Open Halcy0nic opened 1 year ago
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2750
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x1
RCX 0x2
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x1
RSI 0x2e2
R8 0x8dc
R9 0x0
R10 0x7ffff7ddcbf8 ◂— 0x10001200000e38
R11 0x7ffff7e63f00 (realloc) ◂— push r15
R12 0x0
R13 0x41
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x2e2
RSP 0x7fffffffdad0 ◂— 0x0
RIP 0x7ffff7e63f4d (realloc+77) ◂— mov rax, qword ptr [rbx - 8]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e63f4d <realloc+77> mov rax, qword ptr [rbx - 8]
0x7ffff7e63f51 <realloc+81> lea r13, [rbx - 0x10]
0x7ffff7e63f55 <realloc+85> xor r8d, r8d
0x7ffff7e63f58 <realloc+88> mov r15, rax
0x7ffff7e63f5b <realloc+91> and r15, 0xfffffffffffffff8
0x7ffff7e63f5f <realloc+95> test al, 2
0x7ffff7e63f61 <realloc+97> jne realloc+166 <realloc+166>
↓
0x7ffff7e63fa6 <realloc+166> mov rdx, r15
0x7ffff7e63fa9 <realloc+169> neg rdx
0x7ffff7e63fac <realloc+172> cmp rdx, r13
0x7ffff7e63faf <realloc+175> jb realloc+776 <realloc+776>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1414447==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff1 (pc 0x7f72b5c28b23 bp 0x0000000002e2 sp 0x7ffdd923d030 T0)
==1414447==The signal is caused by a READ memory access.
#0 0x7f72b5c28b23 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:46
#1 0x7f72b5c28b23 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:27
#2 0x7f72b5c28b23 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cpp:729
#3 0x7f72b5c28b23 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1009
#4 0x7f72b5caeb24 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:165
#5 0x55c6cbfdc4af in forth_run /dev/shm/libforth/libforth.c:2750
#6 0x55c6cbfd492f in eval_file /dev/shm/libforth/main.c:248
#7 0x55c6cbfd3f6e in main /dev/shm/libforth/main.c:449
#8 0x7f72b5a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f72b5a46244 in __libc_start_main_impl ../csu/libc-start.c:381
#10 0x55c6cbfd4530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang_x86.h:46 in __sanitizer::atomic_uint8_t::Type __sanitizer::atomic_load<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t const volatile*, __sanitizer::memory_order)
==1414447==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2730
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x73e
RBX 0x7ffff7dc5060 ◂— 0x0
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0x73e
R8 0x8dc
R9 0x0
R10 0x7ffff7de1c08 ◂— 0x10001a000048c5
R11 0x7ffff7f1cee0 (__memcmp_avx2_movbe) ◂— cmp rdx, 0x20
R12 0x2
R13 0x3e
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0x73e
RSP 0x7fffffffdb28 —▸ 0x55555555b14f (forth_run+1103) ◂— movsxd r12, eax
RIP 0x7ffff7f1d1d5 (__memcmp_avx2_movbe+757) ◂— vmovdqu ymm2, ymmword ptr [rsi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1d1d5 <__memcmp_avx2_movbe+757> vmovdqu ymm2, ymmword ptr [rsi]
0x7ffff7f1d1d9 <__memcmp_avx2_movbe+761> vpcmpeqb ymm2, ymm2, ymmword ptr [rdi]
0x7ffff7f1d1dd <__memcmp_avx2_movbe+765> vpmovmskb eax, ymm2
0x7ffff7f1d1e1 <__memcmp_avx2_movbe+769> inc eax
0x7ffff7f1d1e3 <__memcmp_avx2_movbe+771> bzhi edx, eax, edx
0x7ffff7f1d1e8 <__memcmp_avx2_movbe+776> jne __memcmp_avx2_movbe+208 <__memcmp_avx2_movbe+208>
↓
0x7ffff7f1cfb0 <__memcmp_avx2_movbe+208> tzcnt eax, eax
0x7ffff7f1cfb4 <__memcmp_avx2_movbe+212> movzx ecx, byte ptr [rsi + rax]
0x7ffff7f1cfb8 <__memcmp_avx2_movbe+216> movzx eax, byte ptr [rdi + rax]
0x7ffff7f1cfbc <__memcmp_avx2_movbe+220> sub eax, ecx
0x7ffff7f1cfbe <__memcmp_avx2_movbe+222> vzeroupper
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1439508==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000073e (pc 0x7f5b42f711d5 bp 0x7ffc9b2acec0 sp 0x7ffc9b2ac638 T0)
==1439508==The signal is caused by a READ memory access.
==1439508==Hint: address points to the zero page.
#0 0x7f5b42f711d5 in __memcmp_avx2_movbe ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:414
#1 0x7f5b4308f11c in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:881
#2 0x7f5b4308f9a8 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#3 0x7f5b4308f9a8 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#4 0x5571e47d4208 in forth_run /dev/shm/libforth/libforth.c:2730
#5 0x5571e47cd92f in eval_file /dev/shm/libforth/main.c:248
#6 0x5571e47ccf6e in main /dev/shm/libforth/main.c:449
#7 0x7f5b42e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7f5b42e46244 in __libc_start_main_impl ../csu/libc-start.c:381
#9 0x5571e47cd530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memcmp-avx2-movbe.S:414 in __memcmp_avx2_movbe
==1439508==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2362
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x4
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x4
RSI 0x55555555e848 ◂— 0x27732527000a2920 /* ' )\n' */
R8 0x0
R9 0x64
R10 0x7ffff7dd8fc8 ◂— 0x100022000064f9
R11 0x7ffff7e40ca0 (fflush) ◂— test rdi, rdi
R12 0x0
R13 0x36
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5060 ◂— 0x0
RSP 0x7fffffffdb00 —▸ 0x7ffff7dc5060 ◂— 0x0
RIP 0x7ffff7e40cb2 (fflush+18) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40cb2 <fflush+18> mov eax, dword ptr [rdi]
0x7ffff7e40cb4 <fflush+20> and eax, 0x8000
0x7ffff7e40cb9 <fflush+25> jne fflush+79 <fflush+79>
↓
0x7ffff7e40cef <fflush+79> mov rbp, qword ptr [rbx + 0xd8]
0x7ffff7e40cf6 <fflush+86> lea rdx, [rip + 0x158ce3] <_IO_helper_jumps>
0x7ffff7e40cfd <fflush+93> lea rax, [rip + 0x159a44]
0x7ffff7e40d04 <fflush+100> sub rax, rdx
0x7ffff7e40d07 <fflush+103> mov rcx, rbp
0x7ffff7e40d0a <fflush+106> sub rcx, rdx
0x7ffff7e40d0d <fflush+109> cmp rcx, rax
0x7ffff7e40d10 <fflush+112> jae fflush+184 <fflush+184>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1472125==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7fb746e94cb2 bp 0x000000000004 sp 0x7ffd1c82d350 T0)
==1472125==The signal is caused by a READ memory access.
==1472125==Hint: address points to the zero page.
#0 0x7fb746e94cb2 in __GI__IO_fflush libio/iofflush.c:39
#1 0x7fb74708c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6214
#2 0x7fb74708c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6211
#3 0x55e7cd00c89b in forth_run /dev/shm/libforth/libforth.c:2623
#4 0x55e7cd00592f in eval_file /dev/shm/libforth/main.c:248
#5 0x55e7cd004f6e in main /dev/shm/libforth/main.c:449
#6 0x7fb746e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7fb746e46244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x55e7cd005530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSaniti
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2665
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x55555555b800 (forth_run+2816) ◂— mov rdi, qword ptr [rbp - 8]
RBX 0x7ffff7dc5068 ◂— 0x7
RCX 0x2
RDX 0xc3
RDI 0x7ffff7d8705f ◂— 0x0
RSI 0x1
R8 0x8dc
R9 0x0
R10 0x7ffff7de3c00 ◂— 0x10002200001aa2
R11 0x7ffff7e41950 (fwrite) ◂— push r15
R12 0x2
R13 0xc3
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0xc3
RSP 0x7fffffffdae0 —▸ 0x7ffff7dc86d8 —▸ 0x7ffff7f483c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
RIP 0x7ffff7e4196e (fwrite+30) ◂— mov eax, dword ptr [rcx]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e4196e <fwrite+30> mov eax, dword ptr [rcx]
0x7ffff7e41970 <fwrite+32> mov r14, rdi
0x7ffff7e41973 <fwrite+35> mov r12, rsi
0x7ffff7e41976 <fwrite+38> mov rbp, rdx
0x7ffff7e41979 <fwrite+41> mov rbx, rcx
0x7ffff7e4197c <fwrite+44> and eax, 0x8000
0x7ffff7e41981 <fwrite+49> jne fwrite+103 <fwrite+103>
↓
0x7ffff7e419b7 <fwrite+103> mov eax, dword ptr [rbx + 0xc0]
0x7ffff7e419bd <fwrite+109> test eax, eax
0x7ffff7e419bf <fwrite+111> jne fwrite+256 <fwrite+256>
↓
0x7ffff7e41a50 <fwrite+256> cmp eax, -1
==1499801==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7f4ed049596e bp 0x7ffd396c0ed0 sp 0x7ffd396c0620 T0)
==1499801==The signal is caused by a READ memory access.
==1499801==Hint: address points to the zero page.
#0 0x7f4ed049596e in __GI__IO_fwrite libio/iofwrite.c:37
#1 0x7f4ed063efb6 in __interceptor_fwrite ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1159
#2 0x55f7d6ba0ad7 in forth_run /dev/shm/libforth/libforth.c:2665
#3 0x55f7d6b9992f in eval_file /dev/shm/libforth/main.c:248
#4 0x55f7d6b98f6e in main /dev/shm/libforth/main.c:449
#5 0x7f4ed0446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f4ed0446244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x55f7d6b99530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofwrite.c:37 in __GI__IO_fwrite
==1499801==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2716
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x6
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0x5
R8 0x8dc
R9 0x0
R10 0x7ffff7dd9298 ◂— 0x10001a00005bee
R11 0x7ffff7f1d640 (__memmove_avx_unaligned_erms) ◂— mov rax, rdi
R12 0x2
R13 0x3b
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5058 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b1bf (forth_run+1215) ◂— mov r12, qword ptr [rbp + 8]
RIP 0x7ffff7f1d684 (__memmove_avx_unaligned_erms+68) ◂— mov cl, byte ptr [rsi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1d684 <__memmove_avx_unaligned_erms+68> mov cl, byte ptr [rsi]
0x7ffff7f1d686 <__memmove_avx_unaligned_erms+70> je __memmove_avx_unaligned_erms+82 <__memmove_avx_unaligned_erms+82>
↓
0x7ffff7f1d692 <__memmove_avx_unaligned_erms+82> mov byte ptr [rdi], cl
0x7ffff7f1d694 <__memmove_avx_unaligned_erms+84> ret
0x7ffff7f1d695 <__memmove_avx_unaligned_erms+85> mov ecx, dword ptr [rsi + rdx - 4]
0x7ffff7f1d699 <__memmove_avx_unaligned_erms+89> mov esi, dword ptr [rsi]
0x7ffff7f1d69b <__memmove_avx_unaligned_erms+91> mov dword ptr [rdi + rdx - 4], ecx
0x7ffff7f1d69f <__memmove_avx_unaligned_erms+95> mov dword ptr [rdi], esi
0x7ffff7f1d6a1 <__memmove_avx_unaligned_erms+97> ret
0x7ffff7f1d6a2 <__memmove_avx_unaligned_erms+98> vmovdqu xmm0, xmmword ptr [rsi]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1517907==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000006 (pc 0x7fb22f8c5210 bp 0x7fb230211808 sp 0x7ffee9470278 T0)
==1517907==The signal is caused by a READ memory access.
==1517907==Hint: address points to the zero page.
#0 0x7fb22f8c5210 in __sanitizer::internal_memmove(void*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:68
#1 0x55c9e6ba1350 in forth_run /dev/shm/libforth/libforth.c:2716
#2 0x55c9e6b9a92f in eval_file /dev/shm/libforth/main.c:248
#3 0x55c9e6b99f6e in main /dev/shm/libforth/main.c:449
#4 0x7fb22f646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7fb22f646244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x55c9e6b9a530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:68 in __sanitizer::internal_memmove(void*, void const*, unsigned long)
==1517907==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2721
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x6
RBX 0x7ffff7dc5060 ◂— 0x0
RCX 0x3
RDX 0x2
RDI 0x6
RSI 0xba
R8 0x8dc
R9 0x0
R10 0x7ffff7ddef08 ◂— 0x10001a000062b8
R11 0x7ffff7f1cc40 (__memchr_avx2) ◂— test rdx, rdx
R12 0x2
R13 0x3c
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5070 ◂— 0xba
RSP 0x7fffffffdb28 —▸ 0x55555555b196 (forth_run+1174) ◂— mov rbp, rbx
RIP 0x7ffff7f1cc60 (__memchr_avx2+32) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1cc60 <__memchr_avx2+32> vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
0x7ffff7f1cc64 <__memchr_avx2+36> vpmovmskb eax, ymm1
0x7ffff7f1cc68 <__memchr_avx2+40> cmp rdx, 0x20
0x7ffff7f1cc6c <__memchr_avx2+44> jbe __memchr_avx2+64 <__memchr_avx2+64>
↓
0x7ffff7f1cc80 <__memchr_avx2+64> tzcnt eax, eax
0x7ffff7f1cc84 <__memchr_avx2+68> vzeroupper
0x7ffff7f1cc87 <__memchr_avx2+71> cmp edx, eax
0x7ffff7f1cc89 <__memchr_avx2+73> jle __memchr_avx2+93 <__memchr_avx2+93>
↓
0x7ffff7f1cc9d <__memchr_avx2+93> xor eax, eax
0x7ffff7f1cc9f <__memchr_avx2+95> ret
0x7ffff7f1cca0 <__memchr_avx2+96> tzcnt eax, eax
==1540863==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000006 (pc 0x7f1e49338c60 bp 0x7ffd56cd19f0 sp 0x7ffd56cd1198 T0)
==1540863==The signal is caused by a READ memory access.
==1540863==Hint: address points to the zero page.
#0 0x7f1e49338c60 in __memchr_avx2 ../sysdeps/x86_64/multiarch/memchr-avx2.S:82
#1 0x7f1e4883e1c1 in __interceptor_memchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:928
#2 0x5574bf6032e8 in forth_run /dev/shm/libforth/libforth.c:2721
#3 0x5574bf5fc92f in eval_file /dev/shm/libforth/main.c:248
#4 0x5574bf5fbf6e in main /dev/shm/libforth/main.c:449
#5 0x7f1e4920e189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f1e4920e244 in __libc_start_main_impl ../csu/libc-start.c:381
#7 0x5574bf5fc530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memchr-avx2.S:82 in __memchr_avx2
==1540863==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2725
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x4
RBX 0x7ffff7d87010 ◂— 0xf010408485434ff
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x2
RDI 0x4
RSI 0x91
R8 0x0
R9 0x64
R10 0x7ffff7de1fe0 ◂— 0x10001a00007ccc
R11 0x7ffff7f1e040 (__memset_avx2_unaligned_erms) ◂— vmovd xmm0, esi
R12 0x2
R13 0x3d
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5058 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b176 (forth_run+1142) ◂— mov r12, qword ptr [rbp + 8]
RIP 0x7ffff7f1e170 (__memset_avx2_unaligned_erms+304) ◂— mov byte ptr [rdi], sil
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7f1e170 <__memset_avx2_unaligned_erms+304> mov byte ptr [rdi], sil
0x7ffff7f1e173 <__memset_avx2_unaligned_erms+307> mov byte ptr [rdi + 1], sil
0x7ffff7f1e177 <__memset_avx2_unaligned_erms+311> mov byte ptr [rdi + rdx - 1], sil
0x7ffff7f1e17c <__memset_avx2_unaligned_erms+316> ret
0x7ffff7f1e17d nop dword ptr [rax]
0x7ffff7f1e180 <__rawmemchr_avx2> vmovd xmm0, esi
0x7ffff7f1e184 <__rawmemchr_avx2+4> vpbroadcastb ymm0, xmm0
0x7ffff7f1e189 <__rawmemchr_avx2+9> mov eax, edi
0x7ffff7f1e18b <__rawmemchr_avx2+11> and eax, 0xfff
0x7ffff7f1e190 <__rawmemchr_avx2+16> cmp eax, 0xfe0
0x7ffff7f1e195 <__rawmemchr_avx2+21> ja __rawmemchr_avx2+304 <__rawmemchr_avx2+304>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1584856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f9963572170 bp 0x7f996079c808 sp 0x7ffddf79bde8 T0)
==1584856==The signal is caused by a WRITE memory access.
==1584856==Hint: address points to the zero page.
#0 0x7f9963572170 in __memset_avx2_unaligned_erms ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:424
#1 0x5643d0cb5270 in forth_run /dev/shm/libforth/libforth.c:2725
#2 0x5643d0cae92f in eval_file /dev/shm/libforth/main.c:248
#3 0x5643d0cadf6e in main /dev/shm/libforth/main.c:449
#4 0x7f9963446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f9963446244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x5643d0cae530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:424 in __memset_avx2_unaligned_erms
==1584856==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2623
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x2e1
RCX 0x1
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x2e1
RSI 0x7fffffffdbc0 —▸ 0x7fffffffde88 ◂— 0x0
R8 0x8dc
R9 0x5555555632a0 ◂— 0xfbad2488
R10 0x7ffff7dd8fc8 ◂— 0x100022000064f9
R11 0x7ffff7e40ca0 (fflush) ◂— test rdi, rdi
R12 0x0
R13 0x36
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5088 ◂— 0x0
RSP 0x7fffffffdb00 —▸ 0x7ffff7d87010 ◂— 0xf010408485434ff
RIP 0x7ffff7e40cb2 (fflush+18) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40cb2 <fflush+18> mov eax, dword ptr [rdi]
0x7ffff7e40cb4 <fflush+20> and eax, 0x8000
0x7ffff7e40cb9 <fflush+25> jne fflush+79 <fflush+79>
↓
0x7ffff7e40cef <fflush+79> mov rbp, qword ptr [rbx + 0xd8]
0x7ffff7e40cf6 <fflush+86> lea rdx, [rip + 0x158ce3] <_IO_helper_jumps>
0x7ffff7e40cfd <fflush+93> lea rax, [rip + 0x159a44]
0x7ffff7e40d04 <fflush+100> sub rax, rdx
0x7ffff7e40d07 <fflush+103> mov rcx, rbp
0x7ffff7e40d0a <fflush+106> sub rcx, rdx
0x7ffff7e40d0d <fflush+109> cmp rcx, rax
0x7ffff7e40d10 <fflush+112> jae fflush+184 <fflush+184>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1621354==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002e1 (pc 0x7f9141894cb2 bp 0x0000000002e1 sp 0x7ffd15be62f0 T0)
==1621354==The signal is caused by a READ memory access.
==1621354==Hint: address points to the zero page.
#0 0x7f9141894cb2 in __GI__IO_fflush libio/iofflush.c:39
#1 0x7f9141a8c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6214
#2 0x7f9141a8c025 in __interceptor_fflush ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6211
#3 0x560fbfcaf89b in forth_run /dev/shm/libforth/libforth.c:2623
#4 0x560fbfca892f in eval_file /dev/shm/libforth/main.c:248
#5 0x560fbfca7f6e in main /dev/shm/libforth/main.c:449
#6 0x7f9141846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f9141846244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x560fbfca8530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofflush.c:39 in __GI__IO_fflush
==1621354==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2666
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff7dc5068 ◂— 0x0
RCX 0x2
RDX 0x0
RDI 0x2
RSI 0x1
R8 0x8dc
R9 0x0
R10 0x7ffff7dd8f20 ◂— 0x10002200006683
R11 0x7ffff7e48630 (ferror) ◂— mov edx, dword ptr [rdi]
R12 0x2
R13 0x2
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5068 ◂— 0x0
RSP 0x7fffffffdb28 —▸ 0x55555555b831 (forth_run+2865) ◂— mov rdi, r13
RIP 0x7ffff7e48630 (ferror) ◂— mov edx, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e48630 <ferror> mov edx, dword ptr [rdi]
0x7ffff7e48632 <ferror+2> test byte ptr [rdi + 0x74], 0x80
0x7ffff7e48636 <ferror+6> je ferror+120 <ferror+120>
↓
0x7ffff7e486a8 <ferror+120> shr edx, 5
0x7ffff7e486ab <ferror+123> mov eax, edx
0x7ffff7e486ad <ferror+125> and eax, 1
0x7ffff7e486b0 <ferror+128> ret
0x7ffff7e486b1 <ferror+129> nop dword ptr [rax]
0x7ffff7e486b8 <ferror+136> shr edx, 5
0x7ffff7e486bb <ferror+139> mov ecx, dword ptr [rdi + 4]
0x7ffff7e486be <ferror+142> mov eax, edx
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1652582==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7f97bf69c630 bp 0x000000000002 sp 0x7fff54242db8 T0)
==1652582==The signal is caused by a READ memory access.
==1652582==Hint: address points to the zero page.
#0 0x7f97bf69c630 in _IO_ferror libio/ferror.c:36
#1 0x561de1a17af3 in forth_run /dev/shm/libforth/libforth.c:2666
#2 0x561de1a1092f in eval_file /dev/shm/libforth/main.c:248
#3 0x561de1a0ff6e in main /dev/shm/libforth/main.c:449
#4 0x7f97bf646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f97bf646244 in __libc_start_main_impl ../csu/libc-start.c:381
#6 0x561de1a10530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/ferror.c:36 in _IO_ferror
==1652582==ABORTING
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2615
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x7ffff7dc86c0 ◂— 0x0
RBX 0x7ffff7dc86c0 ◂— 0x0
RCX 0x7ffff7ec3190 (write+16) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x55555555f0c0 ◂— 0xffffbf20ffffcc48
RDI 0x0
RSI 0x55555555e848 ◂— 0x27732527000a2920 /* ' )\n' */
R8 0x0
R9 0x64
R10 0x7ffff7de1c38 ◂— 0x100012000020a3
R11 0x7ffff7e40840 (fclose) ◂— push r12
R12 0x0
R13 0x2f
R14 0x7ffff7d87058 ◂— 0x0
R15 0x7ffff7d87010 ◂— 0xf010408485434ff
RBP 0x7ffff7dc5160 ◂— 0x1d
RSP 0x7fffffffdb10 —▸ 0x7ffff7dc86c0 ◂— 0x0
RIP 0x7ffff7e40844 (fclose+4) ◂— mov eax, dword ptr [rdi]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff7e40844 <fclose+4> mov eax, dword ptr [rdi]
0x7ffff7e40846 <fclose+6> mov rbx, rdi
0x7ffff7e40849 <fclose+9> test ah, 0x20
0x7ffff7e4084c <fclose+12> jne fclose+400 <fclose+400>
↓
0x7ffff7e409d0 <fclose+400> call _IO_un_link <_IO_un_link>
0x7ffff7e409d5 <fclose+405> mov eax, dword ptr [rbx]
0x7ffff7e409d7 <fclose+407> test ah, 0x80
0x7ffff7e409da <fclose+410> jne fclose+83 <fclose+83>
0x7ffff7e409e0 <fclose+416> jmp fclose+27 <fclose+27>
0x7ffff7e409e5 <fclose+421> nop dword ptr [rax]
0x7ffff7e409e8 <fclose+424> call _IO_vtable_check <_IO_vtable_check>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1671224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0e28494844 bp 0x000000000000 sp 0x7ffcf466c1f0 T0)
==1671224==The signal is caused by a READ memory access.
==1671224==Hint: address points to the zero page.
#0 0x7f0e28494844 in _IO_new_fclose libio/iofclose.c:48
#1 0x7f0e2868c098 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6233
#2 0x7f0e2868c098 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6228
#3 0x557558c8ee23 in forth_run /dev/shm/libforth/libforth.c:2615
#4 0x557558c8792f in eval_file /dev/shm/libforth/main.c:248
#5 0x557558c86f6e in main /dev/shm/libforth/main.c:449
#6 0x7f0e28446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7f0e28446244 in __libc_start_main_impl ../csu/libc-start.c:381
#8 0x557558c87530 in _start (/dev/shm/libforth/forth+0xc530)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libio/iofclose.c:48 in _IO_new_fclose
==1671224==ABORTING
Nice work! I'm not sure when I'll get around to fixing these though as I have a baby and little time, but the detailed report is appreciated.
Hello, How is your baby? All well, and sometimes smiling at you? I would like to concur with Halcy0nic: the program crashes now and then. Valgrind then pinpoints the offending source line, but how to fix it goes beyond my skills. Hopefully you will have some time soon to address the problem.
She is, and crawling! I haven't much time to give to this project unfortunately, I will get around to it eventually.
Hello, it's me again. It occurred to me that a simple line like `2 3 ' dup execute` resulted in an out-of-bounds error. I tried to find the bug in forth.c, but could not find anything. The reason however was simple: the line where the tick word was specified (line 4180 in forth.fth) had been commented out! Most of the interesting forth constructs are working now, so I'm happy.
Hi everyone,
Sorry for the delay, but here are some example fixes in the meantime to mitigate each of the discovered vulnerabilities:
`match` function
Issue: An out-of-bounds read occurs when the `match` function attempts to access memory outside the bounds of the `m` array. This is triggered by the expression `WORD_LENGTH(m[pwd + 1])`.
Solution: Ensure that the index `pwd + 1` is within the bounds of the `m` array before accessing it. One approach is to check the size of the `m` array and compare it with `pwd + 1` to ensure it does not exceed the array's bounds.
// Bounds-check the dictionary index before it is used to read m[]; the
// guard must sit in front of the WORD_LENGTH() read, not after it.
// NOTE(review): `pwd + 1` can wrap if pwd is the largest cell value, which
// would make the comparison pass; `pwd < m_size - 1` has no such wrap
// (assuming m_size > 0) — confirm which form matches the cell type used.
if (pwd + 1 < m_size) { // Assuming m_size is the size of the m array
forth_cell_t len = WORD_LENGTH(m[pwd + 1]);
...
}
`forth_run` function
Issue: The invalid free operation is triggered by attempting to free memory that was not allocated with `malloc` or that was already freed.
Solution: Ensure that the pointer being freed was allocated via `malloc` (or similar functions) and has not been freed before. A simple strategy is to set the pointer to `NULL` after freeing it and check whether the pointer is `NULL` before attempting to free it.
// free(NULL) is already a no-op, so the guard only documents intent.
// NOTE(review): resetting this local protects this variable alone. If the
// same address is still reachable from elsewhere (for instance as a copy
// on the interpreter's data stack), freeing that copy later is still a
// double free; the fix has to track ownership where the value lives.
// NOTE(review): the backtraces above show the crash inside realloc, so
// the freed value here presumably comes from an interpreter cell that was
// never returned by malloc at all — confirm the cell's provenance first.
if (f != NULL) {
free((char*)f);
f = NULL; // Prevent double free
}
`check_is_asciiz` function
Issue: Attempting to read beyond the allocated memory when checking if a string ends with a null terminator.
Solution: Validate that the index `end` is within the actual bounds of the string `s` before accessing `s[end]`.
// NOTE(review): string_length must be the allocated size of the buffer
// holding s, not strlen(s): strlen() itself walks past the end of an
// unterminated string, which is exactly the condition being checked for.
if (end < string_length) { // Assuming string_length is the length of the s string
if (*(s + end) != '\0') {
...
}
}
`print_cell` function
Issue: Exceeding the bounds of a stack-allocated buffer when attempting to fill it with characters.
Solution: Ensure that the buffer size is respected when filling it with characters. This can involve checking the current length of the buffer against its maximum size before each write.
// Digit buffer for the number conversion; the loop bound keeps one byte
// free for the terminator written after the loop.
char s[MAX_SIZE]; // Assuming MAX_SIZE is the maximum buffer size
int i = 0;
// NOTE(review): when the bound stops the loop early the output is silently
// truncated; decide whether the caller needs to see that (return value or
// error) rather than getting a shortened number.
// NOTE(review): conv[u % base] is only in bounds when base does not exceed
// the length of conv; validate base before the loop as well.
while (condition && i < MAX_SIZE - 1) { // Reserve space for null terminator
s[i++] = conv[u % base];
...
}
s[i] = '\0'; // Ensure null termination
`compile` function
Issue: Writing beyond the allocated space when copying a string into the memory area starting at `o->m + head`.
Solution: Use a safer string copying function like `strncpy` to avoid writing beyond the allocated space, and ensure the destination buffer is large enough to hold the source string including the null terminator.
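// Bound the copy by the bytes actually left in the core image after 'head'.
// 'remaining_bytes' is a placeholder the caller computes from the core size,
// e.g. (core_size_in_cells - head) * sizeof(forth_cell_t).  strncpy is avoided
// on purpose: it leaves the name unterminated when it fills the limit and
// silently truncates, letting two long names collide in the dictionary.
size_t name_len = strlen(str) + 1; // include the terminating NUL
if (name_len <= remaining_bytes) {
    memcpy((char *)(o->m + head), str, name_len);
} else {
    // the name does not fit: fail the compile the way compile() reports its
    // other errors instead of writing past the end of o->m
}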
forth_get_char
Issue: `fgetc((FILE*)(o->m[FIN]))` reads through a `FILE*` that is stored as a cell in the core image, and the Forth program can overwrite that cell with an arbitrary value.
Solution: `o->m[FIN]` holds a `FILE*` cast to a cell, not an integer file descriptor, so a numeric range check cannot validate it and `fdopen()` does not apply (calling it on every read would also leak a new `FILE` each time). Only read from streams the interpreter opened itself — `stdin` or handles returned by its own file-open primitive — by keeping a table of them and checking the `FIN` cell against it.
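// o->m[FIN] holds a FILE* that was cast into a cell (the original reads it as
// fgetc((FILE*)(o->m[FIN]))), not an integer descriptor: an OPEN_MAX range test
// cannot validate it and fdopen() does not apply — calling fdopen() here would
// also leak a fresh FILE on every character read.  Because the Forth program
// can overwrite the FIN cell, accept only streams the interpreter opened itself.
// forth_owns_stream() is a placeholder for a lookup in the interpreter's table
// of open streams (handles returned by its own file-open primitive).
FILE *in = (FILE *)(o->m[FIN]);
if (in != NULL && (in == stdin || forth_owns_stream(o, in))) {
    r = fgetc(in);
} else {
    r = EOF; // a forged input stream reads as end-of-input instead of a wild dereference
}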
print_stack
Issue: The loop that prints the stack reads cells past the end of the stack area. Solution: Bound the loop by the size of the stack area. If the depth is derived from the stack pointer (`S - o->S`), clamp it to that size — a program that has pushed past the end of the stack makes the difference exceed it — and do not take the depth from a cell the program controls.
for (forth_cell_t i = 0; i < stack_size && i <= f; ++i) { // Assuming stack_size is the number of elements in S
// NOTE(review): 'f' is a cell taken from the data stack elsewhere in this report,
// so using it as the element count trusts the program.  If the depth is derived
// from the stack pointer instead (S - o->S), that difference must still be
// clamped to stack_size: a program that pushed past the end of the stack makes
// it too large.  The original reads *(o->S + i + 1); whether dropping the + 1 is
// intended depends on whether o->S points at the first cell or one below it —
// confirm against print_stack before changing it.
print_cell(o, out, *(o->S + i));
}
Problem Analysis:
The invalid free is raised inside `realloc` because the pointer operand popped from the data stack (`*S--`) is whatever the Forth program left there: `realloc` is handed a value it never returned and reads allocator metadata relative to it. Typically, `realloc` resizes a block previously obtained from `malloc`, `calloc` or `realloc`; nothing about the cell guarantees that. Note that `*S--` is the ordinary Forth pop (read the top cell, then decrement `S`) — the decrement is not the bug, and reordering it changes nothing.
Solution:
Only pass `realloc` a pointer the interpreter itself obtained from `malloc`, `calloc` or `realloc` and has not yet freed (or `NULL`, which `realloc` treats like `malloc`). That requires the interpreter to keep a table of its live allocations and check the popped value against it. Pop the operand before the check so the stack stays balanced on the error path, keep the original pointer when `realloc` fails (it is still valid), and report the failure instead of overwriting it.
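// Corrected version
// '*S--' is the ordinary Forth pop (read the top cell, then move S down); the
// decrement was never the problem.  The problem is that the popped cell is
// whatever the program put there, so realloc() may receive a pointer it never
// returned and read allocator metadata relative to it.  Pop first so the stack
// stays balanced on every path, then accept only NULL (realloc(NULL, n) is
// malloc(n)) or a pointer the interpreter's own allocation primitive handed out.
// forth_owns_allocation()/forth_replace_allocation() are placeholders for a
// small table of live allocations kept by the interpreter.
void *old = (void *)(*S);
S--;
if (old == NULL || forth_owns_allocation(o, old)) {
    void *grown = realloc(old, f);
    if (grown == NULL) {
        // 'old' is still valid and still the program's: leave it in the table
        // and report the failure (w == 0 is the failure value tested below)
        w = 0;
    } else {
        forth_replace_allocation(o, old, grown); // the table now tracks 'grown' instead of 'old'
        w = (forth_cell_t)grown;
    }
} else {
    w = 0; // not one of ours: refuse rather than let realloc walk a fake chunk header
}
if (!w) {
    // Handle realloc failure (or the refused pointer) here
}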
Problem Analysis:
The address popped from the stack (`*S--`), the second address `w` and the length `f` are all supplied by the program, so `memcmp` can read outside any allocation.
Solution:
Check that both `[*S, *S + f)` and `[w, w + f)` lie inside memory the interpreter owns (the core image, or an allocation it tracks) before calling `memcmp`, taking care that `pointer + f` cannot wrap around; bounding `f` alone says nothing about where the two pointers point. Pop the stack before the check rather than inside the guarded call, so it stays balanced when the check fails.
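// Pop the address first so the stack is balanced whether or not the check
// passes (popping inside the guarded call leaves it unbalanced on failure).
// Both operands and the length come from the program, so bound BOTH ranges,
// not just f.  forth_range_ok() is a placeholder: true iff [p, p + n) lies
// entirely inside memory the interpreter owns (the core image, or an
// allocation it tracks) and p + n does not wrap.
char *a = (char *)(*S);
S--;
char *b = (char *)w;
if (forth_range_ok(o, a, f) && forth_range_ok(o, b, f)) {
    f = memcmp(a, b, f);
} else {
    // out-of-range operand: report the error instead of comparing wild memory
}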
forth_run
at line 2362. Problem Analysis: The error message is formatted with `%s` from `o->s`; if the bytes at `o->s` are not NUL-terminated within the buffer they live in (which is what `check_is_asciiz` is meant to guarantee), `%s` reads past its end.
Solution:
A NULL test on `o->s` does not address that. Bound the print to the bytes remaining in that buffer (`%.*s` with an explicit length), or print `o->s` only after it has passed `check_is_asciiz` with a limit inside the buffer.
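// o->s need not be NUL-terminated within the buffer it points into (that is
// what check_is_asciiz guards against), so "%s" can read past the end of that
// buffer; a NULL test does not address this.  Print at most the bytes that
// remain before the buffer's end — 'remaining' is a placeholder for that count,
// computed by the caller (for a pointer into the core image: end of core - o->s).
if (o->s != NULL) {
    error("'%.*s' is not a word (line %zu)", (int)remaining, o->s, o->line);
}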
Issue: `fwrite` reads `count` bytes from `((char*)m) + offset`, and both values are supplied by the program, so the read can leave the core image; the `FILE*` comes from the program as well.
Solution: Check `offset <= m_size && count <= m_size - offset` — written this way so that `offset + count` cannot wrap around — and write only to streams the interpreter opened itself: a non-NULL `FILE*` taken off the stack is not necessarily a valid stream.
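// Assuming 'm' points to a buffer of 'm_size' bytes and 'file' is a FILE* taken
// from the stack.  The bound is written as two comparisons so that
// offset + count cannot wrap around with a huge 'count' and pass the check.
// A non-NULL 'file' is not necessarily a valid stream — it is a program-supplied
// cell — so only write to streams the interpreter opened itself;
// forth_owns_stream() is a placeholder for that table lookup (stdout/stderr
// plus handles returned by its file-open primitive).
if (offset <= m_size && count <= m_size - offset && file != NULL && forth_owns_stream(o, file)) {
    *++S = fwrite(((char*)m) + offset, 1, count, file);
} else {
    // Handle error: invalid stream or out-of-bounds access attempt.  Push a
    // result anyway so the stack stays balanced on the error path.
    *++S = 0;
}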
Issue: `memmove` reads `f` bytes from `w` and writes them at the address popped from the stack; all three values are supplied by the program, so either side can leave the interpreter's memory.
Solution: Before the call, confirm that both `[*S, *S + f)` and `[w, w + f)` lie inside memory the interpreter owns, guarding against `pointer + f` wrapping; a non-NULL test on `*S` says nothing about the range. Pop the stack before the check so the error path leaves it balanced.
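// Pop the destination first so the stack stays balanced on the failure path,
// then bound BOTH ranges: destination, source and length are all program-
// supplied.  A non-NULL test on *S says nothing about whether f bytes at that
// address are ours.  forth_range_ok() is a placeholder: true iff [p, p + n) lies
// inside memory the interpreter owns (the core image, or an allocation it
// tracks) and p + n does not wrap.
char *dst = (char *)(*S);
S--;
char *src = (char *)w;
if (forth_range_ok(o, dst, f) && forth_range_ok(o, src, f)) {
    memmove(dst, src, f);
} else {
    // out-of-range operand: report the error instead of moving wild memory
}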
Issue: `memchr` scans `f` bytes from the address popped from the stack, and both the address and `f` are supplied by the program, so the scan can read outside the interpreter's memory.
Solution: Before calling `memchr`, check that the whole range `[*S, *S + f)` lies inside memory the interpreter owns (the core image, or an allocation it tracks), guarding against `*S + f` wrapping; checking that `*S` is non-NULL is not a validation of the address. Pop the stack before the check so it stays balanced when the check fails.
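// Pop the address first so the stack stays balanced on the failure path.  A
// non-NULL *S proves nothing; the whole scanned range must be ours.
// forth_range_ok() is a placeholder: true iff [p, p + n) lies inside memory
// the interpreter owns (the core image, or an allocation it tracks) and p + n
// does not wrap.
char *hay = (char *)(*S);
S--;
if (forth_range_ok(o, hay, f)) {
    f = (forth_cell_t)memchr(hay, w, f); // 0 (NULL) when the byte is not found
} else {
    f = 0; // out-of-range operand: report the error; 0 doubles as "not found"
}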
Problem Analysis:
`memset` writes `f` bytes at the address popped from the stack; both values are supplied by the program, so the write can land outside the interpreter's memory and corrupt the heap or the core image.
Solution:
Before calling `memset`, check that the whole range `[*S, *S + f)` lies inside memory the interpreter owns, guarding against `*S + f` wrapping — bounding `f` alone does not constrain where `*S` points. Pop the stack before the check so it stays balanced on the error path.
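// Pop the destination first so the stack stays balanced on the failure path.
// Bounding f alone does not constrain where *S points: the whole written range
// must be ours.  forth_range_ok() is a placeholder: true iff [p, p + n) lies
// inside memory the interpreter owns (the core image, or an allocation it
// tracks) and p + n does not wrap.
char *dst = (char *)(*S);
S--;
if (forth_range_ok(o, dst, f)) {
    memset(dst, w, f);
} else {
    // out-of-range operand: report the error instead of overwriting wild memory
}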
Issue Description: `fflush` is called on a `FILE*` taken from a cell on the data stack; that cell may hold a closed stream or an arbitrary number, so `fflush` can dereference an invalid address.
Solution:
A non-NULL check is not sufficient, and `fflush(NULL)` is itself defined (it flushes every open output stream). Keep a table of the streams the interpreter opened (`stdout`, `stderr` and the handles returned by its file-open primitive) and flush only those.
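// 'f' is a cell from the data stack, so (FILE*)f can be NULL, a closed stream or
// any number at all; a non-NULL test does not make it safe, and fflush(NULL) is
// itself defined to flush every open output stream.  Accept only streams the
// interpreter opened itself; forth_owns_stream() is a placeholder for that
// table lookup (stdout/stderr plus handles from its file-open primitive).
// The original's ferrno() is not standard C — whether it is a libforth wrapper
// around errno or a typo for ferror() must be checked in the source.
FILE *file = (FILE *)f;
if (file != NULL && forth_owns_stream(o, file)) {
    f = fflush(file) ? (forth_cell_t)ferror(file) : 0; // fflush returns 0 on success
} else {
    f = SOME_ERROR_CODE; // placeholder for the value the interpreter uses to report a bad stream
}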
Issue Description: `ferror` is called on a `FILE*` taken from a cell on the data stack, which may be closed, stale or fabricated, so the call can read through an invalid pointer.
Solution:
Call `ferror` only on a stream the interpreter opened itself and still has open, checked against its table of open streams; a non-NULL test alone does not establish that.
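// 'file' is derived from a program-supplied cell: non-NULL does not mean it is
// an open stream.  Accept only streams the interpreter opened itself;
// forth_owns_stream() is a placeholder for that table lookup.
if (file != NULL && forth_owns_stream(o, file)) {
    f = ferror(file);
} else {
    // Not an open stream of ours: log it and hand back a known error value
    // rather than dereferencing the pointer.
    f = SOME_ERROR_CODE; // placeholder for the interpreter's bad-stream error value
}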
Problem Analysis:
`fclose` is called on a `FILE*` taken from a cell on the data stack; the cell can be NULL, already closed, or fabricated, so the call can dereference an invalid address or close a stream twice.
Solution: Close only streams found in the interpreter's table of open streams and remove the entry on close, so a second `fclose` of the same value is refused — zeroing the cell is not enough, since the program may hold copies of it. Do not call `ferror(file)` after `fclose(file)`: the stream no longer exists.
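FILE *file = (FILE *)f;
// (FILE*)f is a program-supplied cell: the NULL test catches one bad value, not
// a stale or forged pointer.  Close only streams the interpreter opened itself
// and forget them afterwards so a second close of the same value is refused —
// zeroing the cell is not enough, the program may hold copies of it.
// forth_owns_stream()/forth_forget_stream() are placeholders for that table.
if (file != NULL && forth_owns_stream(o, file)) {
    forth_forget_stream(o, file);
    // ferrno() is kept as the original wrote it: if it is a libforth wrapper
    // around errno it is the right call; it must NOT become ferror(file), which
    // would read a stream that no longer exists after fclose().  Nothing
    // overwrites f afterwards — the original's "f = NULL" discarded the result
    // and stored a pointer constant in an integer cell.
    f = fclose(file) ? ferrno() : 0;
} else {
    f = SOME_ERROR_CODE; // placeholder for the interpreter's bad-stream error value
}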
I'll try to get around to fixing some of these issues, but bear in mind that Forth is a memory unsafe language. A lot of the problems are caused by don't do that
. It's a bit like complaining that PEEK and POKE in BASIC can access arbitrary memory...
No worries, and I appreciate your perspective. I understand that Forth, by its nature, allows direct memory manipulation, which can indeed introduce risks if not used carefully. My intention isn't to complain but to help identify potential issues, especially since applications utilizing libforth might process input from external and possibly untrusted sources. Ensuring robust input handling and memory operations can greatly benefit users of the library who might not be aware of these intricacies. Thanks for considering these points, and I look forward to seeing the library evolve.
Hi!
While I was running my fuzz tests in the background I discovered multiple memory corruption security flaws in libforth Version 4.0 at various locations. I have attached a zip archive named crash.zip for replication. The easiest way to reproduce is to compile the project and execute forth against the crash files that call specific library functions:
Zip archive with reproduction files:
crash.zip
After triaging all of the crashes, I can verify that there are 17 separate and unique issues at the following locations:
Out of bounds read (CWE-125) in static int match(forth_cell_t *m, forth_cell_t pwd, const char *s) at libforth.c, line 1306 when attempting to execute 'forth_cell_t len = WORD_LENGTH(m[pwd + 1]);':
File for replication: match_line_1306.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1306
GDB Backtrace:
Address Sanitizer Output:
Invalid free (CWE-763) in int forth_run(forth_t *o) at libforth.c, line 2745 when attempting to execute 'free((char*)f);':
File for replication: forth_run_line_2745.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L2745
GDB Backtrace:
Address Sanitizer Output:
Out of bounds read (CWE-125) in static void check_is_asciiz(jmp_buf *on_error, char *s, forth_cell_t end) at libforth.c, line 1436 when attempting to execute 'if (*(s + end) != '\0')':
File for replication: check_is_asciiz_line_1436.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1436
GDB Backtrace:
Address Sanitizer Output:
Stack-based buffer overflow (CWE-121) in static int print_cell(forth_t *o, FILE *out, forth_cell_t u) at libforth.c, line 1367 when attempting to execute 's[i++] = conv[u % base];':
File for replication: print_cell_line_1367.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1367
GDB Backtrace:
Address Sanitizer Output:
Out of bounds write (CWE-787) in static forth_cell_t compile(forth_t *o, forth_cell_t code, const char *str, forth_cell_t compiling, forth_cell_t hide) at libforth.c, line 1241 when attempting to execute 'strcpy((char *)(o->m + head), str);':
File for replication: compile_line_1241.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1241
GDB Backtrace:
Address Sanitizer Output:
Out of bounds read (CWE-125) in static int forth_get_char(forth_t *o) at libforth.c, line 1091 when attempting to execute 'r = fgetc((FILE*)(o->m[FIN]));':
File for replication: forth_get_char_line_1091.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1091
GDB Backtrace:
Address Sanitizer Output:
Out of bounds read (CWE-125) in static void print_stack(forth_t *o, FILE *out, forth_cell_t *S, forth_cell_t f) at libforth.c, line 1481 when attempting to execute 'print_cell(o, out, *(o->S + i + 1));':
File for replication: print_stack_line_1481.fth
Source Code:
https://github.com/howerj/libforth/blob/b851c6a25150e7d2114804fc8712664c6d825214/libforth.c#L1481
GDB Backtrace:
Address Sanitizer Output: