ArcticaProject / nx-libs

nx-libs

heap-buffer-overflow in Arc functions #998

Open uli42 opened 3 years ago

uli42 commented 3 years ago

This happened during a full xts test (see also #997). However, as this ran overnight I don't know (yet) which test led to this:

==7128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000090c80 at pc 0x556fec23ac97 bp 0x7ffc3c8fdb00 sp 0x7ffc3c8fdaf8
READ of size 4 at 0x604000090c80 thread T0
    #0 0x556fec23ac96 in miComputeArcs /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:2250
    #1 0x556fec231a15 in miPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:1204
    #2 0x556feb713385 in fbPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/fb/fbarc.c:118
    #3 0x556feb669574 in nxagentPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/hw/nxagent/GCOps.c:1398
    #4 0x556feb7b1951 in damagePolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/miext/damage/damage.c:1146
    #5 0x556feb518256 in ProcPolyArc ../../dix/dispatch.c:1891
    #6 0x556feb52b7d2 in Dispatch /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c:486
    #7 0x556feb5b2fd8 in main /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/dix/main.c:350
    #8 0x7fdae363409a in __libc_start_main ../csu/libc-start.c:308
    #9 0x556feb4b32e9 in _start (/home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/nxagent+0xd02e9)

0x604000090c80 is located 0 bytes to the right of 48-byte region [0x604000090c50,0x604000090c80)
allocated by thread T0 here:
    #0 0x7fdae503b330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x556fec23746c in miComputeArcs /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:1934
    #2 0x556fec231a15 in miPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:1204
    #3 0x556feb713385 in fbPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/fb/fbarc.c:118
    #4 0x556feb669574 in nxagentPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/hw/nxagent/GCOps.c:1398
    #5 0x556feb7b1951 in damagePolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/miext/damage/damage.c:1146
    #6 0x556feb518256 in ProcPolyArc ../../dix/dispatch.c:1891
    #7 0x556feb52b7d2 in Dispatch /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c:486
    #8 0x556feb5b2fd8 in main /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/dix/main.c:350
    #9 0x7fdae363409a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:2250 in miComputeArcs
Shadow bytes around the buggy address:
  0x0c088000a140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000a150: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c088000a160: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c088000a170: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c088000a180: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c088000a190:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000a1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000a1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000a1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000a1d0: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c088000a1e0: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
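For triage, the useful facts are all in the report above: the access kind and width, the distance of the faulting address from the end of its heap region, and the frames that did the read and the allocation. The script below is an added example (not code from nx-libs or from the reporter) that extracts those facts from an ASan report and derives the overflow geometry. The sample input is an abridged copy of the report in this issue; the "element index" it computes assumes the buffer holds elements as wide as the faulting access (4 bytes here), which is an inference from the report, not something the report states.

```python
import re
from dataclasses import dataclass

# Sample input: the ASan report from this issue, abridged to the lines the parser needs.
SAMPLE_REPORT = """\
==7128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000090c80 at pc 0x556fec23ac97 bp 0x7ffc3c8fdb00 sp 0x7ffc3c8fdaf8
READ of size 4 at 0x604000090c80 thread T0
    #0 0x556fec23ac96 in miComputeArcs /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:2250
    #1 0x556fec231a15 in miPolyArc /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:1204
    #5 0x556feb518256 in ProcPolyArc ../../dix/dispatch.c:1891

0x604000090c80 is located 0 bytes to the right of 48-byte region [0x604000090c50,0x604000090c80)
allocated by thread T0 here:
    #0 0x7fdae503b330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x556fec23746c in miComputeArcs /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:1934

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/uli/work/nx/ArcticaProject/nx-libs/pr/windowfixes/nx-X11/programs/Xserver/mi/miarc.c:2250 in miComputeArcs
"""

@dataclass
class Frame:
    index: int
    func: str
    location: str

@dataclass
class AsanFinding:
    bug: str            # e.g. "heap-buffer-overflow"
    access: str         # "READ" or "WRITE"
    size: int           # width of the faulting access in bytes
    address: int        # faulting address
    region_start: int   # [start, end) of the heap region ASan matched
    region_end: int
    access_frames: list # stack at the faulting access
    alloc_frames: list  # stack at the allocation of the region

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")

def parse_asan_report(text: str) -> AsanFinding:
    """Pull the bug type, access, region bounds and both stacks out of an ASan report."""
    bug = access = None
    size = address = region_start = region_end = None
    access_frames, alloc_frames = [], []
    current = access_frames  # frames before "allocated by" belong to the access stack
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            bug, address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            access, size = m.group(1), int(m.group(2))
            current = access_frames
            continue
        m = REGION_RE.search(line)
        if m:
            region_start, region_end = int(m.group(2), 16), int(m.group(3), 16)
            continue
        if line.startswith("allocated by"):
            current = alloc_frames
            continue
        m = FRAME_RE.match(line)
        if m:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if None in (bug, access, size, address, region_start, region_end):
        raise ValueError("incomplete ASan report")
    return AsanFinding(bug, access, size, address, region_start, region_end,
                       access_frames, alloc_frames)

def first_project_frame(frames, skip_prefixes=("__interceptor_",)):
    """Skip sanitizer interceptor frames so the allocation is attributed to project code."""
    for f in frames:
        if not f.func.startswith(skip_prefixes):
            return f
    return None

def summarize(text: str) -> dict:
    """Derive the overflow geometry; element_index assumes elements as wide as the access."""
    f = parse_asan_report(text)
    region_len = f.region_end - f.region_start
    offset = f.address - f.region_start          # distance from region start
    past_end = offset - region_len               # 0 means the first byte after the region
    site = f.access_frames[0]
    alloc = first_project_frame(f.alloc_frames)
    return {
        "bug": f.bug, "access": f.access, "size": f.size,
        "region_bytes": region_len, "offset": offset, "bytes_past_end": past_end,
        "element_index": offset // f.size, "capacity": region_len // f.size,
        # the access starts within one element of the region end: classic off-by-one
        "off_by_one": 0 <= past_end < f.size,
        "fault_site": f"{site.func} {site.location}",
        "alloc_site": f"{alloc.func} {alloc.location}" if alloc else None,
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_REPORT).items():
        print(f"{k:>14}: {v}")
```

Run on the report above, it shows a 4-byte read at offset 48 of a 48-byte region: the access lands 0 bytes past the end, so under the 4-byte-element assumption it is element 12 of a buffer with capacity 12, i.e. a one-past-the-end read, with the buffer allocated at miarc.c:1934 and read at miarc.c:2250 in the same function. That narrows the fix to the loop bound or the size computation between those two lines rather than to the callers in the X request path.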