[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
indent crashes on various inputs
From: |
Sami Liedes |
Subject: |
indent crashes on various inputs |
Date: |
Sat, 28 Mar 2015 02:48:53 +0200 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
Hi,
I discovered by fuzzing (using afl-fuzz) that indent 2.2.11 crashes,
or at least invokes undefined behavior, on various inputs. For
example, on Debian unstable:
------------------------------------------------------------
$ echo -ne '/*' |indent
Segmentation fault
------------------------------------------------------------
There are even one-character inputs that cause reads of
some_allocated_object[-1]:
------------------------------------------------------------
$ echo -ne '}' |valgrind indent
[...]
==16665== Invalid read of size 4
[...]
==16665== Address 0x51eb4ec is 4 bytes before a block of size 8 alloc'd
------------------------------------------------------------
At least some of them are rather obvious heap buffer overflows using
data from the input. Indeed, there's even a comment on these buffers
in the code in parse.c:
------------------------------------------------------------
/* Although these are supposed to grow if we reach the end,
* I can find no place in the code which does this. */
combuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);
labbuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);
codebuf = (char *) xmalloc (INITIAL_BUFFER_SIZE);
------------------------------------------------------------
So, I'd venture to guess that some of these are likely to be
exploitable to execute arbitrary code if untrusted input is passed to
indent (which I hope is unlikely anyway).
Here's a bunch of test files which, when passed via standard input to
indent, all cause slightly different crashes or out-of-bounds accesses
(verified by compiling indent with clang -fsanitize=address;
alternatively, you could run indent under valgrind):
http://sliedes.kapsi.fi/indent-crashes.tar.gz
Or individually:
http://sliedes.kapsi.fi/indent-crashes/
Sami
signature.asc
Description: Digital signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- indent crashes on various inputs,
Sami Liedes <=