heap out of bounds memory access in find_node

bug-texinfo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

heap out of bounds memory access in find_node_separator

From:	Hanno Böck
Subject:	heap out of bounds memory access in find_node_separator
Date:	Sat, 21 Jan 2017 18:03:34 +0100

Hi,

The attached file causes an out of bounds memory read in texinfo (test
with ginfo -f [file] -o -). This was found with the fuzzing tool
american fuzzy lop.
You need a memory safety tool like address sanitizer
(-fsanitize=address in CFLAGS) to see this bug.

Here's a stack trace from address sanitizer:

==31399==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200004bb4f at pc 0x00000055180f bp 0x7ffd8696cf80 sp 0x7ffd8696cf78
READ of size 1 at 0x60200004bb4f thread T0
    #0 0x55180e in find_node_separator /f/texinfo/trunk/info/search.c:473:11
    #1 0x55180e in find_file_section /f/texinfo/trunk/info/search.c:551
    #2 0x544ba6 in build_tags_and_nodes /f/texinfo/trunk/info/nodes.c:90:20
    #3 0x549402 in info_load_file /f/texinfo/trunk/info/nodes.c:755:5
    #4 0x548c0d in info_find_file /f/texinfo/trunk/info/nodes.c:665:17
    #5 0x54a533 in info_get_node_with_defaults 
/f/texinfo/trunk/info/nodes.c:988:19
    #6 0x56de02 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
    #7 0x56dad2 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
    #8 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
    #9 0x7fd420ae678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)

0x60200004bb4f is located 1 bytes to the left of 16-byte region 
[0x60200004bb50,0x60200004bb60)
allocated by thread T0 here:
    #0 0x4ca6f8 in malloc (/old-ram1/texinfo/ginfo+0x4ca6f8)
    #1 0x59090e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13
    #2 0x518c87 in filesys_read_info_file /f/texinfo/trunk/info/filesys.c:321:18
    #3 0x548db2 in info_load_file /f/texinfo/trunk/info/nodes.c:728:14
    #4 0x548c0d in info_find_file /f/texinfo/trunk/info/nodes.c:665:17
    #5 0x54a533 in info_get_node_with_defaults 
/f/texinfo/trunk/info/nodes.c:988:19
    #6 0x56de02 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
    #7 0x56dad2 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
    #8 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
    #9 0x7fd420ae678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/f/texinfo/trunk/info/search.c:473:11 in find_node_separator

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

heap-oob-find_node_separator.info
Description: Binary data

[Prev in Thread]

Current Thread

[Next in Thread]

heap out of bounds memory access in find_node_separator, Hanno Böck <=
- Re: heap out of bounds memory access in find_node_separator, Gavin Smith, 2017/01/21

Prev by Date: Re: Windows style improvements
Next by Date: Re: heap out of bounds memory access in find_node_separator
Previous by thread: Re: Invalid memory read / heap out of bounds in parse_top_node_line()
Next by thread: Re: heap out of bounds memory access in find_node_separator
Index(es):
- Date
- Thread