fuzzing crash (stack overflow) in `simplecpp::Macro::expandHashHash()`
firewave commented
#define foo(intp)f##oo(intp
foo(f##oo(intp))
==200327== at 0x129A34: __gnu_cxx::__aligned_membuf<simplecpp::Macro const*>::_M_addr() (aligned_buffer.h:65)
==200327== by 0x129A24: __gnu_cxx::__aligned_membuf<simplecpp::Macro const*>::_M_ptr() (aligned_buffer.h:73)
==200327== by 0x1297A8: std::_Rb_tree_node<simplecpp::Macro const*>::_M_valptr() (stl_tree.h:235)
==200327== by 0x129664: std::_Rb_tree_node<simplecpp::Macro const*>* std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_M_clone_node<false, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node>(std::_Rb_tree_node<simplecpp::Macro const*>*, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node&) (stl_tree.h:647)
==200327== by 0x1293FC: std::_Rb_tree_node<simplecpp::Macro const*>* std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_M_copy<false, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node>(std::_Rb_tree_node<simplecpp::Macro const*>*, std::_Rb_tree_node_base*, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node&) (stl_tree.h:1896)
==200327== by 0x129365: std::_Rb_tree_node<simplecpp::Macro const*>* std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_M_copy<false, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node>(std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> > const&, std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Alloc_node&) (stl_tree.h:892)
==200327== by 0x129262: std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_M_copy(std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> > const&) (stl_tree.h:903)
==200327== by 0x129070: std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::_Rb_tree(std::_Rb_tree<simplecpp::Macro const*, simplecpp::Macro const*, std::_Identity<simplecpp::Macro const*>, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> > const&) (stl_tree.h:941)
==200327== by 0x12901C: std::set<simplecpp::Macro const*, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> >::set(std::set<simplecpp::Macro const*, std::less<simplecpp::Macro const*>, std::allocator<simplecpp::Macro const*> > const&) (stl_set.h:225)
==200327== by 0x1249C2: simplecpp::Token::Token(simplecpp::Token const&) (simplecpp.h:103)
==200327== by 0x1378BA: simplecpp::Macro::appendTokens(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:1770)
==200327== by 0x134284: simplecpp::Macro::expandHashHash(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2227)
==200327== by 0x137578: simplecpp::Macro::appendTokens(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:1750)
==200327== by 0x132643: simplecpp::Macro::expandToken(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2026)
==200327== by 0x134364: simplecpp::Macro::expandHashHash(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2232)
==200327== by 0x137578: simplecpp::Macro::appendTokens(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:1750)
==200327== by 0x132643: simplecpp::Macro::expandToken(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2026)
==200327== by 0x134364: simplecpp::Macro::expandHashHash(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2232)
==200327== by 0x137578: simplecpp::Macro::appendTokens(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:1750)
==200327== by 0x132643: simplecpp::Macro::expandToken(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2026)
==200327== by 0x134364: simplecpp::Macro::expandHashHash(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, simplecpp::Macro, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, simplecpp::Macro> > > const&, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<simplecpp::Token const*, std::allocator<simplecpp::Token const*> > const&) const (simplecpp.cpp:2232)
[...]