Closed wcventure closed 5 years ago
@wcventure Thanks for reporting the bug! What tools did you use to find it?
Hi @mpreiner
I use AddressSanitizer (https://clang.llvm.org/docs/AddressSanitizer.html) to dump the backtrace. This tool is integrated in LLVM.
You can compile the program with ASAN, and then reproduce the bug with the test case I gave you.
Change the line in configure.sh:
#!/bin/sh
#--------------------------------------------------------------------------#
BUILDDIR=build
#--------------------------------------------------------------------------#
asan=yes
debug=yes
check=no
log=no
shared=no
prefix=
asan=no -> asan=yes
Yes, I know about ASAN (you can configure Boolector with ./configure.sh --asan for that). What I actually meant was: what input fuzzer/tool did you use to craft the failing inputs?
I use AFL, a well-known fuzzing tool.
Hi, there.
A heap-buffer-overflow in the parse function in btoruntrace.c. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use ./btoruntrace $POC to reproduce the bug. POC.zip
$ git log
ASAN dumps the stack trace as follows: