tic crashes on very long tc/use clauses
From: Gabriel Ravier
Subject: tic crashes on very long tc/use clauses
Date: Sat, 21 Jan 2023 17:01:20 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Running tic -I on the attached testcase results in the following crash,
on my build of tic with the sanitizer enabled:
$ /tmp/tmp.b0oTaxphz4/progs/tic -I minimized-crash1
"minimized-crash1", line 1, col 606, terminal '0': Very long string found. Missing separator?
"minimized-crash1", line 1, col 4098, terminal '0': Missing separator
=================================================================
==916757==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8322f03020 at pc 0x0000004b42c0 bp 0x7fffb24fc9e0 sp 0x7fffb24fc1a0
WRITE of size 4097 at 0x7f8322f03020 thread T0
    #0 0x4b42bf in __interceptor_vsprintf (/tmp/tmp.b0oTaxphz4/progs/tic+0x4b42bf) (BuildId: 678826baa1a6c16c2883a73cb51d20331e19a005)
    #1 0x4b4656 in __sprintf_chk (/tmp/tmp.b0oTaxphz4/progs/tic+0x4b4656) (BuildId: 678826baa1a6c16c2883a73cb51d20331e19a005)
    #2 0x596c5e in dump_uses /home/gravier/src/libraries/user-interface/text/curses/ncurses/progs/dump_entry.c:1661:5
    #3 0x51b05d in main /home/gravier/src/libraries/user-interface/text/curses/ncurses/progs/tic.c:1060:4
    #4 0x7f83246c750f in __libc_start_call_main /usr/src/debug/glibc-2.36-9.fc37.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f83246c75c8 in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.36-9.fc37.x86_64/csu/../csu/libc-start.c:381:3
    #6 0x41f6f4 in _start (/tmp/tmp.b0oTaxphz4/progs/tic+0x41f6f4) (BuildId: 678826baa1a6c16c2883a73cb51d20331e19a005)

Address 0x7f8322f03020 is located in stack of thread T0 at offset 4128 in frame
    #0 0x596acf in dump_uses /home/gravier/src/libraries/user-interface/text/curses/ncurses/progs/dump_entry.c:1656

  This frame has 1 object(s):
    [32, 4128) 'buffer' (line 1657) <== Memory access at offset 4128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/tmp/tmp.b0oTaxphz4/progs/tic+0x4b42bf) (BuildId: 678826baa1a6c16c2883a73cb51d20331e19a005) in __interceptor_vsprintf
==916757==ABORTING
This appears to be due to wrong handling of extremely long tc/use clauses.
Attachment: minimized-crash1 (Text document)
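The trace above shows sprintf() writing 4097 bytes into a 4096-byte stack buffer in dump_uses(). The following is an added example, not ncurses code, of the bounded pattern that avoids that class of bug: it formats a list of use= clauses with snprintf() and refuses the whole clause when it would not fit. The function name, the "use=%s," layout and the 4096-byte size are assumptions modelled on the report, not the real dump_entry.c code.

```c
/* Added example, not ncurses code. Names and sizes are hypothetical,
 * chosen to mirror the 4096-byte stack 'buffer' in the ASan report. */
#include <stdio.h>
#include <string.h>

#define USE_BUF_SIZE 4096   /* assumed buffer size, matches the report's frame */

/* Append "use=<name>," for each name into buf, never writing past size.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output would not fit; on -1 buf is left empty, not partially filled. */
int format_uses(char *buf, size_t size, const char *const *names, size_t count)
{
    size_t used = 0;
    if (size == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        /* snprintf returns the length it *wanted* to write, so an oversized
         * clause is detected here instead of overrunning the stack the way
         * an unbounded sprintf would. */
        int n = snprintf(buf + used, size - used, "use=%s,", names[i]);
        if (n < 0 || (size_t)n >= size - used) {
            buf[0] = '\0';
            return -1;
        }
        used += (size_t)n;
    }
    return (int)used;
}

/* Build a constructed terminal name of the given length (caller supplies
 * len + 1 bytes of storage). */
static void make_long_name(char *out, size_t len)
{
    memset(out, 'x', len);
    out[len] = '\0';
}

int main(void)
{
    char buf[USE_BUF_SIZE];
    char longname[USE_BUF_SIZE + 2];
    const char *ok[] = { "vt100", "xterm" };
    int n = format_uses(buf, sizeof buf, ok, 2);
    printf("%d: %s\n", n, buf);            /* 20: use=vt100,use=xterm, */

    make_long_name(longname, USE_BUF_SIZE + 1);   /* 4097 chars, as in the report */
    const char *bad[] = { longname };
    n = format_uses(buf, sizeof buf, bad, 1);
    printf("%d\n", n);                     /* -1: refused instead of overflowing */
    return 0;
}
```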