lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC music notation to sheet music in PostScript or SVG format. It is an extension of abc2ps that can handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Segment Fault glyph.c:205 in glyph_out #73

Open PangPangpeng opened 3 years ago

PangPangpeng commented 3 years ago

```
$ unzip poc1
gdb-peda$ set args ./poc1/poc1
gdb-peda$ r
Starting program: /root/Intriguer/intriguer/opensoft/abc2music/origin/abcm2ps poc1
abcm2ps-8.14.9 (2020-06-21)
File poc1
Line 7: Unexpected EOF in header definition

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffddf0 --> 0xfbad8001
RCX: 0xffffffffffffffff
RDX: 0x10
RSI: 0x7fffffffdda8 --> 0x7fffffffdde0 --> 0xffc0
RDI: 0x6563696f76206e69 ('in voice')
RBP: 0x7fffffffdde0 --> 0xffc0
RSP: 0x7fffffffd870 --> 0x0
RIP: 0x7ffff7752cd0 (<_IO_vfprintf_internal+6992>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x0
R9 : 0x1
R10: 0x73 ('s')
R11: 0x6563696f76206e69 ('in voice')
R12: 0x44a070 --> 0x206461420073252f ('/%s')
R13: 0x7fffffffdf60 --> 0x3000000010
R14: 0x0
R15: 0x44a071 --> 0x7520646142007325 ('%s')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7752cc7 <_IO_vfprintf_internal+6983>: xor    eax,eax
   0x7ffff7752cc9 <_IO_vfprintf_internal+6985>: or     rcx,0xffffffffffffffff
   0x7ffff7752ccd <_IO_vfprintf_internal+6989>: mov    rdi,r11
=> 0x7ffff7752cd0 <_IO_vfprintf_internal+6992>: repnz scas al,BYTE PTR es:[rdi]
   0x7ffff7752cd2 <_IO_vfprintf_internal+6994>: mov    DWORD PTR [rbp-0x4d8],0x0
   0x7ffff7752cdc <_IO_vfprintf_internal+7004>: mov    rax,rcx
   0x7ffff7752cdf <_IO_vfprintf_internal+7007>: not    rax
   0x7ffff7752ce2 <_IO_vfprintf_internal+7010>: lea    r10,[rax-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd870 --> 0x0
0008| 0x7fffffffd878 --> 0x7ffff775193d (<_IO_vfprintf_internal+1981>: mov    rdx,QWORD PTR [rbp-0x498])
0016| 0x7fffffffd880 --> 0x0
0024| 0x7fffffffd888 --> 0x7fffffffd958 --> 0x44c63f --> 0x202d2d2d20252500 ('')
0032| 0x7fffffffd890 --> 0x7fffffffd948 --> 0x44a072 --> 0x6e75206461420073 ('s')
0040| 0x7fffffffd898 --> 0x7fff00000000
0048| 0x7fffffffd8a0 --> 0x7fff00000000
0056| 0x7fffffffd8a8 --> 0x7fffffffd960 --> 0x7fffffffd970 --> 0x4030000000000000 ('')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7752cd0 in _IO_vfprintf_internal (s=s@entry=0x7fffffffddf0, format=, format@entry=0x44a070 "/%s", ap=ap@entry=0x7fffffffdf60) at vfprintf.c:1632
1632    vfprintf.c: no such file or directory
```

poc1.zip

It seems that this piece of code treats a one-dimensional array as a two-dimensional array, makes `q` point to an invalid address, and results in a segment fault.

```c
if (i1 >= 0 && i2 >= 0) {
    g = (char **) utf_1[i1];
    if (g) {
        g = (char **) g[i2];
        if (i3 >= 0 && g) {
            g = (char **) g[i3];
            if (i4 >= 0 && g)
                g = (char **) g[i4];
        }
    }
    q = (char *) g;
```
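
As an added example (not code from abcm2ps or from this thread), the kind of nested table walk the comment above describes, written so that each level is type-tagged and a leaf string is never indexed as another level of pointers; it also includes a small triage helper for a dump like the one above, where RDI holds eight printable ASCII bytes ('in voice'), the usual sign that string contents were dereferenced as a pointer. The node layout, the table contents and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not abcm2ps code: a nested lookup table whose leaves
 * are strings. Nodes are tagged, so a lookup can tell a table from a leaf
 * instead of relying on unchecked casts between levels. */
enum kind { NODE_TABLE, NODE_LEAF };

struct node {
    enum kind kind;
    const char *leaf;            /* used when kind == NODE_LEAF */
    const struct node *children; /* used when kind == NODE_TABLE */
    int nchildren;
};

/* Hypothetical three-level table: root_table -> level_b -> leaf "in voice". */
static const struct node leaves_c[] = { { NODE_LEAF, "in voice", NULL, 0 } };
static const struct node level_b[]  = { { NODE_TABLE, NULL, leaves_c, 1 } };
static const struct node root_table =   { NODE_TABLE, NULL, level_b, 1 };

/* Walk up to `depth` indices; a negative index ends the walk early, like i3/i4
 * in the snippet. Returns NULL rather than descending into a leaf or past the
 * end of a level, so string bytes are never reinterpreted as a pointer. */
const char *lookup(const struct node *root, const int *idx, int depth)
{
    const struct node *n = root;
    for (int i = 0; i < depth && idx[i] >= 0; i++) {
        if (n->kind != NODE_TABLE || idx[i] >= n->nchildren)
            return NULL;
        n = &n->children[idx[i]];
    }
    return n->kind == NODE_LEAF ? n->leaf : NULL;
}

/* Triage heuristic for a dump like the one above: a 64-bit register whose
 * eight bytes are all printable ASCII (RDI = 'in voice' in the report) almost
 * always holds string contents that were dereferenced as a pointer. */
int register_looks_like_text(uint64_t v)
{
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b < 0x20 || b > 0x7e)
            return 0;
    }
    return 1;
}
```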

moinejf commented 3 years ago

Sorry, but the code was validated a long time ago and I could not reproduce the problem on my machine (ARM 32 bits).

PangPangpeng commented 3 years ago

It's a little weird: I get the crash on my system (x86 Ubuntu), and I also reproduced it in my qemu-arm 32-bit.

```
root@ubuntu:/abc2music/origin/32bit# cp abcm2ps-8.14.9/abcm2ps ./
root@ubuntu:/abc2music/origin/32bit# qemu-arm-static abcm2ps ../pocs/poc1
abcm2ps-8.14.9 (2020-06-21)
File ../pocs/poc1
Line 7: Unexpected EOF in header definition
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segment Fault
```