version: gnuplot 6.1 last modified 2025-01-11
system: ubuntu 20.04
use this command to reproduce: gnuplot poc
message from ASAN:
==1486546==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000018e4 at pc 0x55aab38842e9 bp 0x7ffc2b988390 sp 0x7ffc2b988380
WRITE of size 4 at 0x6190000018e4 thread T0
#0 0x55aab38842e8 in utf8_copy_one ../term/dumb.trm:781
#1 0x55aab38842e8 in ENHdumb_FLUSH ../term/dumb.trm:954
#2 0x55aab394e395 in enhanced_recursion /home/fizz/target_program/tmp/gnuplot-main/src/term.c:2589
#3 0x55aab394ed2b in enhanced_recursion /home/fizz/target_program/tmp/gnuplot-main/src/term.c:2276
#4 0x55aab3951e56 in enhanced_recursion /home/fizz/target_program/tmp/gnuplot-main/src/term.c:2276
#5 0x55aab3959a07 in ENHdumb_put_text ../term/dumb.trm:1009
#6 0x55aab3959a07 in ENHdumb_put_text ../term/dumb.trm:978
#7 0x55aab395b2bc in write_multiline /home/fizz/target_program/tmp/gnuplot-main/src/term.c:808
#8 0x55aab33d9326 in do_key_sample /home/fizz/target_program/tmp/gnuplot-main/src/boundary.c:1277
#9 0x55aab358fe02 in do_plot /home/fizz/target_program/tmp/gnuplot-main/src/graphics.c:904
#10 0x55aab36a0b6c in eval_plots /home/fizz/target_program/tmp/gnuplot-main/src/plot2d.c:4124
#11 0x55aab34040fc in plot_command /home/fizz/target_program/tmp/gnuplot-main/src/command.c:2176
#12 0x55aab33fd9b1 in command /home/fizz/target_program/tmp/gnuplot-main/src/command.c:855
#13 0x55aab33fd9b1 in step_through_line /home/fizz/target_program/tmp/gnuplot-main/src/command.c:549
#14 0x55aab360d3af in load_file /home/fizz/target_program/tmp/gnuplot-main/src/misc.c:393
#15 0x55aab3394548 in main /home/fizz/target_program/tmp/gnuplot-main/src/plot.c:669
#16 0x7f4523fd5082 in __libc_start_main ../csu/libc-start.c:308
#17 0x55aab3395b4d in _start (/home/fizz/target_program/gnuplot-main/output/gnuplot_asan+0xd3b4d)
0x6190000018e4 is located 220 bytes to the right of 904-byte region [0x619000001480,0x619000001808)
allocated by thread T0 here:
#0 0x7f4524622808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55aab3395c55 in gp_alloc /home/fizz/target_program/tmp/gnuplot-main/src/alloc.c:56
#2 0x55aab3a11377 (/home/fizz/target_program/gnuplot-main/output/gnuplot_asan+0x74f377)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../term/dumb.trm:781 in utf8_copy_one
==1486546==ABORTING
[shrug] If you try to print a garbage bunch of bytes claiming it's UTF-8, the program issues a warning and dumps the bytes anyhow.
"2756.poc" line 6: warning: invalid UTF-8 byte sequence
"2756.poc" line 6: warning: invalid UTF-8 byte sequence
"2756.poc" line 6: warning: invalid UTF-8 byte sequence
8.02 |** ********|
7.94 +-------------------------------------------------------------------+
I suppose the program could call int_error() rather than int_warn() and thus exit with an error, but I don't see that as a better outcome from the user perspective.
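As an added illustration of the defensive side of this report (this is example code, not gnuplot's utf8_copy_one or anything from the project), here is a hypothetical bounds-checked "copy one UTF-8 character" helper: it keeps the "warn and dump the bytes anyhow" policy for malformed input, but it never reads past the source length or writes past the end of the destination buffer, which is the property the ASAN trace above shows being violated. The buffer, the euro sign bytes and the stray 0xFF byte are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Sequence length implied by a lead byte; 0 for continuation/invalid leads. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Structural check only (no overlong/surrogate tests): length of the complete
 * sequence at src, or 0 if malformed/truncated. Never reads past src_len. */
size_t utf8_valid_len(const unsigned char *src, size_t src_len)
{
    size_t n = src_len ? utf8_seq_len(src[0]) : 0;
    if (n == 0 || n > src_len) return 0;
    for (size_t i = 1; i < n; i++)
        if ((src[i] & 0xC0) != 0x80) return 0;
    return n;
}

/* Hypothetical bounds-checked copy, NOT gnuplot's utf8_copy_one. Copies one
 * character to dst[*pos..]. A malformed sequence is passed through as one raw
 * byte (the "warn but dump the bytes anyhow" policy), yet no write ever lands
 * at or past dst + dst_size. Returns bytes consumed; 0 if full or src empty. */
size_t utf8_copy_one_checked(unsigned char *dst, size_t dst_size, size_t *pos,
                             const unsigned char *src, size_t src_len)
{
    size_t n = utf8_valid_len(src, src_len);
    if (n == 0) n = src_len ? 1 : 0;                  /* invalid: one raw byte */
    if (n == 0 || *pos >= dst_size || n > dst_size - *pos) return 0; /* refuse */
    memcpy(dst + *pos, src, n);
    *pos += n;
    return n;
}

int main(void)
{
    unsigned char line[4]; size_t pos = 0;                    /* constructed */
    const unsigned char euro[] = {0xE2, 0x82, 0xAC}, junk[] = {0xFF};
    size_t a = utf8_copy_one_checked(line, sizeof line, &pos, euro, 3);
    size_t b = utf8_copy_one_checked(line, sizeof line, &pos, euro, 3);
    size_t c = utf8_copy_one_checked(line, sizeof line, &pos, junk, 1);
    printf("consumed %zu %zu %zu, pos=%zu\n", a, b, c, pos);  /* 3 0 1, pos=4 */
    return 0;
}
```

The second copy of the three-byte character is refused because only one byte of room remains, and the stray 0xFF byte is copied raw only because it still fits; a caller that wants to stop on invalid input can test utf8_valid_len first.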
I appreciate your validation and reply. Gnuplot is a widely used binary program. Leave memory leak bugs alone, but a buffer overflow can cause security problems. An attacker can use this bug if it isn't fixed. So I still suggest that you fix this one.
Fixed in 6.1
queued for 6.0
Last edit: Ethan Merritt 2025-01-15