
Bug#779573: bibtool: heap buffer overflow in the bibtool tests




Hello All,

The patch was committed by the upstream maintainer [1].
He is also currently working on the print issue.
Once solved, he may release a new version for BibTool.

On the other hand, the bug was downgraded from RC to Grave.

I will package this new version in due time in experimental.

My question is: may I patch the bibtool debian package 2.57+ds-2 and put it in unstable?

Thanks.

Best wishes,
Jerome



[1] https://github.com/ge-ne/bibtool/commit/c6ed92c556f28ca2c738972c647486f9e11424bf

On 02/03/15 17:06, Vincent Lefevre wrote:
> On 2015-03-02 16:35:51 +0100, Jerome BENOIT wrote:
>> Thanks, it sounds helpful: I have just forwarded your last two emails
>> to the mainstream maintainer: let's wait for his feedback.
> 
> I've attached a patch for this bug.
> 
> I've also added a new test that triggers another heap buffer overflow
> (this is based on my test used in bug 747519):
> 
> =================================================================
> ==1514==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000093fbc at pc 0x7f8ef3a6deec bp 0x7fffa07f6900 sp 0x7fffa07f68f8
> READ of size 1 at 0x606000093fbc thread T0
>     #0 0x7f8ef3a6deeb in line_breaking /home/vlefevre/software/bibtool-2.57+ds/print.c:275
>     #1 0x7f8ef3a6eb65 in put_record /home/vlefevre/software/bibtool-2.57+ds/print.c:580
>     #2 0x7f8ef3a5850c in print_segment /home/vlefevre/software/bibtool-2.57+ds/database.c:430
>     #3 0x7f8ef3a59769 in print_db /home/vlefevre/software/bibtool-2.57+ds/database.c:654
>     #4 0x7f8ef3a55b5e in main /home/vlefevre/software/bibtool-2.57+ds/main.c:619
>     #5 0x7f8ef23aab44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>     #6 0x7f8ef3a566a6 (/home/vlefevre/software/bibtool-2.57+ds/bibtool+0x116a6)
> 
> 0x606000093fbc is located 0 bytes to the right of 60-byte region [0x606000093f80,0x606000093fbc)
> allocated by thread T0 here:
>     #0 0x7f8ef299f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
>     #1 0x7f8ef3a77c46 in new_string /home/vlefevre/software/bibtool-2.57+ds/symbols.c:155
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vlefevre/software/bibtool-2.57+ds/print.c:275 line_breaking
> Shadow bytes around the buggy address:
>   0x0c0c8000a7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c8000a7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c8000a7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c8000a7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c8000a7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c0c8000a7f0: 00 00 00 00 00 00 00[04]fa fa fa fa fd fd fd fd
>   0x0c0c8000a800: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c8000a810: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
>   0x0c0c8000a820: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
>   0x0c0c8000a830: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c8000a840: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==1514==ABORTING
> 
> This corresponds to the "if ( *ptr == '\n' )" in the following print.c
> excerpt:
> 
>         if ( 0 <= rsc_linelen - column )           /*                        */
>           save_ptr = s + rsc_linelen - column;     /* Potential end          */
>         else                                       /*                        */
>           save_ptr = s;                            /*                        */
>                                                    /*                        */
>         for(ptr = s;                               /* Search next newline    */
>             ptr <= save_ptr && *ptr != '\n';       /*  or end of region      */
>             ptr++) {}                              /*                        */
>                                                    /*                        */
>         if ( *ptr == '\n' )                        /*                        */
> 
> Then I don't know whether save_ptr is miscomputed or the condition
> ptr <= save_ptr is incorrect (possibly ptr < save_ptr).
> 

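As an added illustration (not code from the bug report, from bibtool, or from the upstream fix), the following C model reproduces the scan pattern quoted above with a bounds-counting accessor in place of raw pointer reads, so the out-of-bounds read surfaces as a count instead of an AddressSanitizer abort. The hardened variant also stops at the string's terminating NUL, which is the check that changing `ptr <= save_ptr` to `ptr < save_ptr` alone would not add when the text is shorter than the remaining line width; the buffer length, line length and column values below are constructed to match the 60-byte region in the report.

```c
#include <string.h>

/* Model of the newline scan quoted from bibtool's print.c (illustrative
 * reconstruction for this note, not upstream code or the upstream fix).
 * Reads past the buffer are counted instead of crashing. */
static size_t oob_reads;

static char peek(const char *buf, size_t len, size_t i)
{
    if (i >= len) { oob_reads++; return '\0'; } /* would be a heap overflow */
    return buf[i];
}

static size_t limit_for(long linelen, long column)
{
    return linelen - column >= 0 ? (size_t)(linelen - column) : 0; /* save_ptr - s */
}

/* The loop as quoted: walks up to and including save_ptr with no NUL check, then dereferences once more. */
size_t scan_as_quoted(const char *s, size_t len, long linelen, long column)
{
    size_t i, limit = limit_for(linelen, column);
    for (i = 0; i <= limit && peek(s, len, i) != '\n'; i++) {}
    (void)peek(s, len, i);          /* the "if ( *ptr == '\n' )" read */
    return i;
}

/* Hardened scan: stops at a newline, the line limit, or the string's NUL, never past the end. */
size_t scan_bounded(const char *s, size_t len, long linelen, long column)
{
    size_t i, limit = limit_for(linelen, column);
    for (i = 0; i < limit; i++) {
        char c = peek(s, len, i);
        if (c == '\0' || c == '\n') break;
    }
    return i;
}

/* Constructed input: 59 non-newline bytes plus NUL (a 60-byte region like the report's),
 * with rsc_linelen - column == 59 so save_ptr lands on the NUL. Returns reads past the buffer. */
size_t oob_reads_for(size_t (*scan)(const char *, size_t, long, long))
{
    char sample[60];
    memset(sample, 'x', 59);
    sample[59] = '\0';
    oob_reads = 0;
    (void)scan(sample, sizeof sample, 79, 20);
    return oob_reads;
}
```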
