
1-byte-read-heap-buffer-overflow in ptime_l


lnav version github master

Steps to reproduce (build with AddressSanitizer, then feed lnav a single crafted W3C-style log line through process substitution):

CXXFLAGS='-fsanitize=address' ./configure
make
./src/lnav -n <(printf '#Date:\t3/9/3/0\x85 2\n0\n')

Note: `\x85` is a bash `printf` extension; under a POSIX `sh` use the octal form `\205` to emit the same byte. The whole crafted line, including the trailing newline, is 18 bytes, which matches the 18-byte heap region in the report below.

ASan report (the faulting read is in `ptime_l` at `ptimec.hh:750`, reached from the `ptime_f38` time-format matcher while `w3c_log_format::scan` is probing the `#Date:` directive):

==1595849==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000076b22 at pc 0x000000fe7d5d bp 0x7fff57b748b0 sp 0x7fff57b748a8
READ of size 1 at 0x603000076b22 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0xfe7d5c in ptime_l(exttm*, char const*, long&, long) /home/kcwu/fuzz/targets/lnav/lnav/src/./ptimec.hh:750:27
    #1 0x133feb3 in ptime_f38(exttm*, char const*, long&, long) /home/kcwu/fuzz/targets/lnav/lnav/src/time_fmts.cc:688:10
    #2 0x14275d2 in date_time_scanner::scan(char const*, unsigned long, char const* const*, exttm*, timeval&, bool) /home/kcwu/fuzz/targets/lnav/lnav/src/base/date_time_scanner.cc:143:17
    #3 0xe1b73f in w3c_log_format::scan(logfile&, std::vector<logline, std::allocator<logline> >&, line_info const&, shared_buffer_ref&) /home/kcwu/fuzz/targets/lnav/lnav/src/./log_format_impls.cc:1188:25
    #4 0xee9d0f in logfile::process_prefix(shared_buffer_ref&, line_info const&) /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:225:30
    #5 0xeedb28 in logfile::rebuild_index(nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:527:33
    #6 0x118ce73 in textfile_sub_source::rescan_files(textfile_sub_source::scan_callback&, nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/textfile_sub_source.cc:459:38
    #7 0x82deb4 in rebuild_indexes(nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.indexing.cc:192:18
    #8 0x830d8c in rebuild_indexes_repeatedly() /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.indexing.cc:309:46
    #9 0x55d587 in main /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.cc:2773:17
    #10 0x7f23d56d37fc in __libc_start_main csu/../csu/libc-start.c:332:16
    #11 0x498149 in _start (/btrfs2/fuzz/targets/lnav/run/lnav.asan+0x498149)

0x603000076b22 is located 0 bytes to the right of 18-byte region [0x603000076b10,0x603000076b22) — i.e. the parser reads `str[18]` of an 18-byte line buffer, one byte past its end. That suggests the length check in `ptime_l` before the character read at `ptimec.hh:750` is missing or off by one (confirm against the source); the fix is to compare the current offset against the passed-in length before dereferencing.
allocated by thread T0 here:
    #0 0x51502d in malloc (/btrfs2/fuzz/targets/lnav/run/lnav.asan+0x51502d)
    #1 0x1109dfb in shared_buffer_ref::take_ownership() /home/kcwu/fuzz/targets/lnav/lnav/src/shared_buffer.cc:116:33
    #2 0xefeb78 in shared_buffer_ref::get_writable_data() /home/kcwu/fuzz/targets/lnav/lnav/src/./shared_buffer.hh:111:19
    #3 0xef6369 in auto logfile::read_line[abi:cxx11](__gnu_cxx::__normal_iterator<logline*, std::vector<logline, std::allocator<logline> > >)::$_5::operator()<shared_buffer_ref>(shared_buffer_ref) const /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:642:39
    #4 0xef0c81 in auto Result<shared_buffer_ref, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::map<logfile::read_line(__gnu_cxx::__normal_iterator<logline*, std::vector<logline, std::allocator<logline> > >)::$_5>(logfile::read_line(__gnu_cxx::__normal_iterator<logline*, std::vector<logline, std::allocator<logline> > >)::$_5) /home/kcwu/fuzz/targets/lnav/lnav/src/./base/result.h:789:24
    #5 0xef067f in logfile::read_line[abi:cxx11](__gnu_cxx::__normal_iterator<logline*, std::vector<logline, std::allocator<logline> > >) /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:639:14
    #6 0xe1b35e in w3c_log_format::scan(logfile&, std::vector<logline, std::allocator<logline> >&, line_info const&, shared_buffer_ref&) /home/kcwu/fuzz/targets/lnav/lnav/src/./log_format_impls.cc:1162:40
    #7 0xee9d0f in logfile::process_prefix(shared_buffer_ref&, line_info const&) /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:225:30
    #8 0xeedb28 in logfile::rebuild_index(nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/logfile.cc:527:33
    #9 0x118ce73 in textfile_sub_source::rescan_files(textfile_sub_source::scan_callback&, nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/textfile_sub_source.cc:459:38
    #10 0x82deb4 in rebuild_indexes(nonstd::optional_lite::optional<std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > >) /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.indexing.cc:192:18
    #11 0x830d8c in rebuild_indexes_repeatedly() /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.indexing.cc:309:46
    #12 0x55d587 in main /home/kcwu/fuzz/targets/lnav/lnav/src/lnav.cc:2773:17
    #13 0x7f23d56d37fc in __libc_start_main csu/../csu/libc-start.c:332:16

Found by fuzzing with AFL++. Impact: a one-byte heap over-read triggered by an attacker-controlled log line; since lnav parses arbitrary log files, any file an operator opens can reach this path. Without ASan it is an information-disclosure/crash primitive rather than a write, but it should still be fixed with a bounds check in the time parser.
