AddressSanitizer: heap-buffer-overflow in crc_folding.c:333 #452

Closed
nmoinvaz opened this issue Oct 13, 2019 · 1 comment

nmoinvaz commented Oct 13, 2019

==1907==AddressSanitizer Init done
/Users/runner/runners/2.159.0/work/zlib-ng/zlib-ng/arch/x86/crc_folding.c:252:20: runtime error: unsigned integer overflow: 0 - 4464207872 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/runner/runners/2.159.0/work/zlib-ng/zlib-ng/arch/x86/crc_folding.c:252:20 in 
=================================================================
==1907==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010a1ccda0 at pc 0x000106752bbe bp 0x7ffee95d5b90 sp 0x7ffee95d5b88
READ of size 16 at 0x00010a1ccda0 thread T0
    #0 0x106752bbd in crc_fold_copy crc_folding.c:333
    #1 0x10663ecd6 in copy_with_crc crc32.c:212
    #2 0x10668d0fe in read_buf deflate.c:1202
    #3 0x10674a232 in fill_window_sse fill_window_sse.c:78
    #4 0x1066a2c10 in deflate_medium deflate_medium.c:217
    #5 0x106663326 in zng_deflate deflate.c:1035
    #6 0x10677c1bc in gz_comp gzwrite.c:115
    #7 0x1067734e1 in gz_write gzwrite.c:214
    #8 0x10677198f in zng_gzwrite gzwrite.c:245
    #9 0x10662cd25 in test_gzio_deflate_inflate example.c:286
    #10 0x106637f82 in main example.c:1495
    #11 0x7fff5c1783d4 in start (libdyld.dylib:x86_64+0x163d4)

0x00010a1ccda3 is located 0 bytes to the right of 419235-byte region [0x00010a166800,0x00010a1ccda3)
2019-10-11T22:36:48.2287670Z allocated by thread T0 here:
2019-10-11T22:36:48.2287830Z     #0 0x1068cf143 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x59143)
2019-10-11T22:36:48.2287990Z     #1 0x10662c93f in test_gzio_deflate_inflate example.c:245
2019-10-11T22:36:48.2288130Z     #2 0x106637f82 in main example.c:1495
2019-10-11T22:36:48.2288270Z     #3 0x7fff5c1783d4 in start (libdyld.dylib:x86_64+0x163d4)
2019-10-11T22:36:48.2288350Z 
2019-10-11T22:36:48.2288910Z SUMMARY: AddressSanitizer: heap-buffer-overflow crc_folding.c:333 in crc_fold_copy

This can be reproduced in my improvements/added-codecov branch. It fails on crc_fold_copy.c line 333 at which point len = 3. At the top of the function len is an odd number. Here is the GitHub Actions build that it fails on https://github.com/nmoinvaz/zlib-ng/runs/257248230.
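An added example, not code from zlib-ng or from this issue, of why the report above shows a 16-byte read at a 3-byte tail (419235 mod 16 = 3) running past the allocation, and one common way to bound it with a zero-padded local block. The names `tail_overread`, `fold_copy_bounded` and `demo` and the XOR fold are hypothetical stand-ins, and this is not claimed to be the fix the project applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 16 /* one 128-bit load, the "READ of size 16" in the report */

/* Bytes a full-width load of the last partial block reads past the end of a
 * len-byte buffer. Computed only; the out-of-bounds read is never performed. */
size_t tail_overread(size_t len) {
    size_t tail = len % BLOCK;
    return tail ? BLOCK - tail : 0;
}

/* Toy fold step (XOR into a 16-byte state); stands in for the real CRC fold. */
static void fold(uint8_t state[BLOCK], const uint8_t blk[BLOCK]) {
    for (int j = 0; j < BLOCK; j++) state[j] ^= blk[j];
}

/* Copy src to dst while folding, never reading src[len] or beyond. */
void fold_copy_bounded(uint8_t state[BLOCK], uint8_t *dst,
                       const uint8_t *src, size_t len) {
    uint8_t blk[BLOCK];
    size_t i = 0;
    for (; i + BLOCK <= len; i += BLOCK) {   /* whole blocks: in bounds */
        memcpy(blk, src + i, BLOCK);
        memcpy(dst + i, blk, BLOCK);
        fold(state, blk);
    }
    if (i < len) {                           /* tail of 1..15 bytes */
        uint8_t partial[BLOCK] = {0};        /* zero-padded bounce buffer */
        memcpy(partial, src + i, len - i);   /* reads exactly len - i bytes */
        memcpy(dst + i, partial, len - i);
        fold(state, partial);
    }
}

/* Constructed check on an exact-size heap buffer; returns 0 on success. */
int demo(size_t len) {
    uint8_t *src = malloc(len), *dst = malloc(len);
    uint8_t state[BLOCK] = {0}, ref[BLOCK] = {0};
    if (!src || !dst) { free(src); free(dst); return -1; }
    for (size_t i = 0; i < len; i++) {
        src[i] = (uint8_t)(i * 31u + 7u);    /* constructed sample data */
        ref[i % BLOCK] ^= src[i];            /* bytewise reference fold */
    }
    fold_copy_bounded(state, dst, src, len);
    int ok = memcmp(dst, src, len) == 0 && memcmp(state, ref, BLOCK) == 0;
    free(src); free(dst);
    return ok ? 0 : 1;
}

int main(void) { return demo(419235); }      /* region size from the report */
```

Building this with `-fsanitize=address` keeps the exact-size `malloc` buffers under the same check that produced the report.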

@nmoinvaz nmoinvaz changed the title AddressSanitizer: heap-buffer-overflow in crc_fold_copy:333 AddressSanitizer: heap-buffer-overflow in crc_folding.c:333 Oct 13, 2019
nmoinvaz commented Oct 13, 2019

This may be related:

gzio() test/data/lcet10.txt mode : zlib-ng\arch\x86\crc_folding.c:252:20: runtime error: unsigned integer overflow: 0 - 10248136 cannot be represented in type 'unsigned int'

nmoinvaz added a commit to nmoinvaz/zlib-ng that referenced this issue Oct 22, 2019
nmoinvaz added a commit to nmoinvaz/zlib-ng that referenced this issue Oct 23, 2019
Dead2 pushed a commit that referenced this issue Oct 24, 2019
nmoinvaz added a commit to nmoinvaz/zlib-ng that referenced this issue Oct 24, 2019