[Octave-bug-tracker] [bug #60081] loading bad hdf file corrupts memory;
From: Dmitri A. Sergatskov
Subject: [Octave-bug-tracker] [bug #60081] loading bad hdf file corrupts memory; segfault at exit
Date: Fri, 19 Feb 2021 18:41:25 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
URL: <https://savannah.gnu.org/bugs/?60081>
Summary: loading bad hdf file corrupts memory; segfault at exit
Project: GNU Octave
Submitted by: dasergatskov
Submitted on: Fri 19 Feb 2021 11:41:23 PM UTC
Category: Octave Function
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: Segfault, Bus Error, etc.
Status: None
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: 6.1.0
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
I tried to load a “bad” hdf file (see
https://octave.discourse.group/t/low-level-write-hdf5-file-in-matlab-for-use-in-octave/792/2
for details) on octave 6.1.1 and it failed and then octave segfaulted at exit.
The hdf file is attached. When I tried to do the same with ASAN I got:
octave:1> load("test_matlab_h5write_bad.hdf5");
=================================================================
==2098438==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000215617 at pc 0x7ffff6eb319d bp 0x7fffbd2c9a10 sp 0x7fffbd2c91b8
READ of size 8 at 0x602000215617 thread T6 (QThread)
#0 0x7ffff6eb319c (/lib64/libasan.so.5+0xad19c)
#1 0x7fffe98630da in std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >::basic_string(char const*,
std::allocator<char> const&) (/lib64/libstdc++.so.6+0x1300da)
#2 0x7ffff5495f25 in hdf5_read_next_data_internal
../libinterp/corefcn/ls-hdf5.cc:744
#3 0x7fffef7e1375 (/lib64/libhdf5.so.103+0x134375)
#4 0x7fffef7e8924 in H5G__node_iterate (/lib64/libhdf5.so.103+0x13b924)
#5 0x7fffef71a998 (/lib64/libhdf5.so.103+0x6d998)
#6 0x7fffef71be5a in H5B_iterate (/lib64/libhdf5.so.103+0x6ee5a)
#7 0x7fffef7eea4b in H5G__stab_iterate (/lib64/libhdf5.so.103+0x141a4b)
#8 0x7fffef7eb501 in H5G__obj_iterate (/lib64/libhdf5.so.103+0x13e501)
#9 0x7fffef7e2641 in H5G_iterate (/lib64/libhdf5.so.103+0x135641)
#10 0x7fffef7ded97 in H5Giterate (/lib64/libhdf5.so.103+0x131d97)
#11 0x7ffff54986ea in read_hdf5_data(std::istream&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> const&, bool&, octave_value&, std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> >&, string_vector const&, int,
int) ../libinterp/corefcn/ls-hdf5.cc:1110
#12 0x7ffff546fcc3 in octave::load_save_system::load_vars(std::istream&,
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>
> const&, octave::load_save_format const&, octave::mach_info::float_format,
bool, bool, bool, string_vector const&, int, int, int)
../libinterp/corefcn/load-save.cc:425
#13 0x7ffff547c042 in octave::load_save_system::load(octave_value_list
const&, int) ../libinterp/corefcn/load-save.cc:1301
#14 0x7ffff547f1b9 in Fload(octave::interpreter&, octave_value_list
const&, int) ../libinterp/corefcn/load-save.cc:1658
#15 0x7ffff46b9c1e in octave_builtin::execute(octave::tree_evaluator&,
int, octave_value_list const&) ../libinterp/octave-value/ov-builtin.cc:65
#16 0x7ffff47b1bc1 in octave_function::call(octave::tree_evaluator&, int,
octave_value_list const&) ../libinterp/octave-value/ov-fcn.cc:57
#17 0x7ffff4b5aeee in
octave::tree_index_expression::evaluate_n(octave::tree_evaluator&, int)
../libinterp/parse-tree/pt-idx.cc:402
#18 0x7ffff4b60cc2 in
octave::tree_index_expression::evaluate(octave::tree_evaluator&, int)
(/home/dima/src/octave/gcc_debug/libinterp/.libs/liboctinterp.so.8+0x18cacc2)
#19 0x7ffff4b115e0 in
octave::tree_evaluator::visit_statement(octave::tree_statement&)
../libinterp/parse-tree/pt-eval.cc:3032
#20 0x7ffff4b7c72a in octave::tree_statement::accept(octave::tree_walker&)
../libinterp/parse-tree/pt-stmt.h:124
#21 0x7ffff4b12270 in
octave::tree_evaluator::visit_statement_list(octave::tree_statement_list&)
../libinterp/parse-tree/pt-eval.cc:3117
#22 0x7ffff45e9d62 in
octave::tree_statement_list::accept(octave::tree_walker&)
../libinterp/parse-tree/pt-stmt.h:201
#23 0x7ffff4af84c9 in
octave::tree_evaluator::eval(std::shared_ptr<octave::tree_statement_list>&,
bool) ../libinterp/parse-tree/pt-eval.cc:404
#24 0x7ffff5405200 in octave::interpreter::main_loop()
../libinterp/corefcn/interpreter.cc:1269
#25 0x7ffff53face4 in octave::interpreter::execute()
../libinterp/corefcn/interpreter.cc:797
#26 0x7ffff65da5e2 in octave::interpreter_qobject::execute()
../libgui/src/interpreter-qobject.cc:87
#27 0x7ffff6894c0f in
octave::interpreter_qobject::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**) libgui/src/moc-interpreter-qobject.cc:95
#28 0x7ffff1c8a275 in QObject::event(QEvent*)
(/lib64/libQt5Core.so.5+0x288275)
#29 0x7ffff25aa5f4 in QApplicationPrivate::notify_helper(QObject*,
QEvent*) (/lib64/libQt5Widgets.so.5+0x1675f4)
#30 0x7ffff25b1b0f in QApplication::notify(QObject*, QEvent*)
(/lib64/libQt5Widgets.so.5+0x16eb0f)
#31 0x7ffff66f6113 in octave::octave_qapplication::notify(QObject*,
QEvent*) ../libgui/src/octave-qobject.cc:136
#32 0x7ffff1c60325 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
(/lib64/libQt5Core.so.5+0x25e325)
#33 0x7ffff1c63596 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) (/lib64/libQt5Core.so.5+0x261596)
#34 0x7ffff1cb3406 (/lib64/libQt5Core.so.5+0x2b1406)
#35 0x7fffe4c6667c in g_main_context_dispatch
(/lib64/libglib-2.0.so.0+0x4d67c)
#36 0x7fffe4c66a47 (/lib64/libglib-2.0.so.0+0x4da47)
#37 0x7fffe4c66adf in g_main_context_iteration
(/lib64/libglib-2.0.so.0+0x4dadf)
#38 0x7ffff1cb318a in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(/lib64/libQt5Core.so.5+0x2b118a)
#39 0x7ffff1c5f18a in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(/lib64/libQt5Core.so.5+0x25d18a)
#40 0x7ffff1abdd41 in QThread::exec() (/lib64/libQt5Core.so.5+0xbbd41)
#41 0x7ffff1abf075 (/lib64/libQt5Core.so.5+0xbd075)
#42 0x7fffe8d49149 in start_thread (/lib64/libpthread.so.0+0x8149)
#43 0x7fffe8a7af22 in clone (/lib64/libc.so.6+0xfcf22)
0x602000215617 is located 0 bytes to the right of 7-byte region
[0x602000215610,0x602000215617)
allocated by thread T6 (QThread) here:
#0 0x7ffff6ef7990 in operator new[](unsigned long)
(/lib64/libasan.so.5+0xf1990)
#1 0x7ffff46a25f7 in std::_MakeUniq<char []>::__array
std::make_unique<char []>(unsigned long)
/usr/include/c++/8/bits/unique_ptr.h:833
#2 0x7ffff5495d8d in hdf5_read_next_data_internal
../libinterp/corefcn/ls-hdf5.cc:731
#3 0x7fffef7e1375 (/lib64/libhdf5.so.103+0x134375)
Thread T6 (QThread) created by T0 here:
#0 0x7ffff6e58ea3 in __interceptor_pthread_create
(/lib64/libasan.so.5+0x52ea3)
#1 0x7ffff1abeaf6 in QThread::start(QThread::Priority)
(/lib64/libQt5Core.so.5+0xbcaf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.5+0xad19c)
Shadow bytes around the buggy address:
==2098438==ABORTING
Dmitri.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 19 Feb 2021 11:41:23 PM UTC Name: test_matlab_h5write_bad.hdf5
Size: 5KiB By: dasergatskov
<http://savannah.gnu.org/bugs/download.php?file_id=50891>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?60081>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
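
The ASan report above shows std::string(char const*) reading from the first byte past a 7-byte make_unique<char[]> buffer, which is consistent with a fixed-length string read from the file into a buffer that has no terminating NUL. The block below is an added example of that bug class and two bounded conversions; it is not Octave's code and not part of the original report, and read_field, field_to_string, read_field_terminated and the sample bytes are hypothetical names and constructed data.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>

// Constructed sample fields, as a file might store fixed-length strings:
// kFull uses all 7 bytes and has NO terminating NUL; kPadded is NUL-padded.
static const char kFull[7]   = {'b', 'a', 'd', '_', 's', 't', 'r'};
static const char kPadded[7] = {'a', 'b', 0, 0, 0, 0, 0};

// Hypothetical reader: copies a fixed-length field into a heap buffer sized
// exactly to the field, so the buffer is not guaranteed to be NUL-terminated.
std::unique_ptr<char[]> read_field(const char* src, std::size_t len) {
  auto buf = std::make_unique<char[]>(len);
  std::memcpy(buf.get(), src, len);
  return buf;
}

// Unsafe pattern (left commented out): std::string(const char*) scans for a
// NUL with no bound, so for kFull it reads past the end of the allocation.
//   std::string s(read_field(kFull, 7).get());

// Bounded conversion: never looks beyond len bytes; stops at the first NUL
// inside the field if there is one (handles NUL-padded fields).
std::string field_to_string(const char* buf, std::size_t len) {
  const void* nul = std::memchr(buf, '\0', len);
  std::size_t n = nul ? static_cast<std::size_t>(
                            static_cast<const char*>(nul) - buf)
                      : len;
  return std::string(buf, n);
}

// Alternative: allocate one extra byte and terminate explicitly, after which
// the strlen-based constructor stays inside the allocation.
std::string read_field_terminated(const char* src, std::size_t len) {
  auto buf = std::make_unique<char[]>(len + 1);
  std::memcpy(buf.get(), src, len);
  buf[len] = '\0';
  return std::string(buf.get());
}

int main() {
  std::cout << field_to_string(read_field(kFull, 7).get(), 7) << "\n"
            << field_to_string(read_field(kPadded, 7).get(), 7) << "\n"
            << read_field_terminated(kFull, 7) << "\n";
  return 0;
}
```

Building this with -fsanitize=address and enabling the commented-out line produces a heap-buffer-overflow report in the std::string constructor, the same kind of report as the one in this message.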