Hello.
I found a heap-buffer-overflow bug in astyle.
Please confirm.
Thanks.
Summary: heap-buffer-overflow
OS: CentOS 7 64bit
Version: Artistic Style Version 3.1 beta and Artistic Style Version 3.0.1
==28771== Conditional jump or move depends on uninitialised value(s)
==28771== at 0x40BAA8: astyle::ASEncoding::utf8LengthFromUtf16(char const*, unsigned long, bool) const (astyle_main.cpp:3825)
==28771== by 0x40A15F: astyle::ASConsole::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >&) const (astyle_main.cpp:924)
==28771== by 0x409826: astyle::ASConsole::formatFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (astyle_main.cpp:572)
==28771== by 0x4122A6: astyle::ASConsole::processFiles() (astyle_main.cpp:2279)
==28771== by 0x41818B: main (astyle_main.cpp:4290)
==28771==
==28771== Conditional jump or move depends on uninitialised value(s)
==28771== at 0x40BC8A: astyle::ASEncoding::utf16ToUtf8(char*, unsigned long, bool, bool, char*) const (astyle_main.cpp:3984)
==28771== by 0x40A204: astyle::ASConsole::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >&) const (astyle_main.cpp:928)
==28771== by 0x409826: astyle::ASConsole::formatFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (astyle_main.cpp:572)
==28771== by 0x4122A6: astyle::ASConsole::processFiles() (astyle_main.cpp:2279)
==28771== by 0x41818B: main (astyle_main.cpp:4290)
==28771==
==28771== Conditional jump or move depends on uninitialised value(s)
==28771== at 0x40BD42: astyle::ASEncoding::utf16ToUtf8(char*, unsigned long, bool, bool, char*) const (astyle_main.cpp:4002)
==28771== by 0x40A204: astyle::ASConsole::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >&) const (astyle_main.cpp:928)
==28771== by 0x409826: astyle::ASConsole::formatFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (astyle_main.cpp:572)
==28771== by 0x4122A6: astyle::ASConsole::processFiles() (astyle_main.cpp:2279)
==28771== by 0x41818B: main (astyle_main.cpp:4290)
==28771==
=================================================================
==27599==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001fc at pc 0x0000004ff28d bp 0x7fff8b2e9f80 sp 0x7fff8b2e9f78
WRITE of size 1 at 0x6020000001fc thread T0
#0 0x4ff28c in astyle::ASEncoding::utf16ToUtf8(char*, unsigned long, bool, bool, char*) const /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:3730:11
#1 0x4fcde6 in astyle::ASConsole::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >&) const /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:826:29
#2 0x4fb69e in astyle::ASConsole::formatFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:560:26
#3 0x508232 in astyle::ASConsole::processFiles() /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:2042:4
#4 0x511e6e in main /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:3983:12
#5 0x7f9f805933f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
#6 0x429f99 in _start (/home/karas/test/astyle/build/clang/bin/astyled+0x429f99)
0x6020000001fc is located 0 bytes to the right of 12-byte region [0x6020000001f0,0x6020000001fc)
allocated by thread T0 here:
#0 0x4f6302 in operator new[](unsigned long, std::nothrow_t const&) /opt/media/clang_nightly/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:101:3
#1 0x4fcd5f in astyle::ASConsole::readFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_stringstream<char, std::char_traits<char>, std::allocator<char> >&) const /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:823:20
#2 0x4fb69e in astyle::ASConsole::formatFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:560:26
#3 0x508232 in astyle::ASConsole::processFiles() /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:2042:4
#4 0x511e6e in main /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:3983:12
#5 0x7f9f805933f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/test/astyle/build/clang/../../src/astyle_main.cpp:3730:11 in astyle::ASEncoding::utf16ToUtf8(char*, unsigned long, bool, bool, char*) const
==27599==ABORTING
=================
[Acknowledgement]
This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
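Both traces end in the same pair of functions: utf8LengthFromUtf16 sizes the destination and utf16ToUtf8 fills it, and the sanitizer places the stray write exactly 0 bytes past a 12-byte new[] region, the usual signature of a sizing pass and a writing pass that disagree on some edge of the input (the Valgrind uninitialised-value reads hint at input that ends mid code unit, although the report alone does not establish that as the cause). The following is an added illustration, not astyle's code: a minimal UTF-16LE to UTF-8 pair in which both passes share one decoder and the writer is bounds-checked, so an odd trailing byte or a lone surrogate can only become U+FFFD, never an overflow; the function names mirror the trace but the implementation is assumed, not astyle's.

```cpp
// Added example, not astyle's code: UTF-16LE -> UTF-8 where the sizing pass and
// the writing pass share one decoder, so the computed size is never too small.
#include <cstdint>
#include <string>
#include <vector>
// Decode one scalar from UTF-16LE bytes in [pos, len). A truncated trailing code
// unit or a lone surrogate yields U+FFFD; the function never reads past len.
static uint32_t nextScalar(const unsigned char* in, size_t len, size_t& pos) {
    if (len - pos < 2) { pos = len; return 0xFFFD; }             // odd trailing byte
    uint32_t u = in[pos] | (uint32_t(in[pos + 1]) << 8);
    pos += 2;
    if (u >= 0xD800 && u <= 0xDBFF) {                             // high surrogate
        if (len - pos < 2) return 0xFFFD;                         // input ends here
        uint32_t lo = in[pos] | (uint32_t(in[pos + 1]) << 8);
        if (lo < 0xDC00 || lo > 0xDFFF) return 0xFFFD;            // lone high; keep lo
        pos += 2;
        return 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
    }
    if (u >= 0xDC00 && u <= 0xDFFF) return 0xFFFD;                // lone low surrogate
    return u;
}
static size_t utf8Bytes(uint32_t c) {
    return c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
}
// Sizing pass: exactly the number of bytes utf16ToUtf8 emits for the same input.
size_t utf8LengthFromUtf16(const unsigned char* in, size_t len) {
    size_t pos = 0, out = 0;
    while (pos < len) out += utf8Bytes(nextScalar(in, len, pos));
    return out;
}
// Writing pass, bounds-checked against outCap: returns bytes written, or SIZE_MAX
// when the destination is too small, instead of writing past its end.
size_t utf16ToUtf8(const unsigned char* in, size_t len, unsigned char* out, size_t outCap) {
    size_t pos = 0, o = 0;
    while (pos < len) {
        uint32_t c = nextScalar(in, len, pos);
        size_t n = utf8Bytes(c);
        if (outCap - o < n) return SIZE_MAX;
        if (n == 1) { out[o++] = c; continue; }
        out[o++] = (n == 2 ? 0xC0 : n == 3 ? 0xE0 : 0xF0) | (c >> (6 * (n - 1)));
        for (size_t k = n - 1; k > 0; --k) out[o++] = 0x80 | ((c >> (6 * (k - 1))) & 0x3F);
    }
    return o;
}
// Size, allocate exactly that much, then convert: the pattern the report above exercises.
std::string convertUtf16LE(const std::vector<unsigned char>& in) {
    size_t need = utf8LengthFromUtf16(in.data(), in.size());
    std::vector<unsigned char> buf(need);
    size_t got = utf16ToUtf8(in.data(), in.size(), buf.data(), buf.size());
    return std::string(buf.begin(), buf.begin() + got);
}
```

Running the pair under ASan with inputs that end on an odd byte or on a lone surrogate is the cheap regression check for this bug class: the sizing function must never return less than the writer needs.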
The next release of astyle has been fuzz tested.
Changes were made to the encoding conversion functions.
Try this again using the astyle source files from the subversion repository.
Hello,
I tested it with the revision 622 version.
The problem is reproduced in the 622 version.
The fuzz test should go on for a long time.
And it requires a lot of resources.
Thanks.
My steps to reproduce:
Last edit: Gwan Yeong Kim 2017-12-26