bug-bash
realloc: start and end chunk sizes differ - rl_extend_line_buffer in lib


From: Eduardo A. Bustamante López
Subject: realloc: start and end chunk sizes differ - rl_extend_line_buffer in lib/readline/util.c
Date: Sun, 6 Jan 2019 19:18:27 -0800
User-agent: Mutt/1.10.1 (2018-07-13)

Found by fuzzing with AFL

debian@debian-fuzz:/mnt$ cat -A rl_extend_line_buffer 
000000000000000000000000000000^[^?000000000000000^?^X^E^_^Y^Y^Y00000000000000000000000000000000^Y^Y^Y^Y^Y

debian@debian-fuzz:/mnt$ base64 < rl_extend_line_buffer 
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwG38wMDAwMDAwMDAwMDAwMDB/GAUfGRkZMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAZGRkZGQ==

(gdb) r
Starting program: /home/debian/build-gdb/bash --noprofile --norc -c PATH=\ 
read\ -e\ \<\ rl_extend_line_buffer
hi
00000000000000
[Detaching after fork from child process 21638]
/home/debian/build-gdb/bash: emacs: No such file or directory
^@^@00000000000000000000000000000^@00000000000000000000000000000^@00000000000000000000000000000^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@00000000000000000000000000000^@00000000000000000000000000000^@00000000000000000000000000000^@00000000000000000000000000000
malloc: unknown:0: assertion botched
malloc: 0x555555769408: allocated: last allocated from unknown:0
realloc: start and end chunk sizes differ
Aborting...
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7df4535 in __GI_abort () at abort.c:79
#2  0x00005555555b39b5 in programming_error (format=0x555555686c98 "realloc: 
start and end chunk sizes differ") at ../bash-5.0-rc1/error.c:175
#3  0x00005555556651dc in xbotch (mem=0x555555769408, e=8, s=0x555555686c98 
"realloc: start and end chunk sizes differ", file=0x0, line=0) at 
../../../bash-5.0-rc1/lib/malloc/malloc.c:354
#4  0x0000555555666993 in internal_realloc (mem=0x555555769408, n=512, 
file=0x0, line=0, flags=0) at ../../../bash-5.0-rc1/lib/malloc/malloc.c:1091
#5  0x00005555556670c8 in realloc (mem=0x555555769408, nbytes=512) at 
../../../bash-5.0-rc1/lib/malloc/malloc.c:1381
#6  0x00005555555fff94 in xrealloc (pointer=0x555555769408, bytes=512) at 
../bash-5.0-rc1/xmalloc.c:135
#7  0x00005555556547d8 in rl_extend_line_buffer (len=273) at 
../../../bash-5.0-rc1/lib/readline/util.c:169
#8  0x00005555556594a5 in rl_insert_text (string=0x55555576d888 '0' <repeats 30 
times>) at ../../../bash-5.0-rc1/lib/readline/text.c:95
#9  0x0000555555655a81 in rl_yank (count=1, key=25) at 
../../../bash-5.0-rc1/lib/readline/kill.c:494
#10 0x0000555555639ed4 in _rl_dispatch_subseq (key=25, map=0x5555556ab200 
<emacs_standard_keymap>, got_subseq=0) at 
../../../bash-5.0-rc1/lib/readline/readline.c:852
#11 0x0000555555639c4b in _rl_dispatch (key=-136275877, map=0x5555556ab200 
<emacs_standard_keymap>) at ../../../bash-5.0-rc1/lib/readline/readline.c:798
#12 0x00005555556398ce in readline_internal_char () at 
../../../bash-5.0-rc1/lib/readline/readline.c:632
#13 0x0000555555639929 in readline_internal_charloop () at 
../../../bash-5.0-rc1/lib/readline/readline.c:659
#14 0x0000555555639949 in readline_internal () at 
../../../bash-5.0-rc1/lib/readline/readline.c:671
#15 0x0000555555639367 in readline (prompt=0x555555680f84 "") at 
../../../bash-5.0-rc1/lib/readline/readline.c:377
#16 0x0000555555611bcf in edit_line (p=0x555555680f84 "", itext=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:1107
#17 0x00005555556108f8 in read_builtin (list=0x0) at 
../../bash-5.0-rc1/builtins/../../bash-5.0-rc1/builtins/read.def:566
#18 0x00005555555a5afa in execute_builtin (builtin=0x55555560fa73 
<read_builtin>, words=0x555555764dc8, flags=0, subshell=0) at 
../bash-5.0-rc1/execute_cmd.c:4706
#19 0x00005555555a6aa2 in execute_builtin_or_function (words=0x555555764dc8, 
builtin=0x55555560fa73 <read_builtin>, var=0x0, redirects=0x555555764b48, 
fds_to_close=0x555555764a48, flags=0)
    at ../bash-5.0-rc1/execute_cmd.c:5214
#20 0x00005555555a5365 in execute_simple_command 
(simple_command=0x5555557648c8, pipe_in=-1, pipe_out=-1, async=0, 
fds_to_close=0x555555764a48) at ../bash-5.0-rc1/execute_cmd.c:4476
#21 0x000055555559e9f4 in execute_command_internal (command=0x555555764888, 
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555764a48) at 
../bash-5.0-rc1/execute_cmd.c:842
#22 0x000055555560858a in parse_and_execute (string=0x555555764008 "PATH= read 
-e < rl_extend_line_buffer", from_file=0x5555556690f0 "-c", flags=4)
    at ../../bash-5.0-rc1/builtins/evalstring.c:436
#23 0x000055555558564a in run_one_command (command=0x7fffffffe294 "PATH= read 
-e < rl_extend_line_buffer") at ../bash-5.0-rc1/shell.c:1426
#24 0x0000555555584789 in main (argc=5, argv=0x7fffffffdff8, 
env=0x7fffffffe028) at ../bash-5.0-rc1/shell.c:741
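For triage of the reproducer above, an added helper (not part of the report and not bash or readline code) that decodes the posted base64 file, renders it in the same caret notation `cat -A` used, and lists the control bytes readline will dispatch as keystrokes. The only binding it names is the one the backtrace itself establishes (key=25, i.e. 0x19 / C-y, dispatched to rl_yank); the other control bytes are reported without a binding. REPRO_B64 is the two base64 lines from the report joined.

```python
import base64

# The base64 reproducer exactly as posted in the report, two lines joined.
REPRO_B64 = (
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwG38wMDAwMDAwMDAwMDAwMDB/GAUfGRkZMDAw"
    "MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAZGRkZGQ=="
)

# Only binding the backtrace proves: key=25 (0x19, C-y) -> rl_yank in frame #9.
KNOWN_KEYS = {0x19: "C-y -> rl_yank (key=25 in frame #9 of the backtrace)"}


def caret_notation(data: bytes) -> str:
    """Render bytes the way `cat -A` shows them: ^X for controls, ^? for DEL,
    M- prefix for bytes with the high bit set, and $ at each newline."""
    out = []
    for b in data:
        if b >= 0x80:            # cat -A prints M- and then the low 7 bits
            out.append("M-")
            b -= 0x80
        if b == 0x0A:            # end of line is shown as $ followed by the newline
            out.append("$\n")
        elif b < 0x20:           # control characters: ^@ .. ^_
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:          # DEL
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


def decode_reproducer(b64: str = REPRO_B64) -> bytes:
    return base64.b64decode(b64)


def control_summary(data: bytes) -> dict:
    """Count each control byte: these are the keystrokes readline dispatches."""
    counts = {}
    for b in data:
        if b < 0x20 or b == 0x7F:
            counts[b] = counts.get(b, 0) + 1
    return counts


def annotate(data: bytes) -> list:
    """One (offset, caret form, note) row per control byte, for triage notes."""
    return [(i, caret_notation(bytes([b])), KNOWN_KEYS.get(b, "binding not shown in the report"))
            for i, b in enumerate(data) if b < 0x20 or b == 0x7F]


if __name__ == "__main__":
    raw = decode_reproducer()
    print(caret_notation(raw))   # same rendering as the `cat -A` line in the report
    for off, car, note in annotate(raw):
        print(f"{off:3d} {car:3s} {note}")
```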
