bug-gnu-pspp

PSPP-BUG: [bug #61258] use-after-free in pspp at i18n.c:499


From: Irfan Ariq
Subject: PSPP-BUG: [bug #61258] use-after-free in pspp at i18n.c:499
Date: Thu, 30 Sep 2021 16:24:02 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?61258>

                 Summary: use-after-free in pspp at i18n.c:499
                 Project: PSPP
            Submitted by: irfanariq
            Submitted on: Thu 30 Sep 2021 08:24:00 PM UTC
                Category: None
                Severity: 5 - Average
                  Status: None
             Assigned to: None
             Open/Closed: Open
                 Release: None
         Discussion Lock: Any
                  Effort: 0.00

    _______________________________________________________

Details:

Hello,

We are currently working on a fuzz testing feature, and we found a
**use-after-free** in `pspp`.

The stack trace is as follows:
```
==29418==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000062b0 at pc 0x7ff09c01c66e bp 0x7ffe378290b0 sp 0x7ffe37828858
READ of size 2 at 0x6030000062b0 thread T0
    #0 0x7ff09c01c66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x7ff09b945efc in utf8_encoding_concat_len src/libpspp/i18n.c:499
    #2 0x7ff09b946032 in utf8_encoding_trunc_len src/libpspp/i18n.c:530
    #3 0x7ff09b8cf228 in dict_add_document_line src/data/dictionary.c:1518
    #4 0x7ff09b8cf062 in dict_set_documents src/data/dictionary.c:1475
    #5 0x7ff09bcec536 in merge_dictionary src/language/data-io/combine-files.c:540
    #6 0x7ff09bceab32 in combine_files src/language/data-io/combine-files.c:268
    #7 0x7ff09bce9f33 in cmd_match_files src/language/data-io/combine-files.c:134
    #8 0x7ff09bbf2d63 in do_parse_command src/language/command.c:233
    #9 0x7ff09bbf2809 in cmd_parse_in_state src/language/command.c:147
    #10 0x7ff09bbf28d9 in cmd_parse src/language/command.c:162
    #11 0x5564ac75be30 in main src/ui/terminal/main.c:136
```
The full stack trace is attached.

**Steps to reproduce**

We configured `pspp` using:

```
CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/ --without-cairo --without-perl-module
```

built it using `make -j10`, and ran it with:

```
./pspp -o /dev/null -O format=odt <attached file>
```
The input file is attached.

**Environment**
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- pspp version: [pspp 1.4.1](http://mirror.yongbok.net/gnu/pspp/pspp-1.4.1.tar.gz)

Thank you.



    _______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Thu 30 Sep 2021 08:24:00 PM UTC  Name: full_stacktrace_poc_7.zip  Size: 1KiB  By: irfanariq

<http://savannah.gnu.org/bugs/download.php?file_id=52006>
-------------------------------------------------------
Date: Thu 30 Sep 2021 08:24:00 PM UTC  Name: input_pspp_poc_7.zip  Size: 791B  By: irfanariq

<http://savannah.gnu.org/bugs/download.php?file_id=52007>

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61258>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
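Reports like the one above arrive from a fuzzer by the dozen, and the first triage question is whether two crashes are the same bug. The script below is an added example (not part of the bug report and not PSPP project code) that parses the AddressSanitizer report format shown in the trace: it extracts the error kind, the faulting access, and the first stack, then skips the sanitizer-runtime frame and builds a signature from the topmost frames inside the project's `src/` tree. The sample report is the trace from the report with its wrapped lines rejoined; the `src/` prefix, the regular expressions and the signature depth of three frames are my assumptions, chosen to match the GCC 7 ASan output quoted here (newer sanitizer builds may append a column number, which the frame pattern tolerates, or a `BuildId` suffix, which it does not).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan report quoted in bug #61258, wrapped lines rejoined.
ASAN_REPORT = """\
==29418==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000062b0 at pc 0x7ff09c01c66e bp 0x7ffe378290b0 sp 0x7ffe37828858
READ of size 2 at 0x6030000062b0 thread T0
    #0 0x7ff09c01c66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x7ff09b945efc in utf8_encoding_concat_len src/libpspp/i18n.c:499
    #2 0x7ff09b946032 in utf8_encoding_trunc_len src/libpspp/i18n.c:530
    #3 0x7ff09b8cf228 in dict_add_document_line src/data/dictionary.c:1518
    #4 0x7ff09b8cf062 in dict_set_documents src/data/dictionary.c:1475
    #5 0x7ff09bcec536 in merge_dictionary src/language/data-io/combine-files.c:540
    #6 0x7ff09bceab32 in combine_files src/language/data-io/combine-files.c:268
    #7 0x7ff09bce9f33 in cmd_match_files src/language/data-io/combine-files.c:134
    #8 0x7ff09bbf2d63 in do_parse_command src/language/command.c:233
    #9 0x7ff09bbf2809 in cmd_parse_in_state src/language/command.c:147
    #10 0x7ff09bbf28d9 in cmd_parse src/language/command.c:162
    #11 0x5564ac75be30 in main src/ui/terminal/main.c:136
"""

# Patterns are assumptions based on the ASan text format in the report above.
HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
# Either "in <func> <file>:<line>[:<col>]" or an unsymbolized "(<module>+<offset>)" frame.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?|\((\S+)\))$")


@dataclass
class Frame:
    index: int
    function: Optional[str]
    file: Optional[str]
    line: Optional[int]
    module: Optional[str]  # set only for unsymbolized frames (e.g. inside libasan)


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse the error header, the faulting access line and the first stack.
    Later stacks (freed-by / allocated-by) are deliberately ignored here."""
    report: Optional[AsanReport] = None
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=m.group(3))
            continue
        m = ACCESS_RE.match(line)
        if m and report.access is None:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            continue
        m = FRAME_RE.match(line)
        if m:
            in_stack = True
            report.frames.append(Frame(
                index=int(m.group(1)),
                function=m.group(2),
                file=m.group(3),
                line=int(m.group(4)) if m.group(4) else None,
                module=m.group(5),
            ))
        elif in_stack:
            break  # first non-frame line after the stack ends the access stack
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_project_frame(report: AsanReport, source_prefix: str = "src/") -> Optional[Frame]:
    """Skip runtime/libc frames and return the first frame in the project's source tree."""
    for f in report.frames:
        if f.file is not None and f.file.startswith(source_prefix):
            return f
    return None


def crash_signature(report: AsanReport, depth: int = 3, source_prefix: str = "src/") -> str:
    """Dedup key: error kind plus the top `depth` project function names.
    Addresses are excluded because they change between runs (ASLR, heap layout)."""
    funcs = [f.function for f in report.frames if f.file and f.file.startswith(source_prefix)]
    return f"{report.kind}:" + "->".join(funcs[:depth])


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    top = first_project_frame(r)
    print(f"{r.access} of {r.size} bytes, first project frame: {top.file}:{top.line} ({top.function})")
    print("signature:", crash_signature(r))
```

Running the script on the sample prints the `i18n.c:499` frame as the first project frame and a signature of the form `heap-use-after-free:utf8_encoding_concat_len->utf8_encoding_trunc_len->dict_add_document_line`; two fuzzer inputs that yield the same signature can be queued as one issue, while a differing signature (or a WRITE rather than a READ) deserves its own ticket.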
