bug-texinfo

Re: Invalid memory read / heap out of bounds in parse_top_node_line()


From: Gavin Smith
Subject: Re: Invalid memory read / heap out of bounds in parse_top_node_line()
Date: Sat, 21 Jan 2017 14:40:31 +0000

On 18 October 2016 at 10:51, Hanno Böck <address@hidden> wrote:
> Hi,
>
> The attached file will cause an out of bounds heap read in the
> function parse_top_node_line.
> To see this you need a memory safety detection tool like valgrind or
> address sanitizer (add "-fsanitize=address" to CFLAGS+LDFLAGS).
>
> This was found with the tool american fuzzy lop.
>
>
> Here's a stack trace from address sanitizer (latest svn code):
>
> ==4818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dd9d at pc 0x00000051c1dd bp 0x7fff7ca0ad10 sp 0x7fff7ca0ad08
> READ of size 1 at 0x60200000dd9d thread T0
>     #0 0x51c1dc in parse_top_node_line /f/texinfo/trunk/info/info-utils.c:1174:11
>     #1 0x51c1dc in scan_node_contents /f/texinfo/trunk/info/info-utils.c:1646
>     #2 0x53d816 in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1445:11
>     #3 0x53bada in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1486:10
>     #4 0x53bada in info_get_node_of_file_buffer /f/texinfo/trunk/info/nodes.c:1110
>     #5 0x53b289 in info_get_node_with_defaults /f/texinfo/trunk/info/nodes.c:993:14
>     #6 0x55ef41 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3765:10
>     #7 0x55ec52 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3728:11
>     #8 0x5227b0 in main /f/texinfo/trunk/info/info.c:1027:7
>     #9 0x7f2aa5adc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
>     #10 0x419b28 in _start (/r/texinfo/ginfo+0x419b28)
>
> 0x60200000dd9d is located 0 bytes to the right of 13-byte region [0x60200000dd90,0x60200000dd9d)
> allocated by thread T0 here:
>     #0 0x4c1758 in malloc (/r/texinfo/ginfo+0x4c1758)
>     #1 0x58254e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13

Thanks for the report, I've committed a fix.
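The report above describes a one-byte heap read exactly at the end of a 13-byte malloc'd region, the classic shape of a scanner that walks a buffer looking for a delimiter without being told where the buffer ends. The following is an added illustration of that bug class and its bounded counterpart; it is constructed example code, not texinfo's parse_top_node_line or the committed fix, and the function names (find_line_end_unbounded, find_line_end_bounded, make_unterminated, scan_unterminated_region) and the 13-byte sample text are hypothetical. Built with "-fsanitize=address" in CFLAGS and LDFLAGS as the report suggests, the unbounded scanner reports a heap-buffer-overflow READ of size 1 on a buffer like the one here; the bounded one returns "not found" instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a scanner over a heap region that was filled straight
   from a file and therefore carries no '\0' terminator. */

/* Unsafe form: assumes a '\n' or '\0' exists somewhere after p. When the
   region holds neither, the loop reads p[len], i.e. 0 bytes past the end of
   the allocation, which is what AddressSanitizer flags as a 1-byte heap read. */
size_t find_line_end_unbounded(const char *p)
{
    size_t i = 0;
    while (p[i] != '\n' && p[i] != '\0')
        i++;
    return i;
}

/* Hardened form: the allocation length travels with the pointer and bounds
   the scan. Returns len when no delimiter is present so the caller can treat
   "not found" as a distinct, safe outcome instead of an out-of-bounds index. */
size_t find_line_end_bounded(const char *p, size_t len)
{
    size_t i = 0;
    while (i < len && p[i] != '\n' && p[i] != '\0')
        i++;
    return i;
}

/* Allocate exactly len bytes and copy src into them with no terminator,
   the way a file-reading routine might hand a region to a parser.
   Caller frees. */
char *make_unterminated(const char *src, size_t len)
{
    char *buf = malloc(len);            /* no room reserved for '\0' */
    if (!buf)
        abort();
    memcpy(buf, src, len);
    return buf;
}

/* Reproduce the shape in the report: a 13-byte region containing neither a
   newline nor a NUL. Only the bounded scanner is called here; calling
   find_line_end_unbounded(buf) on this buffer would read buf[13]. */
size_t scan_unterminated_region(void)
{
    static const char text[] = "File: foo.inf";   /* 13 bytes, constructed */
    const size_t len = 13;
    char *buf = make_unterminated(text, len);
    size_t r = find_line_end_bounded(buf, len);    /* 13: delimiter absent */
    free(buf);
    return r;
}

int main(void)
{
    size_t r = scan_unterminated_region();
    if (r == 13)
        printf("no delimiter in 13-byte region; bounded scan stopped at %zu\n", r);
    else
        printf("delimiter at %zu\n", r);
    return 0;
}
```

The defensive point is the signature change: once the length is a parameter, a missing delimiter becomes a return value the caller must handle rather than a memory access the sanitizer must catch. The same fix pattern applies to any parser that receives a pointer into a larger buffer and scans for a terminator.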
