From: bug#25011 <25011@debbugs.gnu.org>
To: bug#25011 <25011@debbugs.gnu.org>
Subject: Status: Bugs in PTX Utility
Date: Sun, 22 Jun 2025 14:31:06 +0000

retitle 25011 Bugs in PTX Utility
reassign 25011 coreutils
submitter 25011 Marcel Böhme
severity 25011 normal
thanks

From: Marcel Böhme
Subject: Bugs in PTX Utility
Message-Id: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>
Date: Thu, 24 Nov 2016 16:57:54 +0800
To: bug-coreutils@gnu.org

Dear all,

The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
Below is also heap-buffer-overflow that doesn’t actually crash but is flagged by ASAN as an invalid read of size 1.

Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan Pham.


$ ptx ptx ptx > /dev/null
Segmentation fault

ASAN says:
==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
READ of size 1 at 0x7f2b49433093 thread T0
    #0 0x407b8a in define_all_fields ../src/ptx.c:1432
    #1 0x407b8a in generate_all_output ../src/ptx.c:1778
    #2 0x407b8a in main ../src/ptx.c:2153
    #3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)

0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
freed by thread T0 here:
    #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x414a75 in xrealloc ../lib/xmalloc.c:61

previously allocated by thread T0 here:
    #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
    #1 0x414a75 in xrealloc ../lib/xmalloc.c:61

SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields


This is the other one:
$ echo a > ~/a
$ ptx -w1 -A ~/a
=================================================================
==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
READ of size 1 at 0x60200000e818 thread T0
    #0 0x4085cc in define_all_fields ../src/ptx.c:1411
    #1 0x4085cc in generate_all_output ../src/ptx.c:1778
    #2 0x4085cc in main ../src/ptx.c:2153
    #3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)

0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
allocated by thread T0 here:
    #0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
    #1 0x4121ed in fread_file ../lib/read-file.c:73

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields

Best regards,
- Marcel

Subject: Re: bug#25011: Bugs in PTX Utility
To: Marcel Böhme, 25011-done@debbugs.gnu.org
References: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>
From: Pádraig Brady
Date: Thu, 24 Nov 2016 15:04:46 +0000
In-Reply-To: <4FE2966D-DF45-4892-A6F9-599433E3C997@gmail.com>

On 24/11/16 08:57, Marcel Böhme wrote:
> Dear all,
>
> The following produces a crash for the version in trunk and preinstalled version 8.21 on Ubuntu 14.04 x86_64.
> Below is also heap-buffer-overflow that doesn’t actually crash but is flagged by ASAN as an invalid read of size 1.
>
> Both bugs were found by AFLFast, a fork of AFL. Thanks goes out to Van-Thuan Pham.
>
>
> $ ptx ptx ptx > /dev/null
> Segmentation fault
>
> ASAN says:
> ==47034==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2b49433093 at pc 0x000000407b8b bp 0x7ffcfc738bb0 sp 0x7ffcfc738ba8
> READ of size 1 at 0x7f2b49433093 thread T0
>     #0 0x407b8a in define_all_fields ../src/ptx.c:1432
>     #1 0x407b8a in generate_all_output ../src/ptx.c:1778
>     #2 0x407b8a in main ../src/ptx.c:2153
>     #3 0x7f2b4db9af44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x7f2b49433093 is located 10387 bytes inside of 8388576-byte region [0x7f2b49430800,0x7f2b49c307e0)
> freed by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> previously allocated by thread T0 here:
>     #0 0x7f2b4ed17710 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2710)
>     #1 0x414a75 in xrealloc ../lib/xmalloc.c:61
>
> SUMMARY: AddressSanitizer: heap-use-after-free ../src/ptx.c:1432 in define_all_fields
>
>
> This is the other one:
> $ echo a > ~/a
> $ ptx -w1 -A ~/a
> =================================================================
> ==44013==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e818 at pc 0x0000004085cd bp 0x7ffc327adb70 sp 0x7ffc327adb68
> READ of size 1 at 0x60200000e818 thread T0
>     #0 0x4085cc in define_all_fields ../src/ptx.c:1411
>     #1 0x4085cc in generate_all_output ../src/ptx.c:1778
>     #2 0x4085cc in main ../src/ptx.c:2153
>     #3 0x7f9ef7044f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>     #4 0x409379 (/home/ubuntu/subjects/coreutils/obj-asan/src/ptx+0x409379)
>
> 0x60200000e818 is located 5 bytes to the right of 3-byte region [0x60200000e810,0x60200000e813)
> allocated by thread T0 here:
>     #0 0x7f9ef81c13a8 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc23a8)
>     #1 0x4121ed in fread_file ../lib/read-file.c:73
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/ptx.c:1411 in define_all_fields

Right, line_width can go negative.
I'll clean up something like this and push.

thanks!

diff --git a/src/ptx.c b/src/ptx.c index c3b60df..d189678 100644 --- a/src/ptx.c +++ b/src/ptx.c @@ -1235,6 +1235,8 @@ fix_output_parameters (void) if ((auto_reference || input_reference) && !right_reference) line_width -= reference_max_width + gap_size; + if (line_width < 0) + line_width = 0; /* The output lines, minimally, will contain from left to right a left context, a gap, and a keyword followed by the right context with no

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 23 Dec 2016 12:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
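
Review bot: the new clamp `if (line_width < 0) line_width = 0;` in fix_output_parameters carries no comment explaining how the width can become negative, and the patch does not say which of the two reported reads it addresses. The report lists a heap-use-after-free at ptx.c:1432 (`ptx ptx ptx`) and a heap-buffer-overflow at ptx.c:1411 (`ptx -w1 -A`), both in define_all_fields; the final version should name the trace or traces it covers in the commit message and add both reproducers as regression tests, run under ASAN since the second one does not crash on its own. Because the clamp sits directly after `line_width -= reference_max_width + gap_size;`, also confirm that the width calculations following the comment below it behave with line_width == 0 and that no later adjustment can take it negative again.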