List: ncurses-bug
Subject: Re: Bug: heap-buffer-overflow of function one_one_mapping
From: "bugreporting () qiushi ! ac ! cn" <bugreporting () qiushi ! ac ! cn>
Date: 2019-10-12 2:40:46
Message-ID: 2019101210404605538549 () qiushi ! ac ! cn+85DD25134FA62BC2
Sorry that I wrongly posted the valgrind report for poc1 to the mail for poc5; I will post it again (removing useless lines) for better tracking.
Step 13/19 : RUN valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1 || exit 0
---> Running in bce32ed27872
==6== Invalid read of size 1
==6== at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6== by 0x4409DC: purged_acs (dump_entry.c:1425)
==6== by 0x4409DC: dump_entry (dump_entry.c:1587)
==6== by 0x4045BA: main (tic.c:1039)
==6== Address 0x520c54e is 0 bytes after a block of size 1,742 alloc'd
==6== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6== by 0x4F847F: _nc_wrap_entry (alloc_entry.c:177)
==6== by 0x4BB4F5: _nc_parse_entry (parse_entry.c:601)
==6== by 0x4A892B: _nc_read_entry_source (comp_parse.c:225)
==6== by 0x4037C8: main (tic.c:961)
==6==
infotocap: JE10JPYZY0KHHP5FIR1DBKQT1E66TKOBH3SH7ZYOREACE6FN24I0ZBGMQM2XLEDU3I6H5YUWJE5SDR4DVG3W6WU5I82SHPLZCC6W2HLWKPAM5FJFDWZZJIF6UKF8WW4CXU1Y4G29DRZ1A2ECW9OC8E9YZS7JGCQ0W64123X6QQQIBXL7KQ3DXM0BFY6Q812JEJ3E2FJPGJ9P4TQJ33Z6HKCDV49L4GYY2DIH9614IFMKHNSKEBLC9WVAANHM0EH0J81MAKX3D48DVAX0LR2SMRA5Q8NCN9MAEKXCBIK8GGBCIPJ325R33I5XPCX1R3239A0MHC2E480GFJFRDM2GNJR2B22O6R8DN9X7ZPD8XX9YJLNF083ZZWAVEI7Y4AHBX8TCLMA5KYOCJ4O5ASVERDE0J0KNMVDO437HEU3AWJEO89ZCM512BNMGB9VNDB3J95ZPZ7J409YF7C1ZX7UVQJ9VBZX3KYINC52TI7PV2N1NFUJFJIHVTOMSAWS7219X entry is 1684 bytes long
==6== Invalid read of size 8
==6== at 0x44F5E7: _nc_find_entry (comp_hash.c:70)
==6== by 0x42D90D: nametrans (dump_entry.c:174)
==6== by 0x40556F: put_translate (tic.c:339)
==6== by 0x40556F: main (tic.c:1033)
==6== Address 0x524ac70 is 206,112 bytes inside an unallocated block of size 4,110,480 in arena "client"
==6==
==6== Invalid read of size 1
==6== at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6== by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6== by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6== by 0x42D90D: nametrans (dump_entry.c:174)
==6== by 0x40556F: put_translate (tic.c:339)
==6== by 0x40556F: main (tic.c:1033)
==6== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6==
==6==
==6== Process terminating with default action of signal 11 (SIGSEGV)
==6== Access not within mapped region at address 0x0
==6== at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6== by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6== by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6== by 0x42D90D: nametrans (dump_entry.c:174)
==6== by 0x40556F: put_translate (tic.c:339)
==6== by 0x40556F: main (tic.c:1033)
==6== If you believe this happened as a result of a stack
==6== overflow in your program's main thread (unlikely but
==6== possible), you can try to increase the size of the
==6== main thread stack using the --main-stacksize= flag.
==6== The main thread stack size used in this run was 8388608.
==6== HEAP SUMMARY:
==6== in use at exit: 51,866 bytes in 35 blocks
==6== total heap usage: 56 allocs, 21 frees, 79,904 bytes allocated
==6==
==6== Searching for pointers to 35 not-freed blocks
==6== Checked 106,600 bytes
==6==
==6== LEAK SUMMARY:
==6== definitely lost: 0 bytes in 0 blocks
==6== indirectly lost: 0 bytes in 0 blocks
==6== possibly lost: 0 bytes in 0 blocks
==6== still reachable: 51,866 bytes in 35 blocks
==6== suppressed: 0 bytes in 0 blocks
==6== Rerun with --leak-check=full to see details of leaked memory
==6==
==6== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
==6==
==6== 1 errors in context 1 of 3:
==6== Invalid read of size 1
==6== at 0x4ED9570: __strcmp_sse2_unaligned (strcmp-sse2-unaligned.S:24)
==6== by 0x44CF30: compare_info_names (comp_captab.c:3393)
==6== by 0x44F5ED: _nc_find_entry (comp_hash.c:70)
==6== by 0x42D90D: nametrans (dump_entry.c:174)
==6== by 0x40556F: put_translate (tic.c:339)
==6== by 0x40556F: main (tic.c:1033)
==6== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==6==
==6==
==6== 1 errors in context 2 of 3:
==6== Invalid read of size 8
==6== at 0x44F5E7: _nc_find_entry (comp_hash.c:70)
==6== by 0x42D90D: nametrans (dump_entry.c:174)
==6== by 0x40556F: put_translate (tic.c:339)
==6== by 0x40556F: main (tic.c:1033)
==6== Address 0x524ac70 is 206,112 bytes inside an unallocated block of size 4,110,480 in arena "client"
==6==
==6==
==6== 1 errors in context 3 of 3:
==6== Invalid read of size 1
==6== at 0x4409DC: one_one_mapping (dump_entry.c:1399)
==6== by 0x4409DC: purged_acs (dump_entry.c:1425)
==6== by 0x4409DC: dump_entry (dump_entry.c:1587)
==6== by 0x4045BA: main (tic.c:1039)
==6== Address 0x520c54e is 0 bytes after a block of size 1,742 alloc'd
==6== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6== by 0x4F847F: _nc_wrap_entry (alloc_entry.c:177)
==6== by 0x4BB4F5: _nc_parse_entry (parse_entry.c:601)
==6== by 0x4A892B: _nc_read_entry_source (comp_parse.c:225)
==6== by 0x4037C8: main (tic.c:961)
==6==
==6== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
/bin/bash: line 1: 6 Segmentation fault valgrind -v /tmp/noasan/infotocap fuzzpoc/infotocap_poc1
_______________________________________________
Bug-ncurses mailing list
Bug-ncurses@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-ncurses