
Heap-buffer-overflow in ueStrNBytes

Open kcwu opened this issue 8 years ago • 10 comments

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=203

reduced testcase

$ xxd -r > 203-heap-buffer-overflow
00000000: 0630 3030 3030 3030 3001 8206 0054 0686  .00000000....T..
00000010: 060e 070e 8206 3001 0006 3c54 0686 0606  ......0...<T....

how to reproduce

./test/stress -file 203-heap-buffer-overflow -init -loop 1

kcwu avatar Nov 23 '16 12:11 kcwu
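The reduced test case is only available as the hex dump above, which is what later replies in this thread stumble over. The following is an added Python example (not part of the issue, and not libchewing code) that rebuilds the file from that dump the way `xxd -r` does and verifies the result by re-rendering it; the output file name `203-heap-buffer-overflow` follows the report, and zero-filling any gap between offsets is an assumption about `xxd -r` semantics.

```python
"""Rebuild the reduced test case from its xxd dump (added example, not libchewing code)."""
from pathlib import Path

# Constructed copy of the reduced test case dump posted in the issue.
XXD_DUMP = """\
00000000: 0630 3030 3030 3030 3001 8206 0054 0686  .00000000....T..
00000010: 060e 070e 8206 3001 0006 3c54 0686 0606  ......0...<T....
"""


def parse_xxd(dump: str) -> bytes:
    """Reverse an xxd hex dump into bytes, honouring the offset column like `xxd -r`.

    Gaps between offsets are zero-filled (assumed behaviour); lines without an
    offset column are ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        offset_str, rest = line.split(":", 1)
        offset = int(offset_str, 16)
        # The hex column ends where the two-space gap before the ASCII column begins.
        hex_part = rest.split("  ", 1)[0].replace(" ", "")
        chunk = bytes.fromhex(hex_part)
        if offset > len(out):
            out.extend(b"\0" * (offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


def to_xxd(data: bytes, cols: int = 16) -> str:
    """Render bytes in xxd's default format so a parsed dump can be checked by round trip."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_col = " ".join(groups).ljust(cols * 2 + cols // 2 - 1)
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {hex_col}  {ascii_col}")
    return "\n".join(lines) + "\n"


def write_testcase(path: str, dump: str = XXD_DUMP) -> int:
    """Write the reproducer used by `./test/stress -file ...`; returns the byte count."""
    data = parse_xxd(dump)
    if to_xxd(data) != dump:
        raise ValueError("dump did not round-trip; check the hex for a copy error")
    Path(path).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    print(write_testcase("203-heap-buffer-overflow"), "bytes written")
```

Run it in the libchewing build directory, then run the `./test/stress` command from the report against the written file.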

Need help to reproduce this one.

czchen avatar Nov 27 '16 13:11 czchen

Did you forget -init argument?

kcwu avatar Nov 27 '16 13:11 kcwu

@kcwu , How to get the testcase file? I click the link of testcase in 203, but instead of downloading the testcase, it shows "Invalid testcase". Does it mean that I don't have permission to download this testcase?

Billy4195 avatar May 04 '17 10:05 Billy4195

Yes. Could you reproduce using my above reduced testcase?

kcwu avatar May 06 '17 14:05 kcwu

@kcwu but I can't get the reduced test case, or is the test case's content just the hex data you mentioned above?

Billy4195 avatar May 07 '17 02:05 Billy4195

Yes, I meant the hex data above.

kcwu avatar May 07 '17 16:05 kcwu

I have used the above content to reproduce the error, but it didn't print out any error in the terminal.

$ xxd 203-heap-buffer-overflow
00000000: 0630 3030 3030 3030 3001 8206 0054 0686  .00000000....T..
00000010: 060e 070e 8206 3001 0006 3c54 0686 0606  ......0...<T....
$ ./test/stress -file 203-heap-buffer-overflow -init -loop 1

It didn't print out any message.

Billy4195 avatar May 08 '17 09:05 Billy4195

This is my full reproduce step:

export CC=clang-3.8
CFLAGS='-fsanitize=address -O0 -g'  ./configure --disable-shared --without-sqlite3
make clean
make check
./test/stress -file 203-heap-buffer-overflow -init -loop 1

Could you reproduce using the above steps?

kcwu avatar May 08 '17 09:05 kcwu

I have tried to reproduce the error using the above steps, but it still outputs nothing...

Billy4195 avatar May 19 '17 09:05 Billy4195

Maybe the result varies across different clang versions? I can reproduce the issue with clang-4.0 on Arch Linux x86_64.

$ ./test/stress -file 203-heap-buffer-overflow -init -loop 1
stress: choice.c:359: void SetChoiceInfo(ChewingData *): Assertion `pci->nTotalChoice > 0' failed.
[1]    28124 abort (core dumped)  ./test/stress -file 203-heap-buffer-overflow -init -loop 1

yan12125 avatar May 19 '17 10:05 yan12125