GreycLab / gmic

GREYC's Magic for Image Computing: A Full-Featured Open-Source Framework for Image Processing

Address Sanitizer Reporting Heap Buffer Overflow with gmd2html #56

Closed grosgood closed 2 months ago

grosgood commented 2 months ago

@dtschump overflow.zip To reproduce:

  1. Unzip overflow.zip to someplace convenient.
  2. Change directory to some place convenient/cheats
  3. ../cheats $ gmic -run 'f=affine_cheat it $f.gmd gmd2html. 2 ot. $f.html' See Gory Details below.

Environment

Build (in gmic/src): $ make -j debug
CImg: 2f627c85fa20 Fri Jun 14 17:36:40 2024 +0200
gmic: 68dd0725eee6 Sat Jun 15 12:37:38 2024 +0200
$ uname -a
Linux bertha 6.6.30-gentoo-bertha #1 SMP PREEMPT_DYNAMIC Sun May 26 08:04:58 EDT 2024 x86_64 AMD Ryzen 9 7950X3D 16-Core Processor AuthenticAMD GNU/Linux

Gory Details

Archive:  overflow.zip
   creating: cheats/
  inflating: cheats/affine_cheat.gmd  
   creating: cheats/images/
  inflating: cheats/images/mapscale.jpg  
  inflating: cheats/images/identity.jpg  
  inflating: cheats/images/affrotexam.svg  
  inflating: cheats/images/orient_arrow_2.svg  
  inflating: cheats/images/maprot.jpg  
  inflating: cheats/images/circpipeline.jpg  
  inflating: cheats/images/orient_arrow_3.svg  
  inflating: cheats/images/affmatrix.svg  
  inflating: cheats/images/orient_arrow_0.svg  
  inflating: cheats/images/affinespin.jpg  
  inflating: cheats/images/box_rot.gif  
  inflating: cheats/images/box_trans.gif  
  inflating: cheats/images/box_scale.gif  
  inflating: cheats/images/maptrans.jpg  
  inflating: cheats/images/mapshear.jpg  
  inflating: cheats/images/orient_arrow_1.svg  
  inflating: cheats/images/box_shr.gif  
   creating: cheats/img/
  inflating: cheats/img/images_affinespin_jpg_r2dx_400_5_n_0_255.png  
gosgood@bertha /dev/shm/cheats $ gmic -run 'f=affine_cheat it $f.gmd gmd2html. 2 ot. $f.html'
[gmic]./ Start G'MIC interpreter (v.3.4.0).
[gmic]./run/__run/ Set local variable 'f=affine_cheat'.
[gmic]./run/__run/ Input text-data file 'affine_cheat.gmd'.
=================================================================
==11232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00047f308 at pc 0x55e695577465 bp 0x7fffbccdf9b0 sp 0x7fffbccdf9a0
READ of size 8 at 0x61e00047f308 thread T0
    #0 0x55e695577464 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_set(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:28111
    #1 0x55e69578d1dd in void gmic_library::gmic_image<float>::_cimg_math_parser::operator()<double>(double, double, double, double, double*) /home/gosgood/git_repositories/gmic/src/CImg.h:23658
    #2 0x55e6955c6ce0 in void gmic_library::gmic_image<float>::_eval<double>(gmic_library::gmic_image<double>&, gmic_library::gmic_image<float>*, char const*, double, double, double, double, gmic_library::gmic_list<float>*) const /home/gosgood/git_repositories/gmic/src/CImg.h:31095
    #3 0x55e695408e79 in void gmic_library::gmic_image<float>::eval<double>(gmic_library::gmic_image<double>&, char const*, double, double, double, double, gmic_library::gmic_list<float>*) /home/gosgood/git_repositories/gmic/src/CImg.h:31072
    #4 0x55e69526a2e2 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:7049
    #5 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #6 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #7 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #8 0x55e695a9a7b6 in double gmic::mp_run<float>(char*, bool, void*, float const&) /home/gosgood/git_repositories/gmic/src/gmic.cpp:2323
    #9 0x55e69576fc18 in double gmic_mp_run<float>(char*, bool, void*, float const&) /home/gosgood/git_repositories/gmic/src/gmic.h:560
    #10 0x55e695576d67 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_run(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:28016
    #11 0x55e695527d1d in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25951
    #12 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #13 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #14 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #15 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #16 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #17 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #18 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #19 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #20 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #21 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #22 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #23 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #24 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #25 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #26 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #27 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #28 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #29 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #30 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #31 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #32 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #33 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #34 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #35 0x55e69523a4b9 in gmic_library::gmic_image<float>::_cimg_math_parser::operator()(double, double, double, double) /home/gosgood/git_repositories/gmic/src/CImg.h:23646
    #36 0x55e6955ae406 in gmic_library::gmic_image<float>::_fill(char const*, bool, unsigned int, gmic_library::gmic_list<float>*, char const*, gmic_library::gmic_image<float> const*, gmic_library::gmic_image<double>*) /home/gosgood/git_repositories/gmic/src/CImg.h:33823
    #37 0x55e695409715 in gmic_library::gmic_image<float>::gmic_eval(char const*, gmic_library::gmic_list<float>&) /home/gosgood/git_repositories/gmic/src/gmic.cpp:1664
    #38 0x55e69526a7e6 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:7061
    #39 0x55e695273c69 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:7514
    #40 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #41 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #42 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #43 0x55e695231ff8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:4935
    #44 0x55e695216f98 in gmic& gmic::run<float>(char const*, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&) /home/gosgood/git_repositories/gmic/src/gmic.cpp:4909
    #45 0x55e6950dd86e in main /home/gosgood/git_repositories/gmic/src/gmic_cli.cpp:237
    #46 0x7ff4dd044f09  (/lib64/libc.so.6+0x25f09)
    #47 0x7ff4dd044fc4 in __libc_start_main (/lib64/libc.so.6+0x25fc4)
    #48 0x55e6950db460 in _start (/home/gosgood/.local/bin/gmic+0x48460)

0x61e00047f308 is located 0 bytes after 2696-byte region [0x61e00047e880,0x61e00047f308)
allocated by thread T0 here:
    #0 0x7ff4de4e0238 in operator new[](unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0xe0238)
    #1 0x55e69516b7de in gmic_library::gmic_image<double>::assign(unsigned int, unsigned int, unsigned int, unsigned int) /home/gosgood/git_repositories/gmic/src/CImg.h:12657
    #2 0x55e695518125 in gmic_library::gmic_image<double>::assign(unsigned int, unsigned int, unsigned int, unsigned int, double const&) /home/gosgood/git_repositories/gmic/src/CImg.h:12677
    #3 0x55e695592597 in gmic_library::gmic_image<double>::get_resize(int, int, int, int, int, unsigned int, float, float, float, float) const /home/gosgood/git_repositories/gmic/src/CImg.h:36537
    #4 0x55e6953cd535 in gmic_library::gmic_image<double>::resize(int, int, int, int, int, unsigned int, float, float, float, float) /home/gosgood/git_repositories/gmic/src/CImg.h:36507
    #5 0x55e6952390f1 in gmic_library::gmic_image<float>::_cimg_math_parser::_cimg_math_parser(char const*, char const*, gmic_library::gmic_image<float> const&, gmic_library::gmic_image<float>*, gmic_library::gmic_list<float>*, bool) /home/gosgood/git_repositories/gmic/src/CImg.h:17127
    #6 0x55e6955c6b85 in void gmic_library::gmic_image<float>::_eval<double>(gmic_library::gmic_image<double>&, gmic_library::gmic_image<float>*, char const*, double, double, double, double, gmic_library::gmic_list<float>*) const /home/gosgood/git_repositories/gmic/src/CImg.h:31090
    #7 0x55e695408e79 in void gmic_library::gmic_image<float>::eval<double>(gmic_library::gmic_image<double>&, char const*, double, double, double, double, gmic_library::gmic_list<float>*) /home/gosgood/git_repositories/gmic/src/CImg.h:31072
    #8 0x55e69526a2e2 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:7049
    #9 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #10 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #11 0x55e6952f24e8 in gmic& gmic::_run<float>(gmic_library::gmic_list<char> const&, unsigned int&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, gmic_library::gmic_list<float>&, gmic_library::gmic_list<char>&, unsigned int const*, bool*, char const*, gmic_library::gmic_image<unsigned int> const*, bool) /home/gosgood/git_repositories/gmic/src/gmic.cpp:13432
    #12 0x55e695a9a7b6 in double gmic::mp_run<float>(char*, bool, void*, float const&) /home/gosgood/git_repositories/gmic/src/gmic.cpp:2323
    #13 0x55e69576fc18 in double gmic_mp_run<float>(char*, bool, void*, float const&) /home/gosgood/git_repositories/gmic/src/gmic.h:560
    #14 0x55e695576d67 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_run(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:28016
    #15 0x55e695527d1d in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25951
    #16 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #17 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #18 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #19 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #20 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #21 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #22 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #23 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #24 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #25 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #26 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #27 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #28 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956
    #29 0x55e695527f20 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_if(gmic_library::gmic_image<float>::_cimg_math_parser&) /home/gosgood/git_repositories/gmic/src/CImg.h:25956

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/gosgood/git_repositories/gmic/src/CImg.h:28111 in gmic_library::gmic_image<float>::_cimg_math_parser::mp_set(gmic_library::gmic_image<float>::_cimg_math_parser&)
Shadow bytes around the buggy address:
  0x61e00047f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61e00047f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61e00047f180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61e00047f200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x61e00047f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x61e00047f300: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61e00047f380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61e00047f400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x61e00047f480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61e00047f500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x61e00047f580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11232==ABORTING
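
As an added triage helper (not part of this issue or of the G'MIC/CImg code), the script below parses the three decisive lines of the AddressSanitizer report above and expresses the faulting address in units of the 8-byte doubles the region holds. The 2696-byte region is 337 doubles and the READ of size 8 lands at index 337, i.e. exactly one element past the end, which is the same one-off picture the "63 works, 64 crashes" reduction below gives.

```python
import re

# Constructed sample input: the three key lines copied verbatim from the
# ASan report quoted in this issue. Nothing else from the report is needed.
ASAN_REPORT = """\
==11232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00047f308 at pc 0x55e695577465 bp 0x7fffbccdf9b0 sp 0x7fffbccdf9a0
READ of size 8 at 0x61e00047f308 thread T0
0x61e00047f308 is located 0 bytes after 2696-byte region [0x61e00047e880,0x61e00047f308)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"is located (\d+) bytes (after|before|inside(?: of)?) (\d+)-byte region "
    r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)", re.M)


def triage(report, elem_size=8):
    """Describe where a heap-buffer-overflow access sits relative to the
    heap region ASan names, in bytes and in elements of elem_size
    (8 = sizeof(double), the element type of the math parser's memory)."""
    acc = ACCESS_RE.search(report)
    reg = REGION_RE.search(report)
    if not acc or not reg:
        raise ValueError("no parsable heap-buffer-overflow access/region lines")
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    offset, where = int(reg.group(1)), reg.group(2)
    region_size = int(reg.group(3))
    start, end = int(reg.group(4), 16), int(reg.group(5), 16)

    # Cross-check the report against itself: the bracketed bounds must agree
    # with the stated size, and the address with the stated distance.
    if end - start != region_size:
        raise ValueError("region bounds disagree with region size")
    if where == "after" and addr != end + offset:
        raise ValueError("address disagrees with 'bytes after' distance")
    if where == "before" and addr != start - offset:
        raise ValueError("address disagrees with 'bytes before' distance")

    region_elems = region_size // elem_size
    # Index the access would have if the region were an array of elem_size
    # items; index == region_elems is the classic one-past-the-end access.
    index = (addr - start) // elem_size
    return {
        "access": kind,
        "access_size": size,
        "region_bytes": region_size,
        "region_elems": region_elems,
        "index": index,
        "past_end_elems": (index - region_elems + 1) if addr >= end else 0,
        "off_by_one": addr == end and size == elem_size,
    }


if __name__ == "__main__":
    for k, v in triage(ASAN_REPORT).items():
        print(f"{k:>15}: {v}")
```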

dtschump commented 2 months ago

Thanks. I've been able to reproduce the bug. Investigating....

dtschump commented 2 months ago

Crash case reduced to:

bug :
  str={`vector64(_'A')`}  # Work with 63 instead of 64
  eval "set('out','"$str"')"

grosgood commented 2 months ago

Confirm reduced test case crashes here as well.

dtschump commented 2 months ago

Should be fixed with : https://github.com/GreycLab/CImg/commit/c8ccfce81df14969d5f29349022c677e47165e89 and https://github.com/GreycLab/gmic/commit/e27fbba81d21599df4cb7e0513d8c5837fe953c0

grosgood commented 2 months ago

OK: Looks good...
CImg: 07edcbac6656 Sat Jun 15 17:49:16 2024 +0200
gmic: e27fbba81d21 Sat Jun 15 17:46:33 2024 +0200
debug build of gmic, as before.

$ cat ralloc.gmic
ralloc : -skip ${1=1024},${2=1},${3=2048}
  tc,min,max=${1-3}
  -repeat $tc
     sz:=v($min,$max,1,1)
     str={`vector$sz(_'A')`}  # Try lots of allocations
     -eval "set('out','"$str"')"
     -echo $sz" worked..."
  -done
$ gmic -m ralloc.gmic ralloc 2048,1,2048
[gmic]./ Start G'MIC interpreter (v.3.4.0).
[gmic]./ Import commands from file 'ralloc.gmic', with debug info (1 new, total: 4788).
949 worked...
451 worked...
1212 worked...
… (2,041 times)
71 worked...
411 worked...
347 worked...
130 worked...
[gmic]./ End G'MIC interpreter.
$ cd cheats
$ gmic -run 'f=affine_cheat it $f.gmd gmd2html. 2 ot $f.html'
[gmic]./ Start G'MIC interpreter (v.3.4.0).
[gmic]./run/__run/ Set local variable 'f=affine_cheat'.
[gmic]./run/__run/ Input text-data file 'affine_cheat.gmd'.
[gmic]./run/__run/ Output image [0] as text-data file 'affine_cheat.html'.
[gmic]./ End G'MIC interpreter.
$
Think you can put paid to this.