lfos / calcurse

A text-based calendar and scheduling application
https://calcurse.org
BSD 2-Clause "Simplified" License

test failure because of a stack-buffer-overflow #469

Open asarubbo opened 10 months ago

asarubbo commented 10 months ago

Our Gentoo Tinderbox reported a test failure at bug 914094

Looking at test-suite.log I can see that it fails because of a stack-buffer-overflow:

FAIL: ical-012.sh
=================

=================================================================
==679==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7efd3d8125df at pc 0x5654ab7a5229 bp 0x7ffff80873e0 sp 0x7ffff80873d0
READ of size 1 at 0x7efd3d8125df thread T0
    #0 0x5654ab7a5228 in ical_readline /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:693
    #1 0x5654ab7a7c61 in ical_chk_header /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:723
    #2 0x5654ab7a7c61 in ical_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:1878
    #3 0x5654ab7b742d in io_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/io.c:1303
    #4 0x5654ab78cfad in parse_args /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/args.c:966
    #5 0x5654ab675c8e in main /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/calcurse.c:709
    #6 0x7efd3ee23c89  (/lib64/libc.so.6+0x23c89)
    #7 0x7efd3ee23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
    #8 0x5654ab677340 in _start (/var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/calcurse+0x2c340)

Address 0x7efd3d8125df is located in stack of thread T0 at offset 9695 in frame
    #0 0x5654ab7a764f in ical_import_data /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:1873

  This frame has 39 object(s):
    [48, 49) 'c' (line 875)
    [64, 68) 'major' (line 1875)
    [80, 84) 'minor' (line 1875)
    [96, 100) 'bytes_read' (line 876)
    [112, 116) 'week' (line 877)
    [128, 132) 'day' (line 877)
    [144, 148) 'mon' (line 927)
    [160, 164) 'n' (line 928)
    [176, 180) 'mday' (line 948)
    [192, 196) 'n' (line 949)
    [208, 212) 'order' (line 970)
    [224, 228) 'n' (line 970)
    [240, 248) 'fmt' (line 472)
    [272, 280) 'p' (line 1358)
    [304, 312) 'dtstart' (line 1359)
    [336, 344) 'dtend' (line 1359)
    [368, 376) 'duration' (line 1359)
    [400, 408) 'rrule' (line 1359)
    [432, 440) 'until' (line 1553)
    [464, 472) 'msg' (line 1555)
    [496, 504) 'freqstr' (line 1066)
    [528, 536) 'note' (line 1868)
    [560, 568) 'note' (line 1868)
    [592, 600) 'p' (line 1723)
    [624, 632) 'note' (line 1868)
    [656, 668) 'vparam' (line 761)
    [688, 700) 'vparam' (line 761)
    [720, 732) 'vparam' (line 761)
    [752, 768) 's' (line 1360)
    [784, 800) 'exdate' (line 1360)
    [816, 832) 's' (line 1724)
    [848, 865) 'datestr' (line 1066)
    [912, 960) 'vtodo' (line 1729)
    [992, 1072) 'tmp' (line 552)
    [1104, 1216) 'vevent' (line 1369)
    [1248, 9440) 'buf' (line 1874)
    [9696, 17888) 'lstore' (line 1874) <== Memory access at offset 9695 underflows this variable
    [18144, 26336) 'msg' (line 581)
    [26592, 34784) 'msg' (line 525)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /var/tmp/portage/app-office/calcurse-4.8.1/work/calcurse-4.8.1/src/ical.c:693 in ical_readline
Shadow bytes around the buggy address:
  0x7efd3d812300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812480: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x7efd3d812500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x7efd3d812580: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
  0x7efd3d812600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7efd3d812800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==679==ABORTING

If I can do more, please let me know.
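The frame table in the report already pins the access down without a debugger: offset 9695 falls in the redzone between buf ([1248, 9440)) and lstore ([9696, 17888)), 255 bytes past the end of buf and one byte before the start of lstore, which is why ASan charges the one-byte READ to lstore as an underflow rather than to buf. The script below is an added example, not calcurse code and not part of the bug report. It parses an excerpt of that table (copied from the report above and trimmed to the objects around the fault) and attributes an access to a frame object using the same nearest-object rule and wording ASan prints; that rule is my reading of how ASan labels frame objects and is checked here only against this report.

```python
"""Triage helper for the frame table in an AddressSanitizer stack-buffer-overflow
report. Added example: not calcurse code and not part of the bug report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the "This frame has 39 object(s)" table copied from the report
# above, trimmed to the objects around the faulting offset (constructed input).
FRAME_TABLE = """\
  This frame has 39 object(s):
    [48, 49) 'c' (line 875)
    [64, 68) 'major' (line 1875)
    [912, 960) 'vtodo' (line 1729)
    [992, 1072) 'tmp' (line 552)
    [1104, 1216) 'vevent' (line 1369)
    [1248, 9440) 'buf' (line 1874)
    [9696, 17888) 'lstore' (line 1874)
    [18144, 26336) 'msg' (line 581)
    [26592, 34784) 'msg' (line 525)
"""

# Taken from the report: "READ of size 1" and "at offset 9695 in frame".
ACCESS_OFFSET = 9695
ACCESS_SIZE = 1

OBJ_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


@dataclass(frozen=True)
class StackObj:
    beg: int   # first byte of the object, relative to the frame
    end: int   # one past the last byte (half-open, as ASan prints it)
    name: str
    line: int  # source line that declares the object


def parse_frame_table(text: str) -> list[StackObj]:
    """Extract every '[beg, end) name (line N)' entry, sorted by offset."""
    objs = [StackObj(int(b), int(e), n, int(l)) for b, e, n, l in OBJ_RE.findall(text)]
    return sorted(objs, key=lambda o: o.beg)


def describe_access(objs: list[StackObj], offset: int, size: int) -> list[tuple[StackObj, str]]:
    """Attribute the access [offset, offset+size) to a frame object.

    Labels follow the wording ASan prints ("is inside", "partially overflows",
    "overflows", "partially underflows", "underflows"); an access in a redzone
    is charged to whichever neighbouring object is closer. This is an
    assumption about ASan's reporting logic, checked only against the report.
    """
    end = offset + size
    hits = []
    for i, o in enumerate(objs):
        prev_end = objs[i - 1].end if i else 0
        next_beg = objs[i + 1].beg if i + 1 < len(objs) else None
        rel = None
        if offset >= o.beg:
            if end <= o.end:
                rel = "is inside"
            elif offset < o.end:
                rel = "partially overflows"
            elif next_beg is None or (end <= next_beg and next_beg - end >= offset - o.end):
                rel = "overflows"
        else:
            if end > o.beg:
                rel = "partially underflows"
            elif offset >= prev_end and offset - prev_end >= o.beg - end:
                rel = "underflows"
        if rel is not None:
            hits.append((o, rel))
    return hits


def redzone_neighbours(objs: list[StackObj], offset: int):
    """For an offset inside a redzone: (object before, bytes past its end,
    object after, bytes before its start). -1 when there is no such object."""
    before = max((o for o in objs if o.end <= offset), key=lambda o: o.end, default=None)
    after = min((o for o in objs if o.beg > offset), key=lambda o: o.beg, default=None)
    return (before, offset - before.end if before else -1,
            after, after.beg - offset if after else -1)


def triage(text: str, offset: int, size: int) -> str:
    """One-line summary of where the faulting access lands in the frame."""
    objs = parse_frame_table(text)
    parts = [f"{o.name} (line {o.line}): access {rel} it"
             for o, rel in describe_access(objs, offset, size)]
    in_object = any(o.beg <= offset < o.end for o in objs)
    if not in_object:
        before, past, after, short = redzone_neighbours(objs, offset)
        if before and after:
            parts.append(f"{past} byte(s) past end of {before.name}, "
                         f"{short} byte(s) before start of {after.name}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(triage(FRAME_TABLE, ACCESS_OFFSET, ACCESS_SIZE))
```

Run stand-alone it reports the access as underflowing lstore, 255 bytes past buf and 1 byte before lstore, matching the "underflows this variable" marker in the report; feeding it other offsets (for example 9441, one byte past buf) shows how the same rule flips the attribution to an overflow of buf, which is useful when a report's marker is missing or a fuzzer produces many similar traces.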