search

apimall / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded
0 stars 1 forks source link

Linux: heap-buffer-overflow when passing command-line arguments to cef_unittests #1458

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Ubuntu 14.04.1 64-bit
CEF version 3.2171.1932

What steps will reproduce the problem?
1. Build CEF with AddressSanitizer enabled: 
http://www.chromium.org/developers/testing/addresssanitizer
2. Run unit tests with any command-line flag:

marshall@ubuntu:~/code/chromium_git/chromium/src$ ./out/Release/cef_unittests 
--gtest_filter=NoExisting 2>&1 | tools/valgrind/asan/asan_symbolize.py

What is the expected output? What do you see instead?
Program should exit cleanly. Instead, get the following crash:

==50319==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x60200000a020 at pc 0x000000aaf4e6 bp 0x7fff23f69030 sp 0x7fff23f69028
READ of size 8 at 0x60200000a020 thread T0 (cef_unittests)
    #0 0xaaf4e5 in void testing::internal::ParseGoogleTestFlagsOnlyImpl<char>(int*, char**) /home/marshall/code/chromium_git/chromium/src/out/Release/../../testing/gtest/src/gtest.cc:5207:9
    #1 0xaafa51 in ParseGoogleTestFlagsOnly /home/marshall/code/chromium_git/chromium/src/out/Release/../../testing/gtest/src/gtest.cc:5236:3
    #2 0xaafa51 in void testing::internal::InitGoogleTestImpl<char>(int*, char**) /home/marshall/code/chromium_git/chromium/src/out/Release/../../testing/gtest/src/gtest.cc:5266:0
    #3 0xa65368 in InitializeFromCommandLine /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/test/test_suite.cc:118:3
    #4 0xa65368 in base::TestSuite::TestSuite(int, char**) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/test/test_suite.cc:94:0
    #5 0x81428d in CefTestSuite::CefTestSuite(int, char**) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/unittests/test_suite.cc:27:27
    #6 0x76e274 in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/unittests/run_all_unittests.cc:140:3
    #7 0x7fd44f64eec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
    #8 0x43045f in _start ??:0:0

0x60200000a020 is located 0 bytes to the right of 16-byte region 
[0x60200000a010,0x60200000a020)
allocated by thread T0 (cef_unittests) here:
    #0 0x4b2ceb in operator new[](unsigned long) ??:0:0
    #1 0x76ea86 in CefScopedArgArray::CefScopedArgArray(int, char**) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/include/wrapper/cef_helpers.h:59:5
    #2 0x76de7b in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/unittests/run_all_unittests.cc:90:3
    #3 0x7fd44f64eec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff93b0: fa fa 00 00 fa fa 00 07 fa fa 00 03 fa fa 00 00
  0x0c047fff93c0: fa fa fd fa fa fa fd fd fa fa 00 04 fa fa 00 04
  0x0c047fff93d0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff93e0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff93f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
=>0x0c047fff9400: fa fa 00 00[fa]fa 00 fa fa fa 00 00 fa fa 00 fa
  0x0c047fff9410: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 00 fa
  0x0c047fff9420: fa fa 00 00 fa fa 00 fa fa fa fd fa fa fa fd fd
  0x0c047fff9430: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa 00 fa
  0x0c047fff9440: fa fa 00 04 fa fa 00 fa fa fa fd fa fa fa fd fd
  0x0c047fff9450: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==50319==ABORTING

Original issue reported on code.google.com by magreenb...@gmail.com on 26 Nov 2014 at 11:24

GoogleCodeExporter commented 9 years ago 
Fixed in trunk revision 2037, 2272 branch revision 2038 and 2171 branch 
revision 2039.

Original comment by magreenb...@gmail.com on 2 Mar 2015 at 5:28