Version:
gnuplot 5.2 patchlevel 5
Description:
Out-of-bounds read in load_file() when processing 'gp_input_line' of length 0.
Steps to reproduce (payload is attached):
gnuplot <payload>
ASAN-Report:
-------- STDERR --------
bind: cannot parse �6
=================================================================
==14252==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000e67f at pc 0x559464de3848 bp 0x7fffb0648c80 sp 0x7fffb0648c70
READ of size 1 at 0x61900000e67f thread T0
#0 0x559464de3847 in load_file /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:378
#1 0x559464e12de7 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:654
#2 0x7f7a5f6b6222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#3 0x559464cc70ed in _start (/home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/gnuplot+0xf20ed)
0x61900000e67f is located 1 bytes to the left of 1024-byte region [0x61900000e680,0x61900000ea80)
allocated by thread T0 here:
#0 0x7f7a624db019 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x559464cc71eb in gp_alloc /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/alloc.c:74
#2 0x559464cf1b76 in extend_input_line /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/command.c:197
#3 0x559464e135fb in init_memory /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:874
#4 0x559464e12446 in main /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/plot.c:441
#5 0x7f7a5f6b6222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nils/git/gnuplot-crash-triage/gnuplot-5.2.5/src/misc.c:378 in load_file
Shadow bytes around the buggy address:
0x0c327fff9c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9cb0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c327fff9cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14252==ABORTING
-------- STDOUT --------
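Added example, not gnuplot's own code and not the fix the maintainer committed: the off-by-one shape that turns an empty input line into a 1-byte read just left of a heap buffer (what ASAN reports above), beside a length-checked version of the same end-of-line and continuation handling. Function names and the sample lines are constructed; the continuation logic is illustrative rather than a transcription of misc.c.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (illustrative, not gnuplot's exact source): the index is
 * computed as strlen() - 1 before the empty line is excluded. For "" the
 * size_t subtraction wraps and line[len] reads the byte just before the
 * buffer, i.e. the read "1 bytes to the left" of the region. Never pass "". */
bool ends_with_continuation_unsafe(const char *line)
{
    size_t len = strlen(line) - 1;   /* 0 - 1 wraps to SIZE_MAX */
    return line[len] == '\\';        /* out-of-bounds read for "" */
}

/* Hardened version: check for emptiness first, strip a trailing "\n" and a
 * trailing "\r" in place, then inspect the last character. Returns true when
 * the trimmed line ends in a backslash (continuation) and removes it. */
bool strip_eol_and_check_continuation(char *line)
{
    size_t len = strlen(line);
    if (len == 0)
        return false;                /* empty line: nothing to inspect */
    if (line[len - 1] == '\n')
        line[--len] = '\0';
    if (len > 0 && line[len - 1] == '\r')
        line[--len] = '\0';          /* CRLF input */
    if (len == 0 || line[len - 1] != '\\')
        return false;
    line[--len] = '\0';              /* drop the continuation backslash */
    return true;
}

/* Runs the hardened routine on a writable copy of a constructed input and
 * returns true iff the continuation flag and the trimmed text both match. */
bool check_line(const char *input, bool want_cont, const char *want_text)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", input);
    bool cont = strip_eol_and_check_continuation(buf);
    return cont == want_cont && strcmp(buf, want_text) == 0;
}

int main(void)
{   /* constructed samples, including the empty line from the report */
    bool ok = check_line("", false, "") && check_line("plot x \\\n", true, "plot x ")
           && check_line("set term png\r\n", false, "set term png");
    puts(ok ? "all checks ok" : "FAIL");
    return !ok;
}
```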
Credits:
Tim Blazytko
Cornelius Aschermann
Sergej Schumilo
Nils Bars
Diff:
I will continue to look at this one, but so far it makes no sense to me. The empty string input case is handled explicitly in the existing code. Furthermore I see nothing in the payload example that would create an empty input.
Could there be missing context? The reproducer attempts to load a file named "A". In general there is no such file so the code in your dump is never executed. Could there be a strange file "A" in your test environment?
Fixed for 5.2 and 5.3
Thanks for the ASAN instructions