PSPP-BUG: [bug #61254] heap-buffer-overflow in pspp at segment.c:267
From: Irfan Ariq
Subject: PSPP-BUG: [bug #61254] heap-buffer-overflow in pspp at segment.c:267
Date: Thu, 30 Sep 2021 16:16:39 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
URL:
<https://savannah.gnu.org/bugs/?61254>
Summary: heap-buffer-overflow in pspp at segment.c:267
Project: PSPP
Submitted by: irfanariq
Submitted on: Thu 30 Sep 2021 08:16:37 PM UTC
Category: None
Severity: 5 - Average
Status: None
Assigned to: None
Open/Closed: Open
Release: None
Discussion Lock: Any
Effort: 0.00
_______________________________________________________
Details:
Hello,
We are currently working on a fuzz testing feature, and we found a
**heap-buffer-overflow** in `pspp`.
The stack trace is as follows:
```st
==29425==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6120000005e2 at pc 0x7feba2dbae44 bp 0x7ffd88cc1210 sp 0x7ffd88cc1200
READ of size 1 at 0x6120000005e2 thread T0
#0 0x7feba2dbae43 in skip_digits src/language/lexer/segment.c:267
#1 0x7feba2dbaf16 in segmenter_parse_number__
src/language/lexer/segment.c:280
#2 0x7feba2dbe71d in segmenter_parse_mid_command__
src/language/lexer/segment.c:975
#3 0x7feba2dc1ecd in segmenter_push src/language/lexer/segment.c:1648
#4 0x7feba2db3f98 in lex_source_get__ src/language/lexer/lexer.c:1376
#5 0x7feba2daf46c in lex_get src/language/lexer/lexer.c:229
#6 0x7feba2db222a in lex_discard_rest_of_command
src/language/lexer/lexer.c:1114
#7 0x7feba2dabded in do_parse_command src/language/command.c:244
#8 0x7feba2dab809 in cmd_parse_in_state src/language/command.c:147
#9 0x7feba2dab8d9 in cmd_parse src/language/command.c:162
#10 0x55cdb7ec6e30 in main src/ui/terminal/main.c:136
```
The full stack trace is attached.
**Steps to reproduce**
We configured `pspp` using `CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/ --without-cairo --without-perl-module`, built it using `make -j10`, and ran it with:
```
./pspp /dev/null <attached file> device=treminal -I- --no-output -o -x format=odt -I -e -r
```
The input file is attached.
**Environment**
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- pspp version: [pspp 1.4.1](http://mirror.yongbok.net/gnu/pspp/pspp-1.4.1.tar.gz)
Thank you.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 30 Sep 2021 08:16:37 PM UTC Name: full_stacktrace_poc_3.zip Size: 1KiB By: irfanariq
<http://savannah.gnu.org/bugs/download.php?file_id=51998>
-------------------------------------------------------
Date: Thu 30 Sep 2021 08:16:37 PM UTC Name: input_pspp_poc_3.zip Size: 366B By: irfanariq
<http://savannah.gnu.org/bugs/download.php?file_id=51999>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61254>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
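The trace above shows a 1-byte READ past the end of a heap block inside `skip_digits`, reached from `segmenter_parse_number__` while the lexer scans a number. The report does not include the source of `segment.c`, so the following is an added illustration of that bug class, not PSPP's code: a digit scanner that relies on a terminator being present, beside a length-aware version, both driven by a small hypothetical number grammar (digits, optional fraction, optional exponent) that is an assumption for the example rather than PSPP's actual syntax. The sample inputs are constructed here; `scan_unterminated` copies them into a heap block with no NUL byte, the situation in which the unbounded scanner would over-read.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unbounded scanner (the hazardous pattern): keeps reading until a
 * non-digit appears.  If the buffer holds only digits and no terminator,
 * the loop reads one byte past the allocation, which is exactly the
 * "READ of size 1" heap-buffer-overflow AddressSanitizer reports.
 * Only safe on a NUL-terminated string. */
size_t skip_digits_unbounded(const char *s)
{
    size_t n = 0;
    while (isdigit((unsigned char) s[n]))
        n++;
    return n;
}

/* Bounded scanner: the caller passes the segment length and the bound is
 * checked before the byte is read, so a terminator is never required. */
size_t skip_digits_bounded(const char *s, size_t len)
{
    size_t n = 0;
    while (n < len && isdigit((unsigned char) s[n]))
        n++;
    return n;
}

/* Hypothetical number grammar (assumption for this example, not PSPP's):
 *   digits [ '.' digits ] [ ('e'|'E') ['+'|'-'] digits ]
 * Returns the number of bytes consumed, or 0 if S does not start with a
 * number.  Every read is guarded by LEN. */
size_t parse_number_bounded(const char *s, size_t len)
{
    size_t n = skip_digits_bounded(s, len);

    if (n < len && s[n] == '.') {
        size_t frac = skip_digits_bounded(s + n + 1, len - n - 1);
        if (n == 0 && frac == 0)
            return 0;                 /* a lone "." is not a number */
        n += 1 + frac;
    } else if (n == 0) {
        return 0;
    }

    if (n < len && (s[n] == 'e' || s[n] == 'E')) {
        size_t e = n + 1;
        if (e < len && (s[e] == '+' || s[e] == '-'))
            e++;
        size_t exp = skip_digits_bounded(s + e, len - e);
        if (exp > 0)
            n = e + exp;              /* no digits: leave 'e' for the next token */
    }
    return n;
}

/* Copy TEXT into a heap block of exactly strlen(TEXT) bytes, with no NUL,
 * scan it with the bounded parser, free it, and return the bytes consumed.
 * Feeding the same block to skip_digits_unbounded would be the over-read
 * an ASan build flags; the bounded version stays inside the allocation. */
size_t scan_unterminated(const char *text)
{
    size_t len = strlen(text);
    char *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, text, len);           /* deliberately no terminating NUL */
    size_t n = parse_number_bounded(buf, len);
    free(buf);
    return n;
}

int main(void)
{
    /* Constructed inputs: all-digit buffers are the interesting case. */
    const char *inputs[] = { "123", "12.5e3", "1e", ".", "42abc", ".5" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-8s -> %zu bytes consumed\n", inputs[i],
               scan_unterminated(inputs[i]));
    /* The unbounded scanner is only called on a NUL-terminated literal. */
    printf("unbounded on \"123x\" -> %zu\n", skip_digits_unbounded("123x"));
    return 0;
}
```

Building with the same `-fsanitize=address` flags as the report and replacing `parse_number_bounded` in `scan_unterminated` with `skip_digits_unbounded` reproduces the shape of the crash on the all-digit inputs: a 1-byte READ at the first byte past the `malloc` block.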