[Bug binutils/27801] New: [size] heap-buffer-overflow on bfd/mach-o.c:5934

[dkcjd2000 at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27801

            Bug ID: 27801
           Summary: [size] heap-buffer-overflow on bfd/mach-o.c:5934
           Product: binutils
           Version: 2.37 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: dkcjd2000 at gmail dot com
  Target Milestone: ---

Created attachment 13413
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13413&action=edit
crash test case

Hello,
I report a double free detected by address sanitizer.
I found this test input by fuzz testing.

The stack traces are as follows:
==3915==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000071
at pc 0x000001442705 bp 0x7fffffffe3a0 sp      0x7fffffffe398READ of size 8 at
0x604000000071 thread T0'
    #0 0x1442704 in bfd_mach_o_core_fetch_environment
...//subjects/binutils-gdb/bfd/mach-o.c:5934:11'
    #1 0x1442dae in bfd_mach_o_core_file_failing_command
...//subjects/binutils-gdb/bfd/mach-o.c:5978:9'
    #2 0x4ed8e6 in bfd_core_file_failing_command
...//subjects/binutils-gdb/bfd/corefile.c:58:10'
    #3 0x4c6d42 in display_bfd
...//subjects/binutils-gdb/binutils/size.c:352:18'
    #4 0x4c6824 in display_file
...//subjects/binutils-gdb/binutils/size.c:432:5'
    #5 0x4c6412 in main ...//subjects/binutils-gdb/binutils/size.c:258:7'
    #6 0x7ffff6e22bf6 in __libc_start_main
/build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310'
    #7 0x41be59 in _start (...//subjects_asan/size/size.san+0x41be59)'


You can reproduce the bug by executing
./size <test input>

I tested the subject on the latest version uploaded on git,
build with --disable-shared --disable-gdb --disable-libdecnumber --disable-ld
--enable-targets=all
configure options.

Thanks

-- 
You are receiving this mail because:
You are on the CC list for the bug.