From unknown Sun Jun 22 11:42:30 2025
From: Marcel Böhme
To: bug-coreutils@gnu.org
Subject: bug#25011: Bugs in PTX Utility
Date: Thu, 24 Nov 2016 16:57:54 +0800
Message-Id: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>

Dear all,

The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
Below is also a heap-buffer-overflow that doesn't actually crash but is flagged by ASAN as an invalid read of size 1.

Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan Pham.
$ ptx ptx ptx > /dev/null
Segmentation fault

ASAN says:
==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
READ of size 1 at 0x7f2b49433093 thread T0
    #0 0x407b8a in define_all_fields ../src/ptx.c:1432
    #1 0x407b8a in generate_all_output ../src/ptx.c:1778
    #2 0x407b8a in main ../src/ptx.c:2153
    #3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)

0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
freed by thread T0 here:
    #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x414a75 in xrealloc ../lib/xmalloc.c:61

previously allocated by thread T0 here:
    #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x414a75 in xrealloc ../lib/xmalloc.c:61

SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields

This is the other one:
$ echo a > ~/a
$ ptx -w1 -A ~/a
=================================================================
==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
READ of size 1 at 0x60200000e818 thread T0
    #0 0x4085cc in define_all_fields ../src/ptx.c:1411
    #1 0x4085cc in generate_all_output ../src/ptx.c:1778
    #2 0x4085cc in main ../src/ptx.c:2153
    #3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)

0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
allocated by thread T0 here:
    #0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x4121ed in fread_file ../lib/read-file.c:73

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields

Best regards,
- Marcel

From unknown Sun Jun 22 11:42:30 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Marcel Böhme
Subject: bug#25011: closed (Re: bug#25011: Bugs in PTX Utility)
Date: Thu, 24 Nov 2016 15:05:02 +0000
References: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>

Your bug report

#25011: Bugs in PTX Utility

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 25011@debbugs.gnu.org.

-- 
25011: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=25011
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Subject: Re: bug#25011: Bugs in PTX Utility
From: Pádraig Brady
To: Marcel Böhme, 25011-done@debbugs.gnu.org
Date: Thu, 24 Nov 2016 15:04:46 +0000
In-Reply-To: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>

On 24/11/16 08:57, Marcel Böhme wrote:
> Dear all,
>
> The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
> Below is also a heap-buffer-overflow that doesn't actually crash but is flagged by ASAN as an invalid read of size 1.
>
> Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan Pham.
>
>
> $ ptx ptx ptx > /dev/null
> Segmentation fault
>
> ASAN says:
> ==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
> READ of size 1 at 0x7f2b49433093 thread T0
>     #0 0x407b8a in define_all_fields ../src/ptx.c:1432
>     #1 0x407b8a in generate_all_output ../src/ptx.c:1778
>     #2 0x407b8a in main ../src/ptx.c:2153
>     #3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
> freed by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> previously allocated by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields
>
>
> This is the other one:
> $ echo a > ~/a
> $ ptx -w1 -A ~/a
> =================================================================
> ==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
> READ of size 1 at 0x60200000e818 thread T0
>     #0 0x4085cc in define_all_fields ../src/ptx.c:1411
>     #1 0x4085cc in generate_all_output ../src/ptx.c:1778
>     #2 0x4085cc in main ../src/ptx.c:2153
>     #3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
> allocated by thread T0 here:
>     #0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>     #1 0x4121ed in fread_file ../lib/read-file.c:73
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields

Right, line_width can go negative.
I'll clean up something like this and push.

thanks!

diff --git a/src/ptx.c b/src/ptx.c
index c3b60df..d189678 100644
--- a/src/ptx.c
+++ b/src/ptx.c
@@ -1235,6 +1235,8 @@ fix_output_parameters (void) if ((auto_reference || input_reference) && !right_reference) line_width -= reference_max_width + gap_size; + if (line_width < 0) + line_width = 0; /* The output lines, minimally, will contain from left to right a left context, a gap, and a keyword followed by the right context with no ------------=_1479999902-19851-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 24 Nov 2016 08:58:16 +0000 Received: from localhost ([127.0.0.1]:39899 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c9prD-0001Nv-S6 for submit@debbugs.gnu.org; Thu, 24 Nov 2016 03:58:16 -0500 Received: from eggs.gnu.org ([208.118.235.92]:45892) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1c9prB-0001Ne-Dx for submit@debbugs.gnu.org; Thu, 24 Nov 2016 03:58:13 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1c9pr5-0000wt-9U for submit@debbugs.gnu.org; Thu, 24 Nov 2016 03:58:08 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:39916) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1c9pr5-0000wn-6R for submit@debbugs.gnu.org; Thu, 24 Nov 2016 03:58:07 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36829) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1c9pr0-0005Z9-OY for bug-coreutils@gnu.org; Thu, 24 Nov 2016 03:58:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1c9pqx-0000u5-OH for bug-coreutils@gnu.org; Thu, 24 Nov 2016 03:58:02 -0500 Received: from mail-pg0-x243.google.com ([2607:f8b0:400e:c05::243]:34296) by eggs.gnu.org with esmtps 
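Review bot: the clamp stops line_width from going negative right after reference_max_width + gap_size is subtracted, but both traces in the report fault later, in define_all_fields (ptx.c:1411 and ptx.c:1432), so the hunk only closes the bug if nothing after this point in fix_output_parameters reduces line_width again; the comment that follows the added lines says the output line must still hold a left context, a gap, a keyword and the right context, so please check that the widths derived from a line_width of 0 cannot themselves underflow. Silently forcing line_width to 0 also hides a user error: with `-w1 -A` the requested width is smaller than the reference alone, so a diagnostic and non-zero exit would be clearer than producing zero-width output. The two reproducers from the report (`ptx ptx ptx` and `ptx -w1 -A` on a one-line file) are cheap to add as regression tests run under ASAN.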