Re: AddressSanitizer: heap-buffer-overflow _rl_find_prev_mbchar_internal
From: Chet Ramey
Subject: Re: AddressSanitizer: heap-buffer-overflow _rl_find_prev_mbchar_internal / expand_prompt
Date: Wed, 14 Jun 2017 12:06:24 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
On 6/14/17 11:19 AM, Eduardo Bustamante wrote:
> On Tue, Jun 13, 2017 at 04:30:23PM -0400, Chet Ramey wrote:
> [...]
>> I can't reproduce it with asan or without on Mac OS X. I'll look around
>> for a Linux system with asan to run it on.
>
> All these inputs seem to trigger the same problem. You'll find the
> stacktrace as reported by ASAN first, and then the corresponding input
> base64 encoded.
OK. I finally got it on a Fedora 25 VM. It's an easy fix:
*** display.c 2017-06-09 17:03:59.000000000 -0400
--- /Users/chet/display.c 2017-06-14 12:02:37.000000000 -0400
***************
*** 467,472 ****
--- 467,473 ----
if (physchars > bound) /* should rarely happen */
{
#if defined (HANDLE_MULTIBYTE)
+ *r = '\0'; /* need null-termination for strlen */
if (mb_cur_max > 1 && rl_byte_oriented == 0)
new = _rl_find_prev_mbchar (ret, r - ret, MB_FIND_ANY);
else
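Review bot: the new `*r = '\0';` store at the top of the `HANDLE_MULTIBYTE` block writes one byte at the current output position, and nothing in the visible hunk shows that `ret` still has a spare byte at `r` when `physchars > bound`. It is worth confirming that the allocation of `ret` always leaves room for a terminator at that point, so the fix for the over-read cannot become a one-byte over-write. The comment could also name the callee that needs the terminator (`_rl_find_prev_mbchar`, called two lines below with `r - ret` as the position), since the store exists only to satisfy that call and an unexplained "for strlen" is easy to remove in a later cleanup.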
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/