URL: <http://savannah.gnu.org/bugs/?53173>
Summary: Out of bounds heap memory read in MClearArea()
Project: GNU Screen
Submitted by: None
Submitted on: Fri 16 Feb 2018 09:58:10 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: 4.6.2
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

I detected an out of bounds heap read in screen when building with address sanitizer. Happens both in 4.6.2 and current git, though the code changed a bit, so the line numbers differ. I'll attach stack traces for both.

This can be reliably reproduced for me by:

1. compile screen with -fsanitize=address in CFLAGS+LDFLAGS.
2. run screen in a terminal emulator.
3. Press ctrl-a.
4. Resize the window.

Screen will hang and the main process will have crashed with an oob read in MClearArea.

Stack trace:

==19786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000001154 at pc 0x561d8c848842 bp 0x7ffdea718400 sp 0x7ffdea7183f0
READ of size 4 at 0x615000001154 thread T0
    #0 0x561d8c848841 in MClearArea /mnt/ram/screen/src/ansi.c:2117
    #1 0x561d8c8411ab in ClearLineRegion /mnt/ram/screen/src/ansi.c:1636
    #2 0x561d8c8390a8 in DoCSI /mnt/ram/screen/src/ansi.c:887
    #3 0x561d8c834085 in WriteString /mnt/ram/screen/src/ansi.c:426
    #4 0x561d8c937335 in win_readev_fn /mnt/ram/screen/src/window.c:1443
    #5 0x561d8c90ae42 in sched /mnt/ram/screen/src/sched.c:164
    #6 0x561d8c8250f9 in main /mnt/ram/screen/src/screen.c:1075
    #7 0x7f33026c8f85 in __libc_start_main (/lib64/libc.so.6+0x20f85)
    #8 0x561d8c8204a9 in _start (/mnt/ram/screen/src/screen+0x294a9)

0x615000001154 is located 0 bytes to the right of 468-byte region [0x615000000f80,0x615000001154)
allocated by thread T0 here:
    #0 0x7f33033ff220 in realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/libasan.so.4+0xe1220)
    #1 0x561d8c90640d in xrealloc /mnt/ram/screen/src/resize.c:455
    #2 0x561d8c90503f in CheckMaxSize /mnt/ram/screen/src/resize.c:394
    #3 0x561d8c901cb1 in ChangeScreenSize /mnt/ram/screen/src/resize.c:128
    #4 0x561d8c901518 in CheckScreenSize /mnt/ram/screen/src/resize.c:100
    #5 0x561d8c9150f0 in ReceiveMsg /mnt/ram/screen/src/socket.c:813
    #6 0x561d8c828ee7 in serv_read_fn /mnt/ram/screen/src/screen.c:1627
    #7 0x561d8c90ae42 in sched /mnt/ram/screen/src/sched.c:164
    #8 0x561d8c8250f9 in main /mnt/ram/screen/src/screen.c:1075
    #9 0x7f33026c8f85 in __libc_start_main (/lib64/libc.so.6+0x20f85)

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Fri 16 Feb 2018 09:58:10 PM UTC  Name: screen-asan-oob-4.6.2.txt  Size: 3KiB  By: None
full asan errors
<http://savannah.gnu.org/bugs/download.php?file_id=43335>
-------------------------------------------------------
Date: Fri 16 Feb 2018 09:58:10 PM UTC  Name: screen-asan-oob-git.txt  Size: 3KiB  By: None
full asan errors
<http://savannah.gnu.org/bugs/download.php?file_id=43336>

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?53173>

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
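The trace above shows the classic shape of this bug class: a cell buffer is reallocated on resize (xrealloc via CheckMaxSize) and a later clear-area call reads exactly 0 bytes past its new end. The report does not establish the root cause, so the following is an added C example (not screen's code) with a hypothetical `grid` type that models that shape and shows the bounds check a clear routine needs so that a request computed from stale dimensions is rejected instead of read out of bounds.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical cell grid (not screen's data structures): a flat
 * width*height buffer that gets realloc'ed when the window resizes. */
struct grid {
    int width, height;   /* current dimensions */
    int *cells;          /* width * height cells, row-major */
};

/* Resize the grid; on shrink, the old tail of cells no longer exists,
 * which is what makes stale coordinates dangerous. */
int grid_resize(struct grid *g, int width, int height) {
    int *p = realloc(g->cells, (size_t)width * (size_t)height * sizeof *p);
    if (!p) return -1;
    g->cells = p;
    g->width = width;
    g->height = height;
    return 0;
}

/* Clear the inclusive rectangle (x1,y1)-(x2,y2). Returns the number of
 * cells cleared, or -1 if any part of the rectangle lies outside the
 * grid as it is now, so no access past the allocation can happen. */
int grid_clear_area(struct grid *g, int x1, int y1, int x2, int y2) {
    if (x1 < 0 || y1 < 0 || x2 >= g->width || y2 >= g->height
        || x1 > x2 || y1 > y2)
        return -1;
    int n = 0;
    for (int y = y1; y <= y2; y++)
        for (int x = x1; x <= x2; x++, n++)
            g->cells[y * g->width + x] = 0;
    return n;
}

/* Scenario modelled on the report: a clear request built from the old
 * dimensions arrives after the window shrank. Returns 1 if the stale
 * request is rejected and an in-range request on the new grid works. */
int stale_clear_is_rejected(void) {
    struct grid g = { 0, 0, NULL };
    if (grid_resize(&g, 80, 24) < 0) return 0;
    memset(g.cells, 1, 80 * 24 * sizeof *g.cells);
    int old_w = g.width, old_h = g.height;          /* stale copy */
    if (grid_resize(&g, 40, 12) < 0) { free(g.cells); return 0; }
    int stale = grid_clear_area(&g, 0, old_h - 1, old_w - 1, old_h - 1);
    int fresh = grid_clear_area(&g, 0, g.height - 1, g.width - 1, g.height - 1);
    free(g.cells);
    return stale == -1 && fresh == 40;
}
```

Building the real program with `-fsanitize=address` in both CFLAGS and LDFLAGS, as the reporter did, is what turns a silent read like this into the "0 bytes to the right of ... region" report shown above.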