Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddressSanitizer: heap-buffer-overflow in xv_mgcsfx.c read_mgcsfx() #13

Open
mal359 opened this issue Dec 12, 2023 · 1 comment
Open

AddressSanitizer: heap-buffer-overflow in xv_mgcsfx.c read_mgcsfx() #13

mal359 opened this issue Dec 12, 2023 · 1 comment

Comments

@mal359
Copy link

mal359 commented Dec 12, 2023
edited
Loading

System Info: Debian Sid x86_64, GCC 13.1, xv latest master

=================================================================
==1589884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005bbe at pc 0x7ff0140d64cb bp 0x7ffd3c9263c0 sp 0x7ffd3c925b80
READ of size 16 at 0x602000005bbe thread T0
    #0 0x7ff0140d64ca in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:933
    #1 0x7ff0140d6e28 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:964
    #2 0x7ff0140d6e28 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:959
    #3 0x561e5be27c6d in read_mgcsfx.constprop.0 (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x264c6d) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)
    #4 0x561e5be2a037 in init_mgcsfx (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x267037) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)
    #5 0x561e5be2bf9c in CreateMGCSFXW (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x268f9c) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)
    #6 0x561e5bc3990e in main (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x7690e) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)
    #7 0x7ff0139e2b89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7ff0139e2c44 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x561e5bc3ca30 in _start (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x79a30) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)

0x602000005bbe is located 0 bytes after 14-byte region [0x602000005bb0,0x602000005bbe)
allocated by thread T0 here:
    #0 0x7ff0140ea5bf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x561e5be28300 in read_mgcsfx.constprop.0 (/home/matt/jasper/xv/tmp_cmake/xv/src/xv+0x265300) (BuildId: 262b11d9ad1aa62086c1191cd0ff61e588a69f83)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:933 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x602000005900: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
  0x602000005980: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x602000005a00: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x602000005a80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 04 fa
  0x602000005b00: fa fa fd fa fa fa 00 03 fa fa fd fa fa fa 00 fa
=>0x602000005b80: fa fa fd fa fa fa 00[06]fa fa fd fa fa fa fd fa
  0x602000005c00: fa fa 04 fa fa fa fd fa fa fa 00 05 fa fa fd fa
  0x602000005c80: fa fa 00 03 fa fa fd fa fa fa fa fa fa fa fa fa
  0x602000005d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000005d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000005e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1589884==ABORTING
@mal359 mal359 changed the title AddressSanitizer: heap-buffer-overflow in xv_mgcsfx.c AddressSanitizer: heap-buffer-overflow in xv_mgcsfx.c read_mgcsfx() Dec 12, 2023
@william8000
Copy link
Contributor

@mal359 If this still happens, can you provide an image that triggers it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@william8000 @mal359