https://sourceware.org/bugzilla/show_bug.cgi?id=20893
Bug ID: 20893
Summary: Sigabrt in objdump
Product: binutils
Version: 2.28 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: thuanpv at comp dot nus.edu.sg
Target Milestone: ---

Dear all,

Using AFLFast (https://github.com/mboehme/aflfast), a fork of AFL, we found an input causing objdump to crash. The bug was found on Ubuntu 14.04 & binutils was checked out from https://github.com/bminor/binutils-gdb repository. Its commit is 268ebe95201d2ebdcf68cad9dc67ff6d1e25be9e (Fri Nov 18 14:15:12 2016).

To reproduce:

    printf "\x0b\x01\x00\x30\x30\x30\x30\x00\x30\x30\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x62\xe3\x65\x30\x20" > fd
    objdump -D fd

OR

    objdump -d fd

ASAN says:

    ../../binutils/objdump.c:2274:3: runtime error: null pointer passed as argument 2, which is declared to never be null
    Signal 1

Valgrind says:

    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x5A97AD: get_valid_dis386 (i386-dis.c:12916)
    ==53754==    by 0x5A97AD: print_insn (i386-dis.c:13239)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x58E4AF: get_sib (i386-dis.c:12957)
    ==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Conditional jump or move depends on uninitialised value(s)
    ==53754==    at 0x58E4F7: get_sib (i386-dis.c:12958)
    ==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)
    ==53754==
    ==53754== Use of uninitialised value of size 8
    ==53754==    at 0x5858E6: stpcpy (string3.h:111)
    ==53754==    by 0x5858E6: oappend (i386-dis.c:14387)
    ==53754==    by 0x5858E6: OP_XMM (i386-dis.c:16241)
    ==53754==    by 0x5A8A90: print_insn (i386-dis.c:13248)
    ==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
    ==53754==    by 0x42879D: disassemble_section (objdump.c:2241)
    ==53754==    by 0x5FB3AB: bfd_map_over_sections (section.c:1395)
    ==53754==    by 0x418307: disassemble_data (objdump.c:2375)
    ==53754==    by 0x4229D7: dump_bfd (objdump.c:3469)
    ==53754==    by 0x4234FF: display_object_bfd (objdump.c:3526)
    ==53754==    by 0x4234FF: display_any_bfd (objdump.c:3615)
    ==53754==    by 0x40CFC9: display_file (objdump.c:3636)
    ==53754==    by 0x40CFC9: main (objdump.c:3919)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
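A fuzzing run like the one in this report typically produces many crash files that resolve to the same handful of defects, so the first triage step is to parse the sanitizer or Memcheck output into structured records and bucket reports by the innermost project frame. The script below is an added example, not part of the bug report or of binutils: it parses Memcheck "Conditional jump" / "Use of uninitialised value" blocks of the shape quoted above into error kind plus stack frames, and groups them by (function, file), optionally skipping frames from files such as the glibc fortify header string3.h so that the `stpcpy` report is attributed to `oappend` in i386-dis.c. The sample input is a constructed, abbreviated copy of the trace in the report.

```python
from __future__ import annotations

import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the Memcheck output quoted in the
# bug report (PID 53754), trimmed to the frames the parser needs to see.
SAMPLE = """\
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x5A97AD: get_valid_dis386 (i386-dis.c:12916)
==53754==    by 0x5A97AD: print_insn (i386-dis.c:13239)
==53754==    by 0x42879D: disassemble_bytes (objdump.c:1801)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754==
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4AF: get_sib (i386-dis.c:12957)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754==
==53754== Conditional jump or move depends on uninitialised value(s)
==53754==    at 0x58E4F7: get_sib (i386-dis.c:12958)
==53754==    by 0x5A89F6: print_insn (i386-dis.c:13242)
==53754==    by 0x40CFC9: main (objdump.c:3919)
==53754==
==53754== Use of uninitialised value of size 8
==53754==    at 0x5858E6: stpcpy (string3.h:111)
==53754==    by 0x5858E6: oappend (i386-dis.c:14387)
==53754==    by 0x5858E6: OP_XMM (i386-dis.c:16241)
==53754==    by 0x5A8A90: print_insn (i386-dis.c:13248)
==53754==    by 0x40CFC9: main (objdump.c:3919)
"""

# "==PID== rest-of-line"; the single optional space keeps frame indentation intact.
PREFIX_RE = re.compile(r"^==(\d+)==\s?(.*)$")
# "   at 0xADDR: func (file:line)" or "   by 0xADDR: func (file:line)".
FRAME_RE = re.compile(
    r"^\s*(?:at|by)\s+(0x[0-9A-Fa-f]+):\s+(\S+)\s+\(([^:()]+):(\d+)\)\s*$"
)


@dataclass
class Frame:
    addr: str
    func: str
    file: str
    line: int


@dataclass
class Report:
    kind: str
    frames: list[Frame] = field(default_factory=list)

    def site(self, skip_files: tuple[str, ...] = ()) -> Frame:
        """Innermost frame not located in one of skip_files (falls back to frame 0)."""
        for fr in self.frames:
            if fr.file not in skip_files:
                return fr
        return self.frames[0]


def parse_memcheck(text: str) -> list[Report]:
    """Split Memcheck output into one Report per error block.

    A blank "==PID==" line closes the current block; a non-frame line opens a
    new one with that line as its kind. Lines without the ==PID== prefix are
    ignored (program output interleaved with the tool's messages).
    """
    reports: list[Report] = []
    current: Report | None = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        rest = m.group(2).strip()
        if not rest:
            current = None  # blank separator ends the block
            continue
        fm = FRAME_RE.match(rest)
        if fm and current is not None:
            addr, func, file, line = fm.groups()
            current.frames.append(Frame(addr, func, file, int(line)))
        else:
            current = Report(kind=rest)
            reports.append(current)
    return reports


def group_by_site(reports: list[Report], skip_files: tuple[str, ...] = ()) -> "OrderedDict[tuple[str, str], list[Report]]":
    """Bucket reports by (function, file) of their innermost project frame."""
    groups: "OrderedDict[tuple[str, str], list[Report]]" = OrderedDict()
    for rep in reports:
        fr = rep.site(skip_files)
        groups.setdefault((fr.func, fr.file), []).append(rep)
    return groups


if __name__ == "__main__":
    for (func, file), reps in group_by_site(parse_memcheck(SAMPLE), ("string3.h",)).items():
        lines = sorted({r.site(("string3.h",)).line for r in reps})
        print(f"{func} ({file}:{','.join(map(str, lines))}): {len(reps)} report(s), kinds={sorted({r.kind for r in reps})}")
```

Grouping by (function, file) rather than by exact line collapses the two `get_sib` reports at i386-dis.c:12957 and :12958 into one bucket, which is usually the granularity a maintainer wants; pass `skip_files=()` to keep libc frames such as `stpcpy` as their own site instead.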