heap use after free in find_node

bug-texinfo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

heap use after free in find_node_separator()

From:	Hanno Böck
Subject:	heap use after free in find_node_separator()
Date:	Sun, 22 Jan 2017 13:33:58 +0100

The attached file will cause a heap use after free bug int he function
find_node_separator().

Stack trace from address sanitizer:

==13898==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000dd52 
at pc 0x0000005523ec bp 0x7ffc983fad30 sp 0x7ffc983fad28
READ of size 1 at 0x60400000dd52 thread T0
    #0 0x5523eb in find_node_separator /f/texinfo/trunk/info/search.c:473:11
    #1 0x5523eb in find_node_in_binding /f/texinfo/trunk/info/search.c:591
    #2 0x54d674 in adjust_nodestart /f/texinfo/trunk/info/nodes.c:1198:18
    #3 0x54b8af in find_node_from_tag /f/texinfo/trunk/info/nodes.c:1238:15
    #4 0x54b8af in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1411
    #5 0x54ade9 in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1490:10
    #6 0x54ade9 in info_get_node_of_file_buffer 
/f/texinfo/trunk/info/nodes.c:1114
    #7 0x54a5f3 in info_get_node_with_defaults 
/f/texinfo/trunk/info/nodes.c:997:14
    #8 0x56dea2 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
    #9 0x56db72 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
    #10 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
    #11 0x7f8a26ac078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #12 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)

0x60400000dd52 is located 2 bytes inside of 47-byte region 
[0x60400000dd50,0x60400000dd7f)
freed by thread T0 here:
    #0 0x4ca540 in __interceptor_cfree.localalias.1 
(/old-ram1/texinfo/ginfo+0x4ca540)
    #1 0x548ca8 in info_find_file /f/texinfo/trunk/info/nodes.c:671:3
    #2 0x54a5c3 in info_get_node_with_defaults 
/f/texinfo/trunk/info/nodes.c:992:19
    #3 0x56dea2 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
    #4 0x56db72 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
    #5 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
    #6 0x7f8a26ac078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #7 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)

previously allocated by thread T0 here:
    #0 0x4ca6f8 in malloc (/old-ram1/texinfo/ginfo+0x4ca6f8)
    #1 0x5912b0 in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13
    #2 0x5912b0 in xmemdup /f/texinfo/trunk/gnulib/lib/xmalloc.c:113
    #3 0x5912b0 in xstrdup /f/texinfo/trunk/gnulib/lib/xmalloc.c:121
    #4 0x5489f3 in info_find_file /f/texinfo/trunk/info/nodes.c:634:16
    #5 0x54a5c3 in info_get_node_with_defaults 
/f/texinfo/trunk/info/nodes.c:992:19
    #6 0x56dea2 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3764:10
    #7 0x56db72 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3727:11
    #8 0x531e19 in main /f/texinfo/trunk/info/info.c:1073:7
    #9 0x7f8a26ac078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41a598 in _start (/old-ram1/texinfo/ginfo+0x41a598)

SUMMARY: AddressSanitizer: heap-use-after-free 
/f/texinfo/trunk/info/search.c:473:11 in find_node_separator

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: address@hidden
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

texinfo-uaf-find_node_separator.info
Description: Binary data

[Prev in Thread]

Current Thread

[Next in Thread]

heap use after free in find_node_separator(), Hanno Böck <=
- Re: heap use after free in find_node_separator(), Gavin Smith, 2017/01/23

Prev by Date: Re: out of bounds heap read in scan_node_contents
Next by Date: heap out of bounds read in scan_reference_target
Previous by thread: out of bounds heap read in scan_node_contents
Next by thread: Re: heap use after free in find_node_separator()
Index(es):
- Date
- Thread