Package: libvformat0
Version: 1.13-10
Severity: normal

Dear Maintainer,

while trying to fix https://bugs.debian.org/716434 I had to notice
that this seems to be a bug in libvformat.

I built a minimal test program (test.c, attached).
Just compile this with
$ gcc -g -c test.c
$ gcc -g -o test test.o -lvformat

Now create the (malformed) vformat file:
$ echo "." > dot
(the file name is hard coded in test.c)

And run it:
$ ./test 
Segmentation fault (core dumped)

This gives the following backtrace:

$ gdb test core 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
[...]
Core was generated by `./test'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f225f3d8e5e in vf_parse_text ()
   from /usr/lib/x86_64-linux-gnu/libvformat.so.0
(gdb) bt
#0  0x00007f225f3d8e5e in vf_parse_text ()
   from /usr/lib/x86_64-linux-gnu/libvformat.so.0
#1  0x00007f225f3da119 in vf_read_file ()
   from /usr/lib/x86_64-linux-gnu/libvformat.so.0
#2  0x00000000004006b9 in main () at test.c:6

I think that a file parser should return an error on malformed input
but not segfault.

To collect more information, I linked my test program against an
unstripped static libvformat.a and with this I get the following
backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000401c47 in append_group_name (p_prop=0x8cd270)
    at vf_parser.c:677
677             const char *p_string = p_prop->name.pp_strings[0];
(gdb) bt
#0  0x0000000000401c47 in append_group_name (p_prop=0x8cd270)
    at vf_parser.c:677
#1  vf_parse_text (p_parser=0x8cd250, 
    p_chars=p_chars@entry=0x7ffd2a1e7aa0 ".\n", numchars=2) at vf_parser.c:406
#2  0x0000000000400959 in vf_read_file (pp_object=<optimized out>, 
    p_name=<optimized out>) at vf_reader.c:182
#3  0x0000000000400889 in main () at test.c:6

Hope this helps to fix this issue.

-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libvformat0 depends on:
ii  libc6              2.19-18+deb8u3
ii  multiarch-support  2.19-18+deb8u3

libvformat0 recommends no packages.

libvformat0 suggests no packages.


Tschoeeee

        Roland
test.c (attached):

#include <stdio.h>
#include <vf_iface.h>          /* libvformat public API: VF_OBJECT_T, vf_read_file() */
int main(void) {
  VF_OBJECT_T*  vfobj;         /* object tree filled in by vf_read_file() on success */
  char *filename = "dot";      /* hard-coded input file; create it with: echo "." > dot */
  if (!vf_read_file(&vfobj, filename)) {   /* this is test.c:6 in the backtraces above */
    fprintf(stderr, "Could not read VCF file %s\n", filename);
    return 1;
  }
  return 0;
}
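The behaviour the report asks for (an error return on malformed input instead of a crash), shown as an added illustration that is not libvformat's code and not part of the bug report: a standalone parser for one vCard-style `[group.]NAME[;params]:value` line. A bare "." has no ':' and no name at all, so the parser reports it as malformed before any field is read; ".:x" and "foo.:bar" fail the same way because the group or name before/after the '.' is empty. The function names (parse_prop_line, copy_span, parse_matches), the struct layout and the sample lines are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration, not libvformat's code: a minimal parser for one
 * vCard-style property line, [group.]NAME[;params]:value, that reports
 * malformed input (such as a bare ".") through its return value instead
 * of reading a name field that was never filled in. */

#define MAX_FIELD 64

struct prop_line {
    char group[MAX_FIELD];   /* "" when the line has no "group." prefix */
    char name[MAX_FIELD];
    char value[MAX_FIELD];
};

/* Copy [begin, end) into dst. Returns -1 if the span is too long, or if it
 * is empty and allow_empty is 0. */
static int copy_span(char *dst, const char *begin, const char *end, int allow_empty)
{
    size_t len = (size_t)(end - begin);
    if (len >= MAX_FIELD) return -1;
    if (len == 0 && !allow_empty) return -1;
    memcpy(dst, begin, len);
    dst[len] = '\0';
    return 0;
}

/* Returns 0 on success and -1 on malformed input; every pointer it
 * dereferences has been bounds-checked against the line first. */
int parse_prop_line(const char *line, struct prop_line *out)
{
    size_t n;
    const char *colon, *semi, *dot, *name_begin, *name_end;

    if (line == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);

    /* Drop a trailing CR/LF; a line with nothing else left is malformed. */
    n = strlen(line);
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r')) n--;
    if (n == 0) return -1;

    /* Every property needs a ':' separating name (and params) from value. */
    colon = memchr(line, ':', n);
    if (colon == NULL) return -1;

    /* The name part ends at the first ';' (start of parameters) or at ':'.
     * Only this region may carry the optional "group." prefix. */
    semi = memchr(line, ';', (size_t)(colon - line));
    name_end = semi != NULL ? semi : colon;

    /* A '.' inside the name region splits group and name; both halves must
     * be non-empty. This is the check that "." , ".:x" and "foo.:bar" fail. */
    name_begin = line;
    dot = memchr(line, '.', (size_t)(name_end - line));
    if (dot != NULL) {
        if (copy_span(out->group, line, dot, 0) < 0) return -1;
        name_begin = dot + 1;
    }
    if (copy_span(out->name, name_begin, name_end, 0) < 0) return -1;

    /* The value may legitimately be empty. */
    return copy_span(out->value, colon + 1, line + n, 1);
}

/* Helper for checks: 1 if line parses and yields exactly these fields. */
int parse_matches(const char *line, const char *group, const char *name, const char *value)
{
    struct prop_line p;
    if (parse_prop_line(line, &p) != 0) return 0;
    return strcmp(p.group, group) == 0 && strcmp(p.name, name) == 0 &&
           strcmp(p.value, value) == 0;
}

int main(void)
{
    /* Constructed inputs: the reporter's "." plus a few well-formed lines. */
    const char *samples[] = { ".\n", ".:x", "item1.EMAIL;TYPE=home:a@b\n", "FN:Roland" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct prop_line p;
        if (parse_prop_line(samples[i], &p) == 0)
            printf("ok     group=\"%s\" name=\"%s\" value=\"%s\"\n", p.group, p.name, p.value);
        else
            printf("error  malformed property line\n");
    }
    return 0;
}
```

The point of the design is that each separator is located with a length-bounded memchr over the part of the line already known to exist, and every field copy refuses an empty span where the format requires content, so the "." file from the report produces an error message rather than a SIGSEGV.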
