; // not affected by Extend_Series
if (++(buf->tail) >= SERIES_REST(buf)) Extend_Series(buf, 1);
