GNU bug report logs - #25023
Bug PR utility with -S option

Package: coreutils

Reported by: Marcel Böhme <boehme.marcel <at> gmail.com>

Date: Fri, 25 Nov 2016 02:38:01 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

From: Marcel Böhme <boehme.marcel <at> gmail.com>
To: 25023 <at> debbugs.gnu.org
Subject: bug#25023: Bug PR utility with -S option
Date: Fri, 25 Nov 2016 10:36:47 +0800

Dear all,

The following input to PR does not crash the program but ASAN reports a buffer overflow.
The bug was found with AFLFast, a fork of AFL. Thanks also to Van-Thuan Pham.

$ echo a > a
$ pr "-S$(printf "\t\t\t")" a -m a > /dev/null

=================================================================
==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
READ of size 1 at 0x00000041b622 thread T0
    #0 0x40506a in print_sep_string ../src/pr.c:2241
    #1 0x407ec4 in read_line ../src/pr.c:2493
    #2 0x40985c in print_page ../src/pr.c:1802
    #3 0x40985c in print_files ../src/pr.c:1618
    #4 0x4036e0 in main ../src/pr.c:1136
    #5 0x7ff29fa67f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x404209  (/home/ubuntu/subjects/coreutils_fixed/obj-asan/src/pr+0x404209)

0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
  '*.LC12' is ascii string '%*d'
0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
  '*.LC11' is ascii string ' '
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/pr.c:2241 in print_sep_string

Best regards,
- Marcel
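
Added example, not part of the original report or of coreutils: a small triage helper that parses the ASAN lines quoted above and checks the address arithmetic, showing that the faulting 1-byte read lands exactly one past the end of the 2-byte ' ' string literal. The function name triage and the result layout are hypothetical; the report excerpt is copied from the message.

```python
import re

# Excerpt of the ASAN report from the message above (frames #2-#6 left out).
REPORT = """\
==102438==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000041b622 at pc 0x00000040506b bp 0x7ffc95917160 sp 0x7ffc95917158
READ of size 1 at 0x00000041b622 thread T0
    #0 0x40506a in print_sep_string ../src/pr.c:2241
    #1 0x407ec4 in read_line ../src/pr.c:2493
0x00000041b622 is located 62 bytes to the left of global variable '*.LC12' defined in '../src/pr.c' (0x41b660) of size 4
0x00000041b622 is located 0 bytes to the right of global variable '*.LC11' defined in '../src/pr.c' (0x41b620) of size 2
  '*.LC11' is ascii string ' '
"""

HEAD = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)
GLOBAL = re.compile(r"is located (\d+) bytes to the (left|right) of global variable "
                    r"'([^']+)' defined in '[^']+' \((0x[0-9a-f]+)\) of size (\d+)")

def triage(report):
    """Summarise an ASAN global-buffer-overflow report and check its arithmetic."""
    head, access = HEAD.search(report), ACCESS.search(report)
    if not head or not access:
        raise ValueError("not an AddressSanitizer report")
    addr = int(head.group(2), 16)
    frames = [(m.group(2), m.group(3), int(m.group(4))) for m in FRAME.finditer(report)]
    neighbours = []
    for dist, side, name, start, size in GLOBAL.findall(report):
        start, size, dist = int(start, 16), int(size), int(dist)
        # "right of" is measured from the object's end, "left of" from its start.
        expected = start + size + dist if side == "right" else start - dist
        neighbours.append({"name": name, "side": side, "distance": dist,
                           "size": size, "consistent": expected == addr})
    # The object the access ran off the end of: the nearest one we are to the right of.
    overrun = min((n for n in neighbours if n["side"] == "right"),
                  key=lambda n: n["distance"], default=None)
    return {"kind": head.group(1), "op": access.group(1), "width": int(access.group(2)),
            "address": addr, "top_frame": frames[0] if frames else None,
            "neighbours": neighbours, "overrun": overrun}

if __name__ == "__main__":
    r = triage(REPORT)
    print(r["kind"], r["op"], r["width"], "in", r["top_frame"])
    print("ran past:", r["overrun"])
```

A distance of 0 to the right of a size-2 object means the read hit the first byte after the literal's terminating NUL, which is why the program does not crash without ASAN's redzones.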



This bug report was last modified 8 years and 177 days ago.
