bug#22127: Segfault / null pointer access in function str_append_modified()

From: Hanno Böck
Subject: bug#22127: Segfault / null pointer access in function str_append_modified()
Date: Wed, 9 Dec 2015 12:42:11 +0100
Hi,

With a malformed input (see attachment) sed can crash in the function
str_append_modified().
Test:
echo|./sed -f sed-nullptr-str_append_modified
Seems to be a null pointer access.

This only seems to happen in the git code of sed and not in 4.2.2.

This is the stack trace from AddressSanitizer:
==21489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fd77e298c16 bp 0x611000009c86 sp 0x7fffe46649d0 T0)
#0 0x7fd77e298c15 in wcrtomb
/var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/wcsmbs/wcrtomb.c:89
#1 0x5029ca in str_append_modified /mnt/ram/sed-plain/sed/execute.c:273:11
#2 0x4faa8c in append_replacement /mnt/ram/sed-plain/sed/execute.c:992:11
#3 0x4faa8c in do_subst /mnt/ram/sed-plain/sed/execute.c:1078
#4 0x4faa8c in execute_program /mnt/ram/sed-plain/sed/execute.c:1513
#5 0x4faa8c in process_files /mnt/ram/sed-plain/sed/execute.c:1681
#6 0x4e1365 in main /mnt/ram/sed-plain/sed/sed.c:362:17
#7 0x7fd77e21b62f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.22-r1/work/glibc-2.22/csu/libc-start.c:289
#8 0x4191a8 in _start (/tmp/sed+0x4191a8)
This was found with the help of american fuzzy lop.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: address@hidden
GPG: BBB51E42
Attachment: sed-nullptr-str_append_modified (binary data)