GNU bug report logs - #16171
ptx: heap buffer overrun, when run with two file arguments


Package: coreutils;

Reported by: Jim Meyering <jim <at> meyering.net>

Date: Tue, 17 Dec 2013 02:24:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>


From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: 16171 <at> debbugs.gnu.org
Subject: bug#16171: ptx: heap buffer overrun, when run with two file arguments
Date: Tue, 17 Dec 2013 10:29:28 +0000
On 12/17/2013 02:22 AM, Jim Meyering wrote:
> Hi,
> 
> I built like this using just-built 4.9.0 20131216
> (but it probably would work as well with 4.8.x):
> 
>   make check AM_CFLAGS='-ggdb3 -static-libasan -fsanitize=address'
>          AM_LDFLAGS='-fsanitize=address -static-libasan -lpthread -ldl'
> 
> and then I ran this,
> 
>   echo a > a && echo b > b &&
>   ./ptx -g1 -w1 a b 2>&1 | asan_symbolize.py -d
> 
> and include its output below.
> That output shows a heap-read overrun bug that arises
> because ptx was designed to process only one input file, yet
> was later extended to process more than one, but without some
> important adjustments.
> 
> The underlying problem is that swallow_file_in_memory (called from main)
> is setting the contents of the global text_buffer for the first file,
> then updating it (clobbering old value) for the second file.
> Yet, some pointers to the initial buffer have been squirreled away
> and later, one of them (keyafter) is presumed to point into
> the new "text_buffer", which it does not.  The subsequent
> SKIP_WHITE_BACKWARDS use backs up "cursor" until it goes
> out of bounds.

Nice. This is a good illustration of how test coverage
can be leveraged by (future) run time checks.

I see it here too (as the only failure in make check with -fsanitize=address).

$ rpm -q gcc
gcc-4.8.2-1.fc20.x86_64
$ yum install libasan  # http://bugzilla.redhat.com/991003
$ rm src/ptx.o
$ make check AM_CFLAGS='-fsanitize=address' TESTS=tests/misc/ptx.pl SUBDIRS=. VERBOSE=yes
$ failure identified in tests/test-suite.log ...
$ src/ptx -g1 -w1 <(echo a) <(echo b) | asan_symbolize.py -d

thanks!
Pádraig.
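The dataflow Jim describes, as an added illustration that is not ptx's own code: a single global text buffer is re-pointed at a second file's block, while a pointer saved into the first block (keyafter) survives and is later scanned backwards with the new block's start as its floor. The names struct buffer, swallow_text, points_into, struct cursor and skip_white_backwards_checked are assumptions made for the model; skip_white_backwards is the SKIP_WHITE_BACKWARDS loop written as a function from the description above, and whether the real swallow_file_in_memory frees the old block is not stated in the report, so the model simply forgets it. The unsafe scan on the stale pointer is deliberately not executed, since that is exactly the read ASan flags; the block instead shows the bounds check the loop lacks and a hardened form that carries the owning block with the cursor.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of ptx's global text buffer. Only the name text_buffer comes from
   the report; the start/end layout is an assumption for this example. */
struct buffer { char *start; char *end; };

static struct buffer text_buffer;   /* one global, shared by every input file */

/* Stand-in for swallow_file_in_memory(): copy `contents` into a fresh heap
   block and point the global at it. The previous block is not freed, only
   forgotten (assumed), so a pointer saved into it still addresses live heap
   memory but is no longer bounded by text_buffer.start. */
static void swallow_text(const char *contents)
{
  size_t n = strlen(contents);
  char *p = malloc(n);
  if (p == NULL)
    abort();
  memcpy(p, contents, n);
  text_buffer.start = p;
  text_buffer.end = p + n;
}

/* SKIP_WHITE_BACKWARDS written as a function: step cursor back over
   whitespace while it is still above `start`. Safe only when `start`
   begins the block that `cursor` actually points into. */
static char *skip_white_backwards(char *cursor, const char *start)
{
  while (cursor > start && isspace((unsigned char) cursor[-1]))
    cursor--;
  return cursor;
}

/* The check the loop lacks: does `p` lie within [b->start, b->end]?
   Compared as integers so two unrelated heap blocks can be tested without
   relying on pointer ordering across allocations. */
static bool points_into(const struct buffer *b, const char *p)
{
  uintptr_t lo = (uintptr_t) b->start, hi = (uintptr_t) b->end;
  uintptr_t q = (uintptr_t) p;
  return b->start != NULL && lo <= q && q <= hi;
}

/* Dataflow of `ptx -g1 -w1 a b`: a pointer just past the keyword in file
   a's block is kept across the swallow of file b. Returns true when that
   saved pointer no longer lies in the block text_buffer describes, i.e.
   when a backward scan floored at text_buffer.start could walk below the
   old block. The unsafe scan itself is deliberately not run here. */
static bool stale_pointer_after_second_file(void)
{
  swallow_text("a\n");                    /* constructed stand-in for file a */
  char *keyafter = text_buffer.start + 1; /* squirreled away: just after "a" */
  swallow_text("b\n");                    /* file b: global now names block 2 */
  return !points_into(&text_buffer, keyafter);
}

/* Hardened form: carry the owning block with the cursor so the floor of the
   backward scan is always the block the cursor was taken from. Returns NULL
   instead of scanning when the pair is inconsistent. */
struct cursor { const struct buffer *owner; char *p; };

static char *skip_white_backwards_checked(struct cursor c)
{
  if (!points_into(c.owner, c.p))
    return NULL;
  return skip_white_backwards(c.p, c.owner->start);
}

int main(void)
{
  printf("saved pointer stale after second file: %s\n",
         stale_pointer_after_second_file() ? "yes" : "no");

  static char text[] = "ab \t\n";         /* constructed sample block */
  struct buffer own = { text, text + 5 };
  struct cursor at_end = { &own, own.end };
  char *r = skip_white_backwards_checked(at_end);
  printf("checked scan stopped %ld bytes into the block\n",
         (long) (r - own.start));
  return 0;
}
```

The design point is that a pointer which outlives a swallow must keep the block it belongs to (or be stored as an offset and re-derived), so the scan's floor and the cursor always refer to the same allocation; with the single global that ptx used, the floor silently switches to the second file's block.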



