Stack overflow on malformed input
gabe-sherman opened this issue · comments
A stack overflow occurs in the below program when provided with malformed input.
#include <stdio.h>
#include <stdarg.h>
#include <stdbool.h>   /* bool / true / false are used below */
#include <string.h>
#include <stdlib.h>
#include "ucl.h"

int main(int argc, char *argv[])
{
    long size;
    if (argc < 2) return EXIT_FAILURE;          /* need the input file path */
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) return EXIT_FAILURE;
    fseek(f, 0, SEEK_END);
    size = ftell(f);
    if (size < 0) return EXIT_FAILURE;
    rewind(f);
    /* Read the whole file into a NUL-terminated buffer. */
    unsigned char *data = malloc((size_t)size + 1);
    if (data == NULL) return EXIT_FAILURE;
    if (fread(data, 1, (size_t)size, f) != (size_t)size) return EXIT_FAILURE;
    fclose(f);
    data[size] = '\0';
    /* Hand the same input to the parser twice: once as a string, once as a chunk. */
    struct ucl_parser *v0 = ucl_parser_new(0);
    bool v1 = ucl_parser_add_string(v0, (char *)data, size);
    if (v1 == false) exit(EXIT_FAILURE);
    bool v2 = ucl_parser_add_chunk_priority(v0, (unsigned char *)data, size, 0);
    (void)v2;
    ucl_parser_free(v0);
    free(data);
    return 0;
}
Test Environment
Ubuntu 22.04, 64bit
How to trigger
./filename poc
Version
Latest: 51c5e2f
PoC File
https://github.com/FuturesLab/POC/blob/main/ucl/poc-14
Address Sanitizer Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1020146==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fee98 (pc 0x7ffff7d7673e bp 0x7fffff7ffc90 sp 0x7fffff7feea0 T0)
#0 0x7ffff7d7673e in glob64 posix/../posix/glob.c:568:18
#1 0x7ffff7d76790 in glob64 posix/../posix/glob.c:598:21
... same glob messages continue ...
SUMMARY: AddressSanitizer: stack-overflow posix/../posix/glob.c:568:18 in glob64
==1020146==ABORTING
It seems it is also fixed.
Thank you @gabe-sherman for finding that out! Probably, we should add these PoCs and the corresponding code to the test suite to exclude future regressions.