Version:
gnuplot 5.2 patchlevel 5
Description:
The 'set font' option causes an out-of-bounds read when using the pcl5 terminal.
Steps to reproduce (payload is attached):
gnuplot <payload>
ASAN-Report:
-------- STDERR --------
"/tmp/tmpz6ejmz84/69d3f4349dd0f3ce", line 1: warning: S is not a string variable
=================================================================
==15530==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001d13 at pc 0x7ffbe50c6d41 bp 0x7ffcb8a97480 sp 0x7ffcb8a96c28
READ of size 2 at 0x602000001d13 thread T0
#0 0x7ffbe50c6d40 in __interceptor_strchr /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:618
#1 0x5623bab8fdab in fontpath_handler /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/variable.c:491
#2 0x5623baa57692 in set_fontpath /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:2717
#3 0x5623baa4135b in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:283
#4 0x5623ba8b560d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
#5 0x5623ba8b44fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
#6 0x5623ba9a5f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
#7 0x5623ba9d4de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
#8 0x7ffbe22e9222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#9 0x5623ba8890ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)
0x602000001d13 is located 0 bytes to the right of 3-byte region [0x602000001d10,0x602000001d13)
allocated by thread T0 here:
#0 0x7ffbe510e019 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x5623ba8891eb in gp_alloc /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/alloc.c:74
#2 0x5623ba889253 in gp_realloc /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/alloc.c:100
#3 0x5623bab8fc6f in fontpath_handler /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/variable.c:481
#4 0x5623baa57692 in set_fontpath /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:2717
#5 0x5623baa4135b in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:283
#6 0x5623ba8b560d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
#7 0x5623ba8b44fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
#8 0x5623ba9a5f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
#9 0x5623ba9d4de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
#10 0x7ffbe22e9222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
SUMMARY: AddressSanitizer: heap-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:618 in __interceptor_strchr
Shadow bytes around the buggy address:
0x0c047fff8350: fa fa 05 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
0x0c047fff8360: fa fa 05 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
0x0c047fff8370: fa fa 05 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
0x0c047fff8380: fa fa 05 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
0x0c047fff8390: fa fa 05 fa fa fa 03 fa fa fa fd fa fa fa 03 fa
=>0x0c047fff83a0: fa fa[03]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15530==ABORTING
-------- STDOUT --------
Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars
Diff:
pcl5 is a red herring.
The error is in the font path lookup code, which is used only by post.trm. This routine was already scheduled to be removed or replaced, so I will not take the time to figure out how to fix the current code.