[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Remaining memory corruption bugs in readline
|
From: |
Chet Ramey |
|
Subject: |
Re: Remaining memory corruption bugs in readline |
|
Date: |
Fri, 9 Jun 2017 17:59:34 -0400 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 |
On 6/8/17 11:34 AM, Chet Ramey wrote:
> On 6/8/17 11:09 AM, dualbus wrote:
>> On Fri, Jun 02, 2017 at 12:07:34AM -0500, dualbus wrote:
>> [...]
>>> #1 _rl_get_char_len / update_line
>> [...]
>>> ==5781==ERROR: AddressSanitizer: heap-buffer-overflow on address
>>> 0x61900000cc80 at pc 0x7f400d00b063 bp 0x7ffcbce72250 sp 0x7ffcbce71a00
>>> READ of size 851 at 0x61900000cc80 thread T0
>>> #0 0x7f400d00b062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
>>> #1 0x559b50a04821 in _rl_get_char_len
>>> ../../../bash/lib/readline/mbutil.c:223
>>> #2 0x559b50a048e0 in _rl_compare_chars
>>> ../../../bash/lib/readline/mbutil.c:252
>>> #3 0x559b509db526 in update_line
>>> ../../../bash/lib/readline/display.c:1664
>> [...]
>>
>> I have been looking at this specific example for some time now.
>>
>> The problem is that _rl_get_char_len assumes it's being called with a
>> \0-terminated string, but under some cases (that I haven't been able to
>> figure out), there's no \0 at the end, so the strlen reads more than it
>> should.
>
> I've been traveling and have not looked at this.
It's an off-by-one error.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/