gnuplot 5.5 on CentOS Linux 7.7.1908
==30425== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60420001e67f at pc 0x5aff2d bp 0x7fff9791cb60 sp 0x7fff9791cb50
READ of size 1 at 0x60420001e67f thread T0
#0 0x5aff2c (/root/bug_finder/target_program/asan_program/gnuplot+0x5aff2c)
0x60420001e67f is located 1 bytes to the left of 1024-byte region [0x60420001e680,0x60420001ea80)
allocated by thread T0 here:
#0 0x7f499c3a4ef9 (/usr/lib64/libasan.so.0.0.0+0x15ef9)
Shadow bytes around the buggy address:
0x0c08bfffbc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c08bfffbcc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c08bfffbcd0:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c08bfffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==30425== ABORTING
The information below is from Valgrind:
==25852== at 0x79B90C: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852== Address 0xce30924 is 16 bytes after a block of size 1,156 alloc'd
==25852== at 0x4C2C291: realloc (vg_replace_malloc.c:834)
==25852== by 0x406814: gp_realloc (alloc.c:84)
==25852== by 0x7C5AE5: CGM_options (cgm.trm:522)
==25852== by 0x6D0579: set_terminal (set.c:5181)
==25852== by 0x6D0579: set_command (set.c:471)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852==
==25852== Invalid write of size 8
==25852== at 0x79B911: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852== Address 0xce30934 is 20 bytes after a block of size 1,168 in arena "client"
==25852==
==25852== Invalid write of size 8
==25852== at 0x79B91B: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852== Address 0xce30914 is 0 bytes after a block of size 1,156 alloc'd
==25852== at 0x4C2C291: realloc (vg_replace_malloc.c:834)
==25852== by 0x406814: gp_realloc (alloc.c:84)
==25852== by 0x7C5AE5: CGM_options (cgm.trm:522)
==25852== by 0x6D0579: set_terminal (set.c:5181)
==25852== by 0x6D0579: set_command (set.c:471)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852==
==25852== Invalid write of size 8
==25852== at 0x79C61F: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852== Address 0xce30954 is 12 bytes before a block of size 4 alloc'd
==25852== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==25852== by 0x6193AF9: strdup (in /usr/lib64/libc-2.17.so)
==25852== by 0x4AF0D3: fill_gpval_string (eval.c:865)
==25852== by 0x4AFA54: update_gpval_variables (eval.c:972)
==25852== by 0x6C8D0A: set_command (set.c:698)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852==
==25852== Invalid write of size 8
==25852== at 0x79C62F: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852== Address 0xce30964 is 0 bytes after a block of size 4 alloc'd
==25852== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==25852== by 0x6193AF9: strdup (in /usr/lib64/libc-2.17.so)
==25852== by 0x4AF0D3: fill_gpval_string (eval.c:865)
==25852== by 0x4AFA54: update_gpval_variables (eval.c:972)
==25852== by 0x6C8D0A: set_command (set.c:698)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
==25852==
valgrind: m_mallocfree.c:305 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 1232, hi = 35.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
host stacktrace:
==25852== at 0x5804DAD3: show_sched_status_wrk (m_libcassert.c:406)
==25852== by 0x5804DBE7: report_and_quit (m_libcassert.c:477)
==25852== by 0x5804DD81: vgPlain_assert_fail (m_libcassert.c:543)
==25852== by 0x58057AC3: get_bszB_as_is (m_mallocfree.c:303)
==25852== by 0x58057AC3: get_bszB (m_mallocfree.c:313)
==25852== by 0x58057AC3: get_pszB (m_mallocfree.c:387)
==25852== by 0x58057AC3: vgPlain_describe_arena_addr (m_mallocfree.c:1590)
==25852== by 0x58044EF3: vgPlain_describe_addr (m_addrinfo.c:185)
==25852== by 0x58043E36: vgMemCheck_update_Error_extra (mc_errors.c:1185)
==25852== by 0x58048B42: vgPlain_maybe_record_error (m_errormgr.c:822)
==25852== by 0x580433AB: vgMemCheck_record_address_error (mc_errors.c:765)
==25852== by 0x10042E539A: ???
==25852== by 0x1003272F2F: ???
==25852== by 0x1C0F: ???
==25852== by 0x100200833F: ???
==25852== by 0x79B729: CGM_make_palette (cgm.trm:1005)
==25852== by 0x1003C6CB37: ???
==25852== by 0x59D4B63F: ???
==25852== by 0x100200833F: ???
==25852== by 0x100200833F: ???
==25852== by 0x580A62F9: run_thread_for_a_while (scheduler.c:1031)
==25852== by 0x580A7A84: vgPlain_scheduler (scheduler.c:1427)
==25852== by 0x5810268A: thread_wrapper (syswrap-linux.c:101)
==25852== by 0x5810268A: run_a_thread_NORETURN (syswrap-linux.c:154)
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable (lwpid 25852)
==25852== at 0x79C69D: CGM_make_palette (cgm.trm:1014)
==25852== by 0x4379C9: make_palette (color.c:151)
==25852== by 0x562730: do_plot (graphics.c:709)
==25852== by 0x61F74B: eval_plots (plot2d.c:3612)
==25852== by 0x44BB88: plot_command (command.c:1897)
==25852== by 0x4411AB: command (command.c:659)
==25852== by 0x4411AB: do_line (command.c:429)
==25852== by 0x5CD14B: load_file (misc.c:335)
==25852== by 0x406416: main (plot.c:636)
client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFFBA0
valgrind stack range: [0x1003173000 0x1003272FFF] top usage: 7232 of 1048576