gnuplot 5.5 (last modified in 9.18) on CentOS Linux 7.7.1908
==4710== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cb1164 at pc 0x80e919 bp 0x7fff2c921c60 sp 0x7fff2c921c50
READ of size 1 at 0x000000cb1164 thread T0
#0 0x80e918 (/root/uniafl_evaluation/asan_program/gnuplot+0x80e918)
#1 0x757942 (/root/uniafl_evaluation/asan_program/gnuplot+0x757942)
#2 0x459f6c (/root/uniafl_evaluation/asan_program/gnuplot+0x459f6c)
#3 0x61b63b (/root/uniafl_evaluation/asan_program/gnuplot+0x61b63b)
#4 0x40772e (/root/uniafl_evaluation/asan_program/gnuplot+0x40772e)
#5 0x7f237b176554 (/usr/lib64/libc-2.17.so+0x22554)
#6 0x4084ec (/root/uniafl_evaluation/asan_program/gnuplot+0x4084ec)
0x000000cb1164 is located 60 bytes to the left of global variable 'term (term.c)' (0xcb11a0) of size 8
0x000000cb1164 is located 3 bytes to the right of global variable 'term_options (term.c)' (0xcb0d60) of size 1025
Shadow bytes around the buggy address:
0x00008018e1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008018e1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008018e1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008018e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008018e210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008018e220: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
0x00008018e230: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008018e240: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x00008018e250: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008018e260: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
0x00008018e270: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==4710== ABORTING
Information below is from Valgrind:
==4733== Memcheck, a memory error detector
==4733== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==4733== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==4733== Command: /root/pfuzz-new/p-fuzz/pfcon/programs/gnuplot ./GBO_setterminal
==4733==
Warning: empty y range [0:0], adjusting to [-1:1]
WARNING: Plotting with an 'unknown' terminal.
No output will be generated. Please select a terminal with 'set terminal'.
pointsize is 1
WARNING: Plotting with an 'unknown' terminal.
No output will be generated. Please select a terminal with 'set terminal'.
==4733== Invalid read of size 1
==4733== at 0x6D065B: set_terminal (set.c:5184)
==4733== by 0x6D065B: set_command (set.c:471)
==4733== by 0x4411AB: command (command.c:659)
==4733== by 0x4411AB: do_line (command.c:429)
==4733== by 0x5CD14B: load_file (misc.c:335)
==4733== by 0x406416: main (plot.c:636)
==4733== Address 0x39393939393939e2 is not stack'd, malloc'd or (recently) free'd
==4733==
==4733==
==4733== Process terminating with default action of signal 11 (SIGSEGV)
==4733== General Protection Fault
==4733== at 0x6D065B: set_terminal (set.c:5184)
==4733== by 0x6D065B: set_command (set.c:471)
==4733== by 0x4411AB: command (command.c:659)
==4733== by 0x4411AB: do_line (command.c:429)
==4733== by 0x5CD14B: load_file (misc.c:335)
==4733== by 0x406416: main (plot.c:636)
==4733==
==4733== HEAP SUMMARY:
==4733== in use at exit: 50,934 bytes in 311 blocks
==4733== total heap usage: 441 allocs, 130 frees, 194,924 bytes allocated
==4733==
==4733== LEAK SUMMARY:
==4733== definitely lost: 0 bytes in 0 blocks
==4733== indirectly lost: 0 bytes in 0 blocks
==4733== possibly lost: 0 bytes in 0 blocks
==4733== still reachable: 50,934 bytes in 311 blocks
==4733== suppressed: 0 bytes in 0 blocks
==4733== Rerun with --leak-check=full to see details of leaked memory
==4733==
==4733== For lists of detected and suppressed errors, rerun with: -s
==4733== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Cannot reproduce