Closed stevegrubb closed 7 months ago
I tried several ways to reproduce it but I was not successful.
I fuzzed this for 45 minutes. 15.5 Million executions with AFL++. No crashes. I also used radamsa for an hour with no crashes.
I think we can close this. I don't see anything obvious and fuzzing is also not showing a problem.
It's been reported that the unescape_shell function is overflowing:
library/escape.c:100:9: runtime error: load of address 0x7fb4ae604175 with insufficient space for an object of type 'char'
0x7fb4ae604175: note: pointer points here
 72 6f 6f 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^
    #0 0x55bd93a119a6 in unescape_shell library/escape.c:100
library/escape.c:116:7: runtime error: store to address 0x7fb4ae604175 with insufficient space for an object of type 'char'
0x7fb4ae604175: note: pointer points here
 72 6f 6f 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^
    #0 0x55bd93a11cad in unescape_shell library/escape.c:116
It doesn't seem to affect runtime because of the padding that glibc provides between allocations, but we should look into this.
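The "insufficient space for an object of type 'char'" message is UBSan's object-size check firing on a read and a write one slot past the end of a buffer (the dumped bytes 72 6f 6f 74 spell "root"). Because glibc rounds allocations up, a one-byte overrun lands in slack space and never crashes, which is why plain fuzzing can run for millions of executions without noticing it. The following is an added example, not audit-userspace's `unescape_shell()` and not a statement of what line 100 or 116 actually does: a hypothetical bounded unescape routine that marks the two spots where a naive loop typically overruns by one byte, so a unit test built with `-fsanitize=address,undefined` reports the defect instead of relying on allocator padding.

```c
/* Hypothetical bounded unescape routine, added as an illustration.
 * It is NOT audit-userspace's unescape_shell(); it shows the class of
 * defect UBSan's object-size check reports: a loop that reads or
 * writes one byte beyond the buffer it was given.
 *
 * Build a unit test with sanitizers so a one-byte overrun is reported
 * even when the allocator's padding would otherwise hide it:
 *   cc -g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer unescape_demo.c
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Remove backslash escapes from in[] into out[] (capacity out_cap bytes,
 * including the terminating NUL). Returns the number of bytes written
 * excluding the NUL, or -1 if the result would not fit. */
long unescape_bounded(const char *in, char *out, size_t out_cap)
{
    size_t n = 0;

    if (out_cap == 0)
        return -1;

    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];

        if (c == '\\') {
            /* Pitfall 1 (read overrun): a naive "i++; c = in[i];" copies
             * the NUL when the input ends with a lone backslash, and the
             * loop's next i++ then reads in[strlen(in) + 1], one byte
             * past the terminator. Check before consuming the escape. */
            if (in[i + 1] == '\0')
                break;          /* trailing backslash: drop it, stop cleanly */
            c = in[++i];
        }

        /* Pitfall 2 (write overrun): storing out[n] before checking
         * n < out_cap - 1 uses the slot reserved for the NUL, and the
         * terminator then goes one byte past the buffer. */
        if (n >= out_cap - 1)
            return -1;
        out[n++] = c;
    }

    out[n] = '\0';
    return (long)n;
}

/* Constructed sample inputs; a buffer sized exactly to the escaped input
 * is the case where an off-by-one becomes an out-of-bounds access. */
int main(void)
{
    const char *samples[] = { "ro\\ot", "a\\\\b", "end\\", "plain" };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char out[16];
        long n = unescape_bounded(samples[k], out, sizeof out);
        printf("%-8s -> %ld byte(s): \"%s\"\n", samples[k], n, n < 0 ? "" : out);
    }
    return 0;
}
```

The length-capped contract is the point: the caller passes the real capacity, the routine refuses rather than writes past it, and the trailing-backslash case is handled explicitly instead of being left to whatever byte follows the terminator.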