Global-buffer-overflow on keywordCode function
Hanseltu opened this issue · 1 comments
Hanseltu commented
Hi,
We found a possible buffer overflow; please check the attached file for reproduction.
$cd build/example
$./unqlitec input.sql
=================================================================
==19666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555686a36 at pc 0x5555555d8d5c bp 0x7fffffffb480 sp 0x7fffffffb470
READ of size 1 at 0x555555686a36 thread T0
#0 0x5555555d8d5b in keywordCode /experiments/unqlite-reproduce/unqlite.c:26441
#1 0x5555555d4be9 in jx9TokenizeInput /experiments/unqlite-reproduce/unqlite.c:25961
#2 0x5555555e94c9 in SyLexTokenizeInput /experiments/unqlite-reproduce/unqlite.c:28831
#3 0x5555555da268 in jx9Tokenize /experiments/unqlite-reproduce/unqlite.c:26630
#4 0x5555555c00a1 in jx9CompileScript /experiments/unqlite-reproduce/unqlite.c:20612
#5 0x555555580890 in ProcessScript /experiments/unqlite-reproduce/unqlite.c:7545
#6 0x555555580d5f in jx9_compile /experiments/unqlite-reproduce/unqlite.c:7615
#7 0x555555576c1b in unqlite_compile /experiments/unqlite-reproduce/unqlite.c:4466
#8 0x555555573b2f in execute_sql_commands /experiments/unqlite-reproduce/example/unqlite.c:51
#9 0x5555555742d8 in main /experiments/unqlite-reproduce/example/unqlite.c:101
#10 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#11 0x5555555736a9 in _start (/periments/unqlite-reproduce/build/example/unqlitec+0x1f6a9)
0x555555686a36 is located 15 bytes to the right of global variable '*.LC1152' defined in '/experiments/unqlite-reproduce/unqlite.c' (0x555555686a20) of size 7
'*.LC1152' is ascii string '_FILES'
0x555555686a36 is located 42 bytes to the left of global variable 'aHash' defined in '/experiments/unqlite-reproduce/unqlite.c:26407:30' (0x555555686a60) of size 59
SUMMARY: AddressSanitizer: global-buffer-overflow /experiments/unqlite-reproduce/unqlite.c:26441 in keywordCode
Shadow bytes around the buggy address:
0x0aab2aac8cf0: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
0x0aab2aac8d00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aab2aac8d10: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0aab2aac8d20: 00 00 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
0x0aab2aac8d30: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 04
=>0x0aab2aac8d40: f9 f9 f9 f9 07 f9[f9]f9 f9 f9 f9 f9 00 00 00 00
0x0aab2aac8d50: 00 00 00 03 f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9
0x0aab2aac8d60: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 00 00
0x0aab2aac8d70: 00 00 00 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9
0x0aab2aac8d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0aab2aac8d90: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19666==ABORTING
Building instruction: cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_C_FLAGS="-g -fsanitize=address" ..
GCC version: gcc-7.5.0
OS: x86_64 ubuntu 18.04
Git version of unqlite: 957c377cb691a4f617db9aba5cc46d90425071e2 (master)
Reproducible files: unqlite-reproduce.zip
Thanks,
Haoxin
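The report above states where the faulting read lands relative to two neighbouring globals. When triaging a stream of sanitizer reports it helps to extract those facts mechanically and to check that the stated distances agree with the addresses and sizes ASan printed, so a mangled or hand-edited report is caught before anyone spends time on it. The parser below is an added example written for this page; it is not part of the issue, the reporter's attachment, or the unqlite project. The embedded excerpt is copied from the ASan output quoted above (minus the shadow-byte dump); the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the AddressSanitizer report quoted in the issue (constructed sample
# input for this example; the shadow-byte dump is omitted since it is not parsed).
SAMPLE_REPORT = """\
==19666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555686a36 at pc 0x5555555d8d5c bp 0x7fffffffb480 sp 0x7fffffffb470
READ of size 1 at 0x555555686a36 thread T0
#0 0x5555555d8d5b in keywordCode /experiments/unqlite-reproduce/unqlite.c:26441
#1 0x5555555d4be9 in jx9TokenizeInput /experiments/unqlite-reproduce/unqlite.c:25961
#10 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
0x555555686a36 is located 15 bytes to the right of global variable '*.LC1152' defined in '/experiments/unqlite-reproduce/unqlite.c' (0x555555686a20) of size 7
'*.LC1152' is ascii string '_FILES'
0x555555686a36 is located 42 bytes to the left of global variable 'aHash' defined in '/experiments/unqlite-reproduce/unqlite.c:26407:30' (0x555555686a60) of size 59
SUMMARY: AddressSanitizer: global-buffer-overflow /experiments/unqlite-reproduce/unqlite.c:26441 in keywordCode
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
# Only frames with a file:line location are kept; library frames like
# "(libc.so.6+0x21c86)" carry no source position and are skipped.
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)")
GLOBAL_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (right|left) of global variable "
    r"'([^']+)' defined in '[^']*' \((0x[0-9a-f]+)\) of size (\d+)"
)
STRING_RE = re.compile(r"'([^']+)' is ascii string '([^']*)'")


@dataclass
class GlobalNeighbour:
    name: str
    base: int
    size: int
    side: str         # "right": access is past the end; "left": access is before the start
    stated_gap: int   # distance printed by ASan
    computed_gap: int # distance recomputed from address, base and size

    @property
    def consistent(self) -> bool:
        return self.stated_gap == self.computed_gap


@dataclass
class AsanTriage:
    pid: int
    kind: str
    address: int
    access: str
    size: int
    frames: list = field(default_factory=list)      # (function, file, line)
    neighbours: list = field(default_factory=list)  # GlobalNeighbour entries
    strings: dict = field(default_factory=dict)     # global name -> string contents

    @property
    def overrun_global(self):
        """The global the access ran past the end of, if ASan named one."""
        return next((n for n in self.neighbours if n.side == "right"), None)


def parse_asan_report(text: str) -> AsanTriage:
    """Extract the triage-relevant facts from an ASan global-buffer-overflow report."""
    err = ERROR_RE.search(text)
    if err is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    acc = ACCESS_RE.search(text)
    if acc is None:
        raise ValueError("no READ/WRITE access line found")
    report = AsanTriage(pid=int(err.group(1)), kind=err.group(2),
                        address=int(err.group(3), 16),
                        access=acc.group(1), size=int(acc.group(2)))
    for f in FRAME_RE.finditer(text):
        report.frames.append((f.group(2), f.group(3), int(f.group(4))))
    for g in GLOBAL_RE.finditer(text):
        addr, gap, side = int(g.group(1), 16), int(g.group(2)), g.group(3)
        name, base, size = g.group(4), int(g.group(5), 16), int(g.group(6))
        # Recompute the gap independently of what ASan printed.
        computed = addr - (base + size) if side == "right" else base - addr
        report.neighbours.append(GlobalNeighbour(name, base, size, side, gap, computed))
    for s in STRING_RE.finditer(text):
        report.strings[s.group(1)] = s.group(2)
    return report


def summarize(report: AsanTriage) -> str:
    """One-line triage summary: where the bad access is and whether the report is self-consistent."""
    func, path, line = report.frames[0] if report.frames else ("?", "?", 0)
    over = report.overrun_global
    where = f"{over.computed_gap} bytes past '{over.name}'" if over else "unknown global"
    ok = all(n.consistent for n in report.neighbours)
    return (f"{report.kind}: {report.access} of {report.size} byte(s) in {func} "
            f"({path}:{line}), {where}; distances {'consistent' if ok else 'INCONSISTENT'}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Run on the excerpt, the summary reads that a 1-byte read in keywordCode at unqlite.c:26441 lands 15 bytes past the 7-byte string literal `_FILES`, and both of ASan's stated distances recompute correctly (0x6a36 minus 0x6a27 is 15; 0x6a60 minus 0x6a36 is 42). A report whose distances do not recompute is the cue to re-run the crash under a fresh build before filing or triaging it.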