- status: open --> pending-fixed
gnuplot 5.5 (last modified in 9.18) on CentOS Linux 7.7.1908
==5236== ERROR: AddressSanitizer: heap-use-after-free on address 0x60620000d908 at pc 0x61bb1e bp 0x7ffce9425620 sp 0x7ffce9425610
READ of size 8 at 0x60620000d908 thread T0
#0 0x61bb1d (/root/uniafl_evaluation/asan_program/gnuplot+0x61bb1d)
#1 0x462d16 (/root/uniafl_evaluation/asan_program/gnuplot+0x462d16)
#2 0x459f6c (/root/uniafl_evaluation/asan_program/gnuplot+0x459f6c)
#3 0x61b63b (/root/uniafl_evaluation/asan_program/gnuplot+0x61b63b)
#4 0x40772e (/root/uniafl_evaluation/asan_program/gnuplot+0x40772e)
#5 0x7f8fba940554 (/usr/lib64/libc-2.17.so+0x22554)
#6 0x4084ec (/root/uniafl_evaluation/asan_program/gnuplot+0x4084ec)
0x60620000d908 is located 8 bytes inside of 4096-byte region [0x60620000d900,0x60620000e900)
freed by thread T0 here:
#0 0x7f8fbbfd1dd9 (/usr/lib64/libasan.so.0.0.0+0x15dd9)
#1 0x47d247 (/root/uniafl_evaluation/asan_program/gnuplot+0x47d247)
previously allocated by thread T0 here:
#0 0x7f8fbbfd1ef9 (/usr/lib64/libasan.so.0.0.0+0x15ef9)
#1 0x4086b7 (/root/uniafl_evaluation/asan_program/gnuplot+0x4086b7)
Shadow bytes around the buggy address:
0x0c0cbfff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfff9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0cbfff9b20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0cbfff9b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0cbfff9b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0cbfff9b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0cbfff9b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0cbfff9b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==5236== ABORTING
Information below from Valgrind:
==5247== Memcheck, a memory error detector
==5247== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5247== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==5247== Command: /root/pfuzz-new/p-fuzz/pfcon/programs/gnuplot ./bugs/HUAF_loadfile
==5247==
==5247== Invalid read of size 8
==5247== at 0x5CC978: load_file (misc.c:250)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Address 0x65005b8 is 8 bytes inside a block of size 4,096 free'd
==5247== at 0x4C2B06D: free (vg_replace_malloc.c:538)
==5247== by 0x46577B: gpfree_datablock (datablock.c:194)
==5247== by 0x44C2E8: print_set_output (command.c:1955)
==5247== by 0x6AB63E: set_print (set.c:3269)
==5247== by 0x6CBEA0: set_command (set.c:438)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Block was alloc'd at
==5247== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==5247== by 0x40689F: gp_alloc (alloc.c:56)
==5247== by 0x40689F: gp_realloc (alloc.c:82)
==5247== by 0x46675D: enlarge_datablock (datablock.c:229)
==5247== by 0x46675D: append_to_datablock (datablock.c:241)
==5247== by 0x46675D: append_multiline_to_datablock (datablock.c:275)
==5247== by 0x44CAD7: print_command (command.c:2058)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247==
==5247== Invalid read of size 1
==5247== at 0x4C2D791: __strncpy_sse2_unaligned (vg_replace_strmem.c:553)
==5247== by 0x5CC9D1: load_file (misc.c:262)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Address 0x65015f0 is 0 bytes inside a block of size 256 free'd
==5247== at 0x4C2B06D: free (vg_replace_malloc.c:538)
==5247== by 0x4656F8: gpfree_datablock (datablock.c:193)
==5247== by 0x44C2E8: print_set_output (command.c:1955)
==5247== by 0x6AB63E: set_print (set.c:3269)
==5247== by 0x6CBEA0: set_command (set.c:438)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Block was alloc'd at
==5247== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==5247== by 0x4066C0: gp_alloc (alloc.c:56)
==5247== by 0x44C4C6: print_command (command.c:2005)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247==
==5247== Invalid read of size 1
==5247== at 0x4C2D7B0: __strncpy_sse2_unaligned (vg_replace_strmem.c:553)
==5247== by 0x5CC9D1: load_file (misc.c:262)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Address 0x65015f1 is 1 bytes inside a block of size 256 free'd
==5247== at 0x4C2B06D: free (vg_replace_malloc.c:538)
==5247== by 0x4656F8: gpfree_datablock (datablock.c:193)
==5247== by 0x44C2E8: print_set_output (command.c:1955)
==5247== by 0x6AB63E: set_print (set.c:3269)
==5247== by 0x6CBEA0: set_command (set.c:438)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x44A8D7: load_command (command.c:1601)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247== Block was alloc'd at
==5247== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==5247== by 0x4066C0: gp_alloc (alloc.c:56)
==5247== by 0x44C4C6: print_command (command.c:2005)
==5247== by 0x4411AB: command (command.c:659)
==5247== by 0x4411AB: do_line (command.c:429)
==5247== by 0x5CD14B: load_file (misc.c:335)
==5247== by 0x406416: main (plot.c:636)
==5247==
"./bugs/HUAF_loadfile" line 5: no datablock named $sep
==5247==
==5247== HEAP SUMMARY:
==5247== in use at exit: 25,976 bytes in 140 blocks
==5247== total heap usage: 294 allocs, 154 frees, 168,414 bytes allocated
==5247==
==5247== LEAK SUMMARY:
==5247== definitely lost: 6 bytes in 1 blocks
==5247== indirectly lost: 0 bytes in 0 blocks
==5247== possibly lost: 0 bytes in 0 blocks
==5247== still reachable: 25,970 bytes in 139 blocks
==5247== suppressed: 0 bytes in 0 blocks
==5247== Rerun with --leak-check=full to see details of leaked memory
==5247==
==5247== For lists of detected and suppressed errors, rerun with: -s
==5247== ERROR SUMMARY: 7 errors from 3 contexts (suppressed: 0 from 0)