Bug#779573: bibtool: heap buffer overflow in the bibtool tests
Hello All,
The patch was committed by the upstream maintainer [1].
He is also currently working on the print issue.
Once solved, he may release a new version for BibTool.
On the other hand, the bug was downgraded from RC to Grave.
I will package this new version in due time in experimental.
My question is: may I patch the bibtool debian package 2.57+ds-2 and put it in unstable?
Thanks.
Best wishes,
Jerome
[1] https://github.com/ge-ne/bibtool/commit/c6ed92c556f28ca2c738972c647486f9e11424bf
On 02/03/15 17:06, Vincent Lefevre wrote:
> On 2015-03-02 16:35:51 +0100, Jerome BENOIT wrote:
>> Thanks, it sounds helpful: I have just forwarded your last two emails
>> to the mainstream maintainer: let's wait for his feedback.
>
> I've attached a patch for this bug.
>
> I've also added a new test that triggers another heap buffer overflow
> (this is based on my test used in bug 747519):
>
> =================================================================
> ==1514==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000093fbc at pc 0x7f8ef3a6deec bp 0x7fffa07f6900 sp 0x7fffa07f68f8
> READ of size 1 at 0x606000093fbc thread T0
> #0 0x7f8ef3a6deeb in line_breaking /home/vlefevre/software/bibtool-2.57+ds/print.c:275
> #1 0x7f8ef3a6eb65 in put_record /home/vlefevre/software/bibtool-2.57+ds/print.c:580
> #2 0x7f8ef3a5850c in print_segment /home/vlefevre/software/bibtool-2.57+ds/database.c:430
> #3 0x7f8ef3a59769 in print_db /home/vlefevre/software/bibtool-2.57+ds/database.c:654
> #4 0x7f8ef3a55b5e in main /home/vlefevre/software/bibtool-2.57+ds/main.c:619
> #5 0x7f8ef23aab44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
> #6 0x7f8ef3a566a6 (/home/vlefevre/software/bibtool-2.57+ds/bibtool+0x116a6)
>
> 0x606000093fbc is located 0 bytes to the right of 60-byte region [0x606000093f80,0x606000093fbc)
> allocated by thread T0 here:
> #0 0x7f8ef299f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
> #1 0x7f8ef3a77c46 in new_string /home/vlefevre/software/bibtool-2.57+ds/symbols.c:155
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vlefevre/software/bibtool-2.57+ds/print.c:275 line_breaking
> ==1514==ABORTING
>
> This corresponds to the "if ( *ptr == '\n' )" in the following print.c
> excerpt:
>
>   if ( 0 <= rsc_linelen - column )          /*                     */
>     save_ptr = s + rsc_linelen - column;    /* Potential end       */
>   else                                      /*                     */
>     save_ptr = s;                           /*                     */
>                                             /*                     */
>   for(ptr = s;                              /* Search next newline */
>       ptr <= save_ptr && *ptr != '\n';      /* or end of region    */
>       ptr++) {}                             /*                     */
>                                             /*                     */
>   if ( *ptr == '\n' )                       /*                     */
>
> Then I don't know whether save_ptr is miscomputed or the condition
> ptr <= save_ptr is incorrect (possibly ptr < save_ptr).
>
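As an added illustration of the off-by-one Vincent describes (constructed model code, not bibtool's print.c and not the upstream fix), the loop is rewritten over indices so the out-of-bounds index can be reported instead of read: with a 60-byte region (59 bytes plus the NUL) and rsc_linelen - column == 59, the original condition leaves ptr one past the allocation before the "if ( *ptr == '\n' )" test. The checked variant, bounded by the region length and stopping at the NUL, is one possible hardening; the names and the sample region are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 60-byte region like the one in the ASan report:
 * 59 bytes of text followed by the terminating NUL at index 59. */
static const char region[60] =
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxx";

/* Model of the original loop. Returns the index that the following
 * "if ( *ptr == '\n' )" would dereference. The model refuses to read at
 * or past buflen; the original code has no such guard. */
size_t break_index_original(const char *s, size_t buflen, int rsc_linelen, int column)
{
    size_t save = (rsc_linelen - column >= 0) ? (size_t)(rsc_linelen - column) : 0;
    size_t i = 0;
    /* "ptr <= save_ptr && *ptr != '\n'": the NUL does not stop the scan,
     * so with no newline the loop exits with i == save + 1. */
    while (i <= save && i < buflen && s[i] != '\n')
        i++;
    return i;   /* == buflen means one byte past the allocation */
}

/* Hardened variant: clamp the candidate end to the last byte of the region,
 * use "<" so the index never passes it, and stop at the NUL as well. */
size_t break_index_checked(const char *s, size_t buflen, int rsc_linelen, int column)
{
    if (buflen == 0)
        return 0;
    size_t save = (rsc_linelen - column >= 0) ? (size_t)(rsc_linelen - column) : 0;
    size_t last = buflen - 1;              /* last readable index */
    if (save > last)
        save = last;
    size_t i = 0;
    while (i < save && s[i] != '\0' && s[i] != '\n')
        i++;
    return i;   /* always < buflen, so s[i] is an in-bounds read */
}

int main(void)
{
    size_t a = break_index_original(region, sizeof region, 59, 0);
    size_t b = break_index_checked(region, sizeof region, 59, 0);
    printf("original would read s[%zu] of a %zu-byte region; checked reads s[%zu]\n",
           a, sizeof region, b);
    return 0;
}
```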