out-of-bounds read for empty CCL
millert opened this issue · 1 comments
millert commented
Running testdir/t.re2 with -fsanitize=address exposes a problem where an empty UTF-8 string is stored but later accessed as a UTF-32 string.
==3469646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001290 at pc 0x562edf01cd76 bp 0x7ffd32ea3b90 sp 0x7ffd32ea3b80
READ of size 4 at 0x602000001290 thread T0
#0 0x562edf01cd75 in member /home/millert/awk.millert/b.c:590
#1 0x562edf01e61c in cgoto /home/millert/awk.millert/b.c:1423
#2 0x562edf01fa54 in match /home/millert/awk.millert/b.c:642
#3 0x562edf031988 in matchop /home/millert/awk.millert/run.c:815
#4 0x562edf02edfd in execute /home/millert/awk.millert/run.c:166
#5 0x562edf0302b0 in relop /home/millert/awk.millert/run.c:892
#6 0x562edf02edfd in execute /home/millert/awk.millert/run.c:166
#7 0x562edf036764 in pastat /home/millert/awk.millert/run.c:1635
#8 0x562edf02edfd in execute /home/millert/awk.millert/run.c:166
#9 0x562edf02f102 in program /home/millert/awk.millert/run.c:198
#10 0x562edf02edfd in execute /home/millert/awk.millert/run.c:166
#11 0x562edf03b5f4 in run /home/millert/awk.millert/run.c:141
#12 0x562edf022015 in main /home/millert/awk.millert/main.c:230
#13 0x7f7734023a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#14 0x7f7734023b48 in __libc_start_main_impl ../csu/libc-start.c:360
#15 0x562edf016b64 in _start (/home/millert/awk.millert/a.out+0x13b64) (BuildId: 5d9a6a6abce7e8da74c5c8232229af6ba5d6668a)
0x602000001291 is located 0 bytes after 1-byte region [0x602000001290,0x602000001291)
allocated by thread T0 here:
#0 0x7f77344841b8 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
#1 0x562edf0244a4 in tostring /home/millert/awk.millert/tran.c:526
#2 0x562edf01e1cd in primary /home/millert/awk.millert/b.c:948
#3 0x562edf01deb5 in concat /home/millert/awk.millert/b.c:968
#4 0x562edf01df35 in regexp /home/millert/awk.millert/b.c:902
#5 0x562edf01e2f9 in reparse /home/millert/awk.millert/b.c:894
#6 0x562edf01f566 in mkdfa /home/millert/awk.millert/b.c:228
#7 0x562edf02134c in makedfa /home/millert/awk.millert/b.c:193
#8 0x562edf018bc1 in yyparse /home/millert/awk.millert/awkgram.y:285
#9 0x562edf021f4c in main /home/millert/awk.millert/main.c:219
#10 0x7f7734023a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
I've amended #196 to include a fix for this, since it is a related problem. If you prefer, I can create a separate PR for it.
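The mismatch the report describes, as an added illustration that is not awk's code and not the fix in #196: a character class kept as a UTF-8 string (`strdup("")` yields a 1-byte region) is handed to a walker that expects a 0-terminated UTF-32 array, whose very first read is 4 bytes wide. The names `member`, `cclenter_buggy`, `cclenter_fixed` and `decode_utf8` are hypothetical stand-ins; `member` is modelled on the loop shape the trace points at, and the fixed path shows what a representation that always owns a 4-byte terminator looks like. Assumes `sizeof(int) == 4`, as in the trace.

```c
/* Added illustration, not onetrue-awk source. Names are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Walk a 0-terminated UTF-32 (int) array; modelled on the shape of b.c's member(). */
int member(int c, const int *sarg)
{
    for (const int *s = sarg; *s != 0; s++)   /* first access reads sizeof(int) bytes */
        if (c == *s)
            return 1;
    return 0;
}

/* Buggy representation: the class text is stored as UTF-8, so "" occupies exactly
 * one byte (the NUL). Casting the result to int * and calling member() on it is
 * the heap-buffer-overflow in the report: READ of size 4 from a 1-byte region. */
char *cclenter_buggy(const char *ccl)
{
    return strdup(ccl);
}

/* Decode one UTF-8 sequence starting at s into *out.
 * Returns the number of bytes consumed, or 0 if the sequence is malformed.
 * Continuation-byte checks short-circuit on NUL, so this never reads past the string. */
static size_t decode_utf8(const unsigned char *s, int *out)
{
    if (s[0] < 0x80) { *out = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *out = ((s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return 2;
    }
    if ((s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *out = ((s[0] & 0x0F) << 12) | ((s[1] & 0x3F) << 6) | (s[2] & 0x3F);
        return 3;
    }
    if ((s[0] & 0xF8) == 0xF0 && (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80
        && (s[3] & 0xC0) == 0x80) {
        *out = ((s[0] & 0x07) << 18) | ((s[1] & 0x3F) << 12)
             | ((s[2] & 0x3F) << 6) | (s[3] & 0x3F);
        return 4;
    }
    return 0;
}

/* Fixed representation: always build a 0-terminated int array, so even the empty
 * class owns a full 4-byte terminator that member() may legally read.
 * Returns NULL on allocation failure or malformed UTF-8 (caller frees the result). */
int *cclenter_fixed(const char *ccl)
{
    size_t cap = strlen(ccl) + 1;              /* code points <= bytes, plus terminator */
    int *out = malloc(cap * sizeof *out);
    if (out == NULL)
        return NULL;
    size_t n = 0;
    const unsigned char *p = (const unsigned char *)ccl;
    while (*p) {
        size_t k = decode_utf8(p, &out[n]);
        if (k == 0) { free(out); return NULL; } /* reject malformed input */
        n++;
        p += k;
    }
    out[n] = 0;
    return out;
}

/* Bytes the buggy representation allocates for a class, vs. bytes member() reads first. */
size_t utf8_alloc_bytes(const char *ccl) { return strlen(ccl) + 1; }
size_t first_read_bytes(void) { return sizeof(int); }

int main(void)
{
    int *empty = cclenter_fixed("");
    int *cls = cclenter_fixed("a\xC3\xA9");    /* constructed input: the class [aé] */
    printf("empty class: member('a') = %d\n", member('a', empty));
    printf("[a\xC3\xA9]: member(U+00E9) = %d\n", member(0xE9, cls));
    printf("buggy \"\" allocates %zu byte(s); member() first reads %zu\n",
           utf8_alloc_bytes(""), first_read_bytes());
    /* The reported bug is member('a', (int *)cclenter_buggy("")); it is undefined
     * behaviour, so it is not executed here. Build with -fsanitize=address and call
     * it to reproduce the "READ of size 4 ... 1-byte region" report above. */
    free(empty);
    free(cls);
    return 0;
}
```

The point of `cclenter_fixed` is that the terminator is part of the type: the element width and the terminator width agree, so there is no input, empty or not, for which the walker's first read is wider than the allocation.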
plan9 commented
thanks todd, no need for a separate PR.