Heap buffer overflow in parser::consume_whitespace()
grievejia opened this issue
Here's the input that triggers the problem:
heap_bof2.txt
Feeding it into the master (07a7b07) cpptoml-parser built with AddressSanitizer will crash the parser:
> cat heap_bof2 | cpptoml-parser
==12673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000002f at pc 0x0000005d69e1 bp 0x7fffd176a5c0 sp 0x7fffd176a5b8
READ of size 1 at 0x60300000002f thread T0
#0 0x5d69e0 in cpptoml::parser::consume_whitespace(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) (/home/grieve/scratch/fuzz_toml/cpptoml/build/cpptoml-parser+0x5d69e0)
#1 0x5e40cd in cpptoml::parser::parse_single_table(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, cpptoml::table*&) (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x5e40cd)
#2 0x5d7bbc in cpptoml::parser::parse_table(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, cpptoml::table*&) (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x5d7bbc)
#3 0x59786c in cpptoml::parser::parse() (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x59786c)
#4 0x58bb2a in main (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x58bb2a)
#5 0x7f4e66b414c9 in __libc_start_main (/usr/lib/libc.so.6+0x204c9)
#6 0x492eb9 in _start (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x492eb9)
0x60300000002f is located 0 bytes to the right of 31-byte region [0x603000000010,0x60300000002f)
allocated by thread T0 here:
#0 0x587260 in operator new(unsigned long) /home/grieve/LLVM/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
#1 0x7f4e67b3f0e9 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:317
It is a malformed input, and the expected behavior is to reject the input instead of crashing.
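The trace above shows a one-byte read exactly at the end of the string's heap region from inside consume_whitespace(), i.e. a dereference without first checking that the iterator is still short of `end`. The following is an added illustration of the defensive pattern for that iterator-pair style (hypothetical helper names; this is not cpptoml's own code): every `*it` is preceded by an `it != end` test, and a caller that needs a character after the whitespace rejects the input when none remains instead of reading past the buffer.

```cpp
#include <string>

// Hypothetical, added example in the iterator-pair style of the trace above.
using iter = std::string::const_iterator;

// Advances `it` over spaces and tabs, never dereferencing at or past `end`.
// Returns true if at least one character remains afterwards.
bool consume_whitespace(iter& it, const iter& end) {
    while (it != end && (*it == ' ' || *it == '\t'))
        ++it;
    return it != end;
}

// Skips whitespace, then requires `expected` as the next character. Input that
// ends early (e.g. "[table" or "[table   " with no closing bracket or newline)
// is rejected instead of being read past its end.
bool expect_after_whitespace(iter& it, const iter& end, char expected) {
    if (!consume_whitespace(it, end))
        return false;              // nothing left: reject, do not touch *it
    if (*it != expected)
        return false;
    ++it;
    return true;
}

// Number of leading blanks in `s` (safe on empty and all-blank input).
std::size_t count_leading_ws(const std::string& s) {
    iter it = s.begin();
    consume_whitespace(it, s.end());
    return static_cast<std::size_t>(it - s.begin());
}

// Characters left unconsumed after "whitespace then `expected`",
// or -1 if the input was rejected.
long consume_ws_then_expect(const std::string& s, char expected) {
    iter it = s.begin();
    if (!expect_after_whitespace(it, s.end(), expected))
        return -1;
    return static_cast<long>(s.end() - it);
}
```

The constructed inputs in the test are a closing bracket preceded by blanks, and inputs that stop inside or right after the blanks; the second kind is what a fuzzer is likely to produce and must come back as a rejection.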
Thanks for the report! I think the latest commit should fix this.