On Wed, Dec 9, 2015 at 3:42 AM, Hanno Böck wrote:
> Hi,
>
> With a malformed input (see attachment) sed can crash in the function
> str_append_modified()
>
> Test:
> echo|./sed -f sed-nullptr-str_append_modified
>
> Seems to be a null pointer access.
> This only seems to happen in the git code of sed and not in 4.2.2.
>
> This is the stack trace from address sanitizer:
> ==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
>     #0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
>     #1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
>     #2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
>     #3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
>     #4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
>     #5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
>     #6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
>     #7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
>     #8 0x4191a8 in _start (/tmp/sed+0x4191a8)
>
>
> This was found with the help of american fuzzy lop.

Thank you for the report.
I've reduced it to the following one-liner (demonstrating failure with an
ASAN-enabled binary), and have attached a patch:

$ echo > k; LC_ALL=en_US.utf8 sed/sed $(printf 's/^/\\L\233\375\134\200/') k
=================================================================
==3335==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000edb2 at pc 0x000000446933 bp 0x7ffd73a42ee0 sp 0x7ffd73a42690
WRITE of size 6 at 0x60600000edb2 thread T0
    #0 0x446932 in __interceptor_wcrtomb ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751
    #1 0x4dc393 in str_append_modified /home/j/w/co/sed/sed/execute.c:273
    #2 0x4e08e2 in append_replacement /home/j/w/co/sed/sed/execute.c:992
    #3 0x4e1272 in do_subst /home/j/w/co/sed/sed/execute.c:1078
    #4 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #5 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #6 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #7 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #8 0x406d18 in _start (/home/j/w/co/sed/sed/sed+0x406d18)

0x60600000edb2 is located 0 bytes to the right of 50-byte region [0x60600000ed80,0x60600000edb2)
allocated by thread T0 here:
    #0 0x4a2050 in __interceptor_calloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:54
    #1 0x4e59d3 in ck_malloc /home/j/w/co/sed/sed/utils.c:398
    #2 0x4dc4e9 in line_init /home/j/w/co/sed/sed/execute.c:288
    #3 0x4dc75f in line_reset /home/j/w/co/sed/sed/execute.c:306
    #4 0x4e0d37 in do_subst /home/j/w/co/sed/sed/execute.c:1023
    #5 0x4e2d09 in execute_program /home/j/w/co/sed/sed/execute.c:1513
    #6 0x4e359a in process_files /home/j/w/co/sed/sed/execute.c:1681
    #7 0x4d446a in main /home/j/w/co/sed/sed/sed.c:362
    #8 0x7f5541c7f57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:2751 in __interceptor_wcrtomb
Shadow bytes around the buggy address:
  0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9db0: 00 00 00 00 00 00[02]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9dc0: 00 00 02 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9dd0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9de0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9df0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
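The ASAN report above is the usual shape of this bug class: a case-converting replacement (\L) decodes the input into wide characters and re-encodes each one with wcrtomb(), which may store up to MB_CUR_MAX bytes (6 in glibc's UTF-8 locales, the size of the reported WRITE) into a buffer that was sized for the original bytes. The following is an added illustration for this thread, not sed's code and not the attached patch: a small append helper that reserves MB_CUR_MAX bytes before every wcrtomb() call, refuses to re-encode an unencodable character, and passes invalid input bytes (like the \233\375 in the one-liner) through untouched rather than feeding them to wcrtomb() as a bogus wide character. The struct and function names (struct line, line_reserve, line_append_wc, lowercase_mb, use_utf8_locale, run_case) and the locale names tried are assumptions made for the example; the sample input is constructed.

```c
/* Added illustration, not sed's code and not the attached patch: a buffer
 * append in the spirit of str_append_modified() that reserves MB_CUR_MAX
 * bytes before each wcrtomb() call.  All names below are hypothetical. */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

struct line {
    char *active;   /* buffer */
    size_t length;  /* bytes in use */
    size_t alloc;   /* bytes allocated */
};

/* Make room for at least `need` more bytes after the current contents. */
static void line_reserve(struct line *l, size_t need)
{
    size_t na = l->alloc ? l->alloc : 16;
    if (l->length + need <= l->alloc)
        return;
    while (na < l->length + need)
        na *= 2;
    char *p = realloc(l->active, na);
    if (p == NULL) {
        perror("realloc");
        exit(EXIT_FAILURE);
    }
    l->active = p;
    l->alloc = na;
}

/* Append the multibyte encoding of wc.  wcrtomb() may store up to
 * MB_CUR_MAX bytes (6 in glibc's UTF-8 locales), so that much headroom is
 * reserved before the call; without it a one-byte input character can
 * become a six-byte write past the end of the buffer.  Returns -1 if wc
 * cannot be encoded in the current locale. */
static int line_append_wc(struct line *l, wchar_t wc, mbstate_t *st)
{
    line_reserve(l, MB_CUR_MAX);
    size_t n = wcrtomb(l->active + l->length, wc, st);
    if (n == (size_t)-1)
        return -1;
    l->length += n;
    return 0;
}

/* Lower-case `len` bytes of src into dst, decoding with mbrtowc().  Bytes
 * that do not form a valid character in the current locale are copied
 * through untouched instead of being handed to wcrtomb().  Returns the new
 * length of dst, or (size_t)-1 if a decoded character cannot be re-encoded. */
size_t lowercase_mb(const char *src, size_t len, struct line *dst)
{
    mbstate_t in, out;
    size_t i = 0;
    memset(&in, 0, sizeof in);
    memset(&out, 0, sizeof out);
    while (i < len) {
        wchar_t wc;
        size_t n = mbrtowc(&wc, src + i, len - i, &in);
        if (n == (size_t)-1 || n == (size_t)-2) {
            memset(&in, 0, sizeof in);       /* reset state after an error */
            line_reserve(dst, 1);
            dst->active[dst->length++] = src[i++];
            continue;
        }
        if (n == 0)                          /* embedded NUL: one byte */
            n = 1;
        if (line_append_wc(dst, (wchar_t)towlower((wint_t)wc), &out) < 0)
            return (size_t)-1;
        i += n;
    }
    return dst->length;
}

/* Select a UTF-8 locale if one is installed; otherwise stay in "C", where
 * MB_CUR_MAX is 1 and every byte is a single character. */
int use_utf8_locale(void)
{
    return setlocale(LC_ALL, "C.UTF-8") != NULL
        || setlocale(LC_ALL, "en_US.UTF-8") != NULL;
}

/* Convert src and compare with the expected bytes; 1 on match, 0 otherwise. */
int run_case(const char *src, size_t len, const char *want, size_t wlen)
{
    struct line l = { NULL, 0, 0 };
    use_utf8_locale();
    size_t got = lowercase_mb(src, len, &l);
    int ok = got == wlen && memcmp(l.active, want, wlen) == 0;
    free(l.active);
    return ok;
}

int main(void)
{
    /* Constructed input: ASCII, the two invalid bytes from the report, and
     * the UTF-8 encoding of U+00C9, which lower-cases to two bytes. */
    static const char src[] = "A\233\375Z\303\211";
    struct line l = { NULL, 0, 0 };
    use_utf8_locale();
    size_t n = lowercase_mb(src, sizeof src - 1, &l);
    for (size_t k = 0; k < n; k++)
        printf("%02x ", (unsigned char)l.active[k]);
    putchar('\n');
    free(l.active);
    return 0;
}
```

The point of the example is the single line_reserve(l, MB_CUR_MAX) before wcrtomb(): the conversion can legitimately expand the text (one byte of input to several bytes of output), so the buffer has to grow per character, not be sized once from the input length. When no UTF-8 locale is installed the program falls back to "C", where every byte round-trips unchanged and only the ASCII letters change case.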