- status: open --> closed-not-a-bug
- Group: -->
- Priority: -->
version: gnuplot 6.1 last modified 2025-03-05
system: ubuntu 22.04
use this command to reproduce: gnuplot poc
message from ASAN:
==1120617==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6280000abf40 at pc 0x7fe9e819ef65 bp 0x7ffc9229a220 sp 0x7ffc922999c8
READ of size 2 at 0x6280000abf40 thread T0
#0 0x7fe9e819ef64 in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:708
#1 0x56198da21c2c in set_var_loadpath /home/ubuntu/asan_program/gnuplot-main/src/loadpath.c:126
#2 0x56198dbe8ae0 in set_loadpath /home/ubuntu/asan_program/gnuplot-main/src/set.c:2835
#3 0x56198dbe8ae0 in set_command /home/ubuntu/asan_program/gnuplot-main/src/set.c:356
#4 0x56198d826981 in command /home/ubuntu/asan_program/gnuplot-main/src/command.c:855
#5 0x56198d826981 in step_through_line /home/ubuntu/asan_program/gnuplot-main/src/command.c:549
#6 0x56198da3a543 in load_file /home/ubuntu/asan_program/gnuplot-main/src/misc.c:393
#7 0x56198d7bd404 in main /home/ubuntu/asan_program/gnuplot-main/src/plot.c:669
#8 0x7fe9e7804d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7fe9e7804e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x56198d7becd4 in _start (/home/ubuntu/asan_program/gnuplot-main/src/gnuplot+0xe0cd4)
0x6280000abf40 is located 0 bytes to the right of 15936-byte region [0x6280000a8100,0x6280000abf40)
allocated by thread T0 here:
#0 0x7fe9e8215867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x56198d7beeef in gp_alloc /home/ubuntu/asan_program/gnuplot-main/src/alloc.c:56
#2 0x56198d7beeef in gp_realloc /home/ubuntu/asan_program/gnuplot-main/src/alloc.c:82
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:708 in __interceptor_strchr
Shadow bytes around the buggy address:
0x0c508000d790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c508000d7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c508000d7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c508000d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c508000d7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c508000d7e0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c508000d7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c508000d800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c508000d810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c508000d820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c508000d830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1120617==ABORTING
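Added illustration, not gnuplot's code and not the attached poc: the report above is a strchr() read that starts at the first byte past a 15936-byte heap allocation ("0 bytes to the right of ... region"), the classic shape of a str*() scan over a buffer that holds its content without a terminating NUL or is scanned with a pointer that has already reached buf + len. The constructed program below reproduces that exact ASan signature on a small buffer when run with the argument "unsafe", and shows the two usual remedies: allocate len + 1 and terminate, or scan with a length-bounded memchr(). Path strings, function names and the ':' separator are assumptions for the demo only; nothing here says where or whether gnuplot itself is wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not gnuplot's code): how a strchr() scan ends up
 * as an ASan "heap-buffer-overflow ... READ ... 0 bytes to the right of
 * N-byte region" report, and two ways to make the same scan safe.
 * Build:  cc -g -fsanitize=address demo.c -o demo
 * Run:    ./demo          (safe variants only)
 *         ./demo unsafe   (third scan triggers the ASan report) */

/* Allocate exactly len bytes and copy src into them with NO terminating NUL.
 * Any str*() call on the result reads past the allocation. */
char *copy_unterminated(const char *src, size_t len)
{
    char *buf = malloc(len);            /* no room for '\0' */
    if (!buf) abort();
    memcpy(buf, src, len);
    return buf;
}

/* Allocate len + 1 bytes and terminate: the result is a valid C string. */
char *copy_terminated(const char *src, size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf) abort();
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Count ':' separators with strchr(); only valid on NUL-terminated input. */
int count_sep_strchr(const char *buf)
{
    int n = 0;
    for (const char *p = strchr(buf, ':'); p != NULL; p = strchr(p + 1, ':'))
        n++;
    return n;
}

/* Same count, bounded by the known length; never reads at or past buf + len. */
int count_sep_bounded(const char *buf, size_t len)
{
    int n = 0;
    const char *p = buf;
    const char *end = buf + len;
    while (p < end && (p = memchr(p, ':', (size_t)(end - p))) != NULL) {
        n++;
        p++;
    }
    return n;
}

int main(int argc, char **argv)
{
    /* constructed sample path list, two separators */
    static const char list[] = "/usr/share/demo:/home/me/plots:.";
    size_t len = strlen(list);

    char *term = copy_terminated(list, len);
    char *raw  = copy_unterminated(list, len);

    printf("terminated   + strchr: %d separators\n", count_sep_strchr(term));
    printf("unterminated + memchr: %d separators\n", count_sep_bounded(raw, len));
    if (argc > 1 && strcmp(argv[1], "unsafe") == 0) {
        /* strchr keeps scanning after raw[len-1]: ASan reports a READ
         * 0 bytes to the right of the len-byte region, as in the ticket. */
        printf("unterminated + strchr: %d separators\n", count_sep_strchr(raw));
    }

    free(term);
    free(raw);
    return 0;
}
```

The first two scans are well defined; the third is the undefined read ASan flags. When triaging a report like the one above, the question to settle from the allocation site (here gp_realloc) is whether the buffer is meant to carry a terminator at all; if it is, the fix is at the allocation or copy, not at the strchr() call.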