In the function void CU::ReadTopLevelDIE (src/dwarf/debug_info.cc), the variable abbrev can be nullptr, but the subsequent use of this variable (die_reader.ReadAttributes(..., abbrev, ...)) performs no null check, which causes the program to crash:
// Excerpt from the reporter (elided with "..."), not the full function body.
// Reads the top-level DIE of this compilation unit: fetches the abbreviation
// via ReadCode() and then decodes the DIE's attributes with it.
void CU::ReadTopLevelDIE(InfoReader& reader) {
DIEReader die_reader = GetDIEReader();
// ReadCode() may return nullptr (the report's trigger is fuzzed/malformed input);
// a nullptr result must be handled before it is used below.
const auto* abbrev = die_reader.ReadCode(*this); /* This can be NULL */
absl::optional<uint64_t> stmt_list;
unit_name_.clear();
// Missing guard: abbrev is passed straight to ReadAttributes with no nullptr
// check, and the ASan trace (frame #0 in ReadAttributes, read of address 0x8,
// i.e. the zero page) shows the null pointer being dereferenced there.
// A guard rejecting this CU when abbrev == nullptr is needed before this call;
// the exact failure mode (reject the CU vs. abort parsing) is not shown here.
die_reader.ReadAttributes(..., abbrev, ...); /* Doesn't have any check */
/*...*/
}
=================================================================
==27479==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000611e97 bp 0x7f52888fd770 sp 0x7f52888fd480 T4)
==27479==The signal is caused by a READ memory access.
==27479==Hint: address points to the zero page.
#0 0x611e97 in ReadAttributes<(lambda at /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf/debug_info.cc:193:22)> /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf/debug_info.h
#1 0x611e97 in bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&) /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf/debug_info.cc:192:14
#2 0x6119c1 in bloaty::dwarf::CU::ReadHeader(std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >, bloaty::dwarf::InfoReader::Section, bloaty::dwarf::InfoReader&) /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf/debug_info.cc:181:3
#3 0x610f27 in bloaty::dwarf::CUIter::NextCU(bloaty::dwarf::InfoReader&, bloaty::dwarf::CU*) /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf/debug_info.cc:118:7
#4 0x5ecf07 in ReadName /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf.cc:259:17
#5 0x5ecf07 in LookupFilename /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf.cc:268:11
#6 0x5ecf07 in GetFilename /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf.cc:249:16
#7 0x5ecf07 in bloaty::ReadDWARFAddressRanges(bloaty::dwarf::File const&, bloaty::RangeSink*) /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf.cc:283:32
#8 0x5ec6f2 in bloaty::ReadDWARFCompileUnits(bloaty::dwarf::File const&, bloaty::DualMap const&, bloaty::RangeSink*) /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/dwarf.cc:637:5
#9 0x54cd58 in bloaty::(anonymous namespace)::ElfObjectFile::ProcessFile(std::vector<bloaty::RangeSink*, std::allocator<bloaty::RangeSink*> > const&) const /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/elf.cc:1317:11
#10 0x4ef1e1 in bloaty::Bloaty::ScanAndRollupFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bloaty::Rollup*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) const /home/ubuntu/Fuzzing/Workspace/Projects/.tmp/bloaty/src/bloaty.cc:1674:9
In the function void CU::ReadTopLevelDIE (src/dwarf/debug_info.cc), the variable abbrev can be nullptr, but the subsequent use of this variable (die_reader.ReadAttributes(..., abbrev, ...)) performs no null check, which causes the program to crash.