On 25/11/16 02:36, Marcel Böhme wrote:
> Dear all,
>
> The following input to PR does not crash the program but ASAN reports a buffer overflow.
> The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.
>
> $ echo a > a
> $ pr "-S$(printf "\t\t\t")" a -m a > /dev/null
>
> =================================================================
> ==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
> READ of size 1 at 0x00000041b622 thread T0
>     #0 0x40506a in print_sep_string ../src/pr.c:2241
>     #1 0x407ec4 in read_line ../src/pr.c:2493
>     #2 0x40985c in print_page ../src/pr.c:1802
>     #3 0x40985c in print_files ../src/pr.c:1618
>     #4 0x4036e0 in main ../src/pr.c:1136
>     #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #6 0x404209 (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)
>
> 0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
>   '*.LC12' is ascii string '%*d'
> 0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
>   '*.LC11' is ascii string ' '
> SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Fixed in the attached. thanks!