
#2095 Out-of-bounds read in EEPIC_put_text when passing 'str' of length 0

Milestone: None
Status: closed-fixed
Owner: nobody
Labels: None
Updated: 2019-01-02
Created: 2018-11-19
Creator: Nils Bars
Private: No

Version:
gnuplot 5.2 patchlevel 5

Description:
Out-of-bounds read in EEPIC_put_text when passing 'str' of length 0.

Steps to reproduce (payload is attached):

gnuplot <payload>

ASAN-Report:

-------- STDERR --------
"+", line 63: warning: iconv failed to convert degree sign
=================================================================
==21421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000027af at pc 0x55565638d9f8 bp 0x7fff6b672240 sp 0x7fff6b672230
READ of size 1 at 0x6020000027af thread T0
    #0 0x55565638d9f7 in EEPIC_put_text ../term/eepic.trm:441
    #1 0x55565630b320 in write_multiline /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/term.c:802
    #2 0x5556561544db in write_label /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gadgets.c:791
    #3 0x5556560ff9c4 in draw_titles /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/boundary.c:1428
    #4 0x55565618f5b4 in do_plot /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/graphics.c:607
    #5 0x555656255385 in eval_plots /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot2d.c:3423
    #6 0x55565622a048 in plotrequest /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot2d.c:301
    #7 0x55565610d106 in plot_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:1849
    #8 0x55565610860d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #9 0x5556561074fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #10 0x5556561f8f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #11 0x555656227de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
    #12 0x7f652b09f222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #13 0x5556560dc0ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)

0x6020000027af is located 1 bytes to the left of 1-byte region [0x6020000027b0,0x6020000027b1)
allocated by thread T0 here:
    #0 0x7f652de0cf01 in __interceptor_strdup /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cc:405
    #1 0x5556563c8d98 in gp_strdup /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/util.c:381
    #2 0x55565613c535 in push /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/eval.c:550
    #3 0x5556561d594d in f_pushc /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/internal.c:104
    #4 0x55565613cd72 in execute_at /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/eval.c:679
    #5 0x55565613ceed in evaluate_at /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/eval.c:707
    #6 0x55565621daa4 in const_express /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/parse.c:169
    #7 0x55565621d946 in const_string_express /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/parse.c:153
    #8 0x5556563c8c6c in try_to_get_string /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/util.c:352
    #9 0x5556562cc178 in set_xyzlabel /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:5894
    #10 0x555656295034 in set_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/set.c:594
    #11 0x55565610860d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #12 0x5556561074fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #13 0x5556561f8f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #14 0x55565610c570 in load_command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:1585
    #15 0x55565610860d in command /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:629
    #16 0x5556561074fe in do_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:419
    #17 0x5556561f8f22 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:447
    #18 0x555656227de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
    #19 0x7f652b09f222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../term/eepic.trm:441 in EEPIC_put_text
Shadow bytes around the buggy address:
  0x0c047fff84a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 01 fa
  0x0c047fff84b0: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff84c0: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff84d0: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff84e0: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
=>0x0c047fff84f0: fa fa fd fa fa[fa]01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff8500: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff8510: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff8520: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff8530: fa fa fd fa fa fa 01 fa fa fa fd fa fa fa 01 fa
  0x0c047fff8540: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21421==ABORTING

Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars

1 Attachments
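Reading the ASAN report: the faulting region is a 1-byte heap allocation made by strdup (the empty label string, holding only the terminating NUL), and the READ of size 1 lands one byte to the left of it. That is the signature of a "last character" lookup of the form str[strlen(str) - 1], which indexes str[-1] when strlen(str) is 0. The C below is an added illustration of that bug class and its fix; it is not gnuplot's eepic.trm code, the function names are made up for the example, and the exact expression at eepic.trm:441 is inferred from the report rather than taken from the source. The demo places an empty string one byte into a larger array so the out-of-bounds read can be observed deterministically instead of crashing.

```c
/* Added example: the str[len - 1] pattern on an empty string, beside a
 * checked version.  Not gnuplot code; helper names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Bug pattern consistent with the ASAN report: for "" strlen() is 0, so
 * the index is -1 and the read lands one byte before the buffer.  With a
 * real strdup("") (1-byte heap region) ASAN reports heap-buffer-overflow,
 * READ of size 1 at region_start - 1, exactly as in the ticket. */
static char last_char_unchecked(const char *str)
{
    int len = (int) strlen(str);   /* 0 for "" */
    return str[len - 1];           /* str[-1] when str is empty */
}

/* Hardened form: refuse to index when there is nothing to look at.
 * Returns 1 and stores the last character, or 0 for an empty string. */
static int last_char_checked(const char *str, char *out)
{
    size_t len = strlen(str);
    if (len == 0)
        return 0;                  /* no read performed */
    *out = str[len - 1];
    return 1;
}

/* Constructed input: 'Z' sits immediately before an empty string, so the
 * unchecked lookup returns a byte that is outside the string entirely. */
char demo_unchecked_reads_left_neighbour(void)
{
    char backing[2] = { 'Z', '\0' };
    const char *empty = &backing[1];        /* strlen(empty) == 0 */
    return last_char_unchecked(empty);      /* 'Z': the byte at str[-1] */
}

/* The checked version leaves *out untouched and reports "nothing". */
int demo_checked_rejects_empty(void)
{
    char c = '?';
    return last_char_checked("", &c) == 0 && c == '?';
}

/* Normal, non-empty input still works: last character of "xlabel". */
char demo_checked_non_empty(void)
{
    char c = '?';
    last_char_checked("xlabel", &c);
    return c;                               /* 'l' */
}

int main(void)
{
    printf("unchecked on \"\": read '%c' from before the string\n",
           demo_unchecked_reads_left_neighbour());
    printf("checked on \"\": handled without reading = %d\n",
           demo_checked_rejects_empty());
    printf("checked on \"xlabel\": '%c'\n", demo_checked_non_empty());
    return 0;
}
```

The same one-line guard (return early when the string is empty, before any len - 1 arithmetic) is the shape of fix a terminal driver needs here; the rest of the call chain in the report (write_label, write_multiline) already hands the driver an arbitrary user-controlled string, so the driver cannot assume it is non-empty.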

Discussion

  • Nils Bars - 2018-11-19
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -88,3 +88,9 @@
       Right alloca redzone:    cb
     ==21421==ABORTING
     ~~~
    +
    +Credits:
    +Tim Blazytko
    +Cornelius Aschermann
    +Sergej Schumilo
    +Nils Bars
    
    • Group: -->
    • Priority: -->
     
  • Ethan Merritt - 2018-11-20
    • status: open --> pending-fixed
     
  • Ethan Merritt - 2018-11-20

    fixed in 5.2 and 5.3

     
  • Ethan Merritt - 2019-01-02
    • Status: pending-fixed --> closed-fixed
     
