GNU bug report logs - #22127: Segfault / null pointer access in function str_append_modified()
Reported by: Hanno Böck <hanno <at> hboeck.de>
Date: Thu, 10 Dec 2015 01:02:07 UTC
Severity: normal
Tags: fixed
Done: Assaf Gordon <assafgordon <at> gmail.com>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org:
Hi,
With a malformed input (see attachment) sed can crash in the function
str_append_modified()
Test:
echo|./sed -f sed-nullptr-str_append_modified
Seems to be a null pointer access.
This only seems to happen in the git code of sed and not in 4.2.2.
This is the stack trace from address sanitizer:
==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
#0 0x7fd77e298c15 in wcrtomb /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
#1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
#2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
#3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
#4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
#5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
#6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
#7 0x7fd77e21b62f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
#8 0x4191a8 in _start (/tmp/sed+0x4191a8)
This was found with the help of american fuzzy lop.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno <at> hboeck.de
GPG: BBB51E42
[sed-nullptr-str_append_modified (application/octet-stream, attachment)]
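The trace above ends in wcrtomb() faulting on address 0 while str_append_modified() is appending replacement text. As an added illustration, not sed's own code and not the fix the maintainers applied (which this page does not show), the C sketch below shows how a wide-to-multibyte append routine can guard the two failure modes a defender would want covered before the conversion touches memory: a NULL buffer or state pointer, and a character that wcrtomb rejects with (size_t)-1. The names struct strbuf, strbuf_reserve, strbuf_append_wc and the demo_* helpers are hypothetical and exist only for this example.

```c
#include <limits.h>   /* MB_LEN_MAX */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical growable byte buffer; not sed's data structure. */
struct strbuf {
    char *data;
    size_t len;
    size_t cap;
};

/* Make room for at least `extra` more bytes. Returns 0 on success, -1 if
 * realloc fails (the old buffer is left intact in that case). */
static int strbuf_reserve(struct strbuf *b, size_t extra)
{
    if (b->cap - b->len >= extra)
        return 0;
    size_t ncap = b->cap ? b->cap : 16;
    while (ncap - b->len < extra)
        ncap *= 2;
    char *nd = realloc(b->data, ncap);
    if (nd == NULL)
        return -1;
    b->data = nd;
    b->cap = ncap;
    return 0;
}

/* Append wide character `wc` to `b` as a multibyte sequence using the
 * conversion state `st`. Returns 0 on success and -1 if the buffer or
 * state pointer is NULL, the character is not representable in the
 * current locale (wcrtomb returns (size_t)-1 and sets errno to EILSEQ),
 * or memory runs out. The conversion goes into a local MB_LEN_MAX-sized
 * scratch array, so wcrtomb is never handed a NULL or undersized
 * destination and nothing is copied into `b` until the result is known. */
int strbuf_append_wc(struct strbuf *b, wchar_t wc, mbstate_t *st)
{
    if (b == NULL || st == NULL)
        return -1;
    char tmp[MB_LEN_MAX];
    size_t n = wcrtomb(tmp, wc, st);
    if (n == (size_t)-1)
        return -1;           /* unrepresentable character, buffer untouched */
    if (strbuf_reserve(b, n) != 0)
        return -1;
    memcpy(b->data + b->len, tmp, n);
    b->len += n;
    return 0;
}

/* Demo helper: append "ab" and return the resulting byte length (2),
 * or -1 if anything went wrong. */
int demo_append_ascii(void)
{
    struct strbuf b = { NULL, 0, 0 };
    mbstate_t st;
    memset(&st, 0, sizeof st);
    int rc = 0;
    if (strbuf_append_wc(&b, L'a', &st) != 0) rc = -1;
    if (strbuf_append_wc(&b, L'b', &st) != 0) rc = -1;
    int len = (rc == 0 && b.len == 2 && memcmp(b.data, "ab", 2) == 0) ? 2 : -1;
    free(b.data);
    return len;
}

/* Demo helper: a NULL buffer is rejected (-1) instead of dereferenced. */
int demo_null_buffer(void)
{
    mbstate_t st;
    memset(&st, 0, sizeof st);
    return strbuf_append_wc(NULL, L'a', &st);
}

int main(void)
{
    printf("ascii append length: %d\n", demo_append_ascii());
    printf("NULL buffer result: %d\n", demo_null_buffer());
    return 0;
}
```

Building this (or the real program) with `-fsanitize=address` and feeding it the crashing input, as the reporter did, is the quickest way to confirm that a guard of this kind turns a segfault into a clean error return rather than merely moving the fault elsewhere.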