FLIF-hub / FLIF

Free Lossless Image Format

ERROR - segmentation fault - malloc_consolidate #502

Open EnchantedJohn opened 6 years ago

EnchantedJohn commented 6 years ago

I found the second error. Server: Ubuntu 14.04.5 LTS, using AFL fuzzing. The error is the following.

```
(gdb) run -e crashes/id\:000120\,sig\:11\,src\:000411\,op\:havoc\,rep\:2 test8.flif
Starting program: /home/lx/5_7/flif/flif/src/flif -e crashes/id\:000120\,sig\:11\,src\:000411\,op\:havoc\,rep\:2 test8.flif
Warning: expected ".png", ".pnm" or ".pam" file name extension for input file, trying anyway...

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=av@entry=0x7ffff7683760 ) at malloc.c:4151
4151	malloc.c: No such file or directory.
```

EnchantedJohn commented 6 years ago

```
(gdb) x/i $pc
=> 0x7ffff733f7d9 <malloc_consolidate+281>:	mov    0x8(%rbx),%rax
(gdb) i r
rax            0xd06090	13656208
rbx            0x400000003	17179869187
rcx            0xd06380	13656960
rdx            0x61	97
rsi            0xc198	49560
rdi            0x7ffff7683760	140737344190304
rbp            0xd06250	0xd06250
rsp            0x7fffffffd8b0	0x7fffffffd8b0
r8             0x3	3
r9             0x7ffff76837b8	140737344190392
r10            0x7ffff7683770	140737344190320
r11            0x246	582
r12            0x60	96
r13            0x30	48
r14            0x400000003	17179869187
r15            0x7ffff7683760	140737344190304
rip            0x7ffff733f7d9	0x7ffff733f7d9 <malloc_consolidate+281>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
```

EnchantedJohn commented 6 years ago

```
(gdb) bt
#0  malloc_consolidate (av=av@entry=0x7ffff7683760 ) at malloc.c:4151
#1  0x00007ffff73418b8 in _int_malloc (av=0x7ffff7683760 , bytes=49560) at malloc.c:3425
#2  0x00007ffff7343ae0 in __GI___libc_malloc (bytes=49560) at malloc.c:2893
#3  0x00007ffff790b928 in operator new(unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00000000006086d8 in allocate (this=0x7fffffffdb20, __n=3) at /usr/include/c++/4.9/ext/new_allocator.h:104
#5  allocate (a=..., n=3) at /usr/include/c++/4.9/bits/alloc_traits.h:488
#6  _M_allocate (this=0x7fffffffdb20, __n=3) at /usr/include/c++/4.9/bits/stl_vector.h:170
#7  _M_allocate_and_copy<PropertySymbolCoder<SimpleBitChance, RacDummy, 10>*> (this=0x7fffffffdb20, last=0x0, first=0x0, __n=3) at /usr/include/c++/4.9/bits/stl_vector.h:1224
#8  std::vector<PropertySymbolCoder<SimpleBitChance, RacDummy, 10>, std::allocator<PropertySymbolCoder<SimpleBitChance, RacDummy, 10> > >::reserve (this=this@entry=0x7fffffffdb20, __n=3)
    at /usr/include/c++/4.9/bits/vector.tcc:75
#9  0x000000000063def7 in flif_encode_scanlines_pass<FileIO, RacDummy, PropertySymbolCoder<SimpleBitChance, RacDummy, 10> > (io=..., rac=..., images=std::vector of length 1, capacity 1 = {...},
    ranges=ranges@entry=0xd06380, forest=std::vector of length 3, capacity 3 = {...}, repeats=repeats@entry=2, options=...) at flif-enc.cpp:105
#10 0x00000000006587bd in flif_encode_main<10, FileIO> (rac=..., io=..., images=std::vector of length 1, capacity 1 = {...}, ranges=ranges@entry=0xd06380, options=...) at flif-enc.cpp:717
#11 0x0000000000675e38 in flif_encode (io=..., images=std::vector of length 1, capacity 1 = {...}, transDesc=std::vector of length 6, capacity 8 = {...}, options=...) at flif-enc.cpp:1039
#12 0x000000000045ea4d in encode_flif (argc=, argv=0x7fffffffe320, images=std::vector of length 1, capacity 1 = {...}, options=...) at flif.cpp:344
#13 0x0000000000407c03 in main (argc=, argv=0x7fffffffe318) at flif.cpp:763
```

EnchantedJohn commented 6 years ago

```
(gdb) x/8i $pc
=> 0x7ffff733f7d9 <malloc_consolidate+281>:	mov    0x8(%rbx),%rax
   0x7ffff733f7dd <malloc_consolidate+285>:	mov    0x10(%rbx),%r14
   0x7ffff733f7e1 <malloc_consolidate+289>:	mov    %rax,%r12
   0x7ffff733f7e4 <malloc_consolidate+292>:	and    $0xfffffffffffffffa,%r12
   0x7ffff733f7e8 <malloc_consolidate+296>:	lea    (%rbx,%r12,1),%rbp
   0x7ffff733f7ec <malloc_consolidate+300>:	mov    0x8(%rbp),%r13
   0x7ffff733f7f0 <malloc_consolidate+304>:	and    $0xfffffffffffffff8,%r13
   0x7ffff733f7f4 <malloc_consolidate+308>:	test   $0x1,%al
```

EnchantedJohn commented 6 years ago

ASAN analysis report:

```
==30260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ede4 at pc 0x5c36e2 bp 0x7ffdce44a690 sp 0x7ffdce44a688
WRITE of size 4 at 0x60300000ede4 thread T0
    #0 0x5c36e1 in TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&) transform/palette_C.hpp:130
    #1 0x72e7d8 in bool flif_encode<FileIO>(FileIO&, std::vector<Image, std::allocator<Image> >&, std::vector<std::string, std::allocator<std::string> > const&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif-enc.cpp:914
    #2 0x4acaf5 in encode_flif(int, char**, std::vector<Image, std::allocator<Image> >&, flif_options&) /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:344
    #3 0x408c14 in main /home/lx/5_7/ASAN/FLIF-master/src/flif.cpp:763
    #4 0x7f4f02baff44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x49f14f (/home/lx/5_7/ASAN/FLIF-master/src/flif+0x49f14f)

0x60300000ede4 is located 0 bytes to the right of 20-byte region [0x60300000edd0,0x60300000ede4)
allocated by thread T0 here:
    #0 0x7f4f036fc15f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5515f)
    #1 0x5a4677 in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:488
    #2 0x5a4677 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
    #3 0x5a4677 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/4.9/bits/vector.tcc:557
    #4 0x5a4677 in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:676

SUMMARY: AddressSanitizer: heap-buffer-overflow transform/palette_C.hpp:130 TransformPaletteC::process(ColorRanges const*, std::vector<Image, std::allocator > const&)
Shadow bytes around the buggy address:
  0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa 00 00[04]fa fa fa
  0x0c067fff9dc0: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c067fff9dd0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff9de0: 00 07 fa fa fd fd fd fd fa fa 00 00 00 06 fa fa
  0x0c067fff9df0: 00 00 00 00 fa fa 00 00 00 07 fa fa 00 00 00 06
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==30260==ABORTING
```