michaelrsweet / codedoc

Documentation generator for C/C++ code
https://www.msweet.org/codedoc
Apache License 2.0
48 stars 6 forks

outbound read in scan_file codedoc.c:2903 #3

Closed cuanduo closed 5 years ago

cuanduo commented 5 years ago

root@ubuntu:/home/tim/fuzz/codedoc# ./codedoc poc poc.zip

ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27. I think `ch` should be limited to one byte (char instead of int), or it uses the alpha table in glibc, which may cause an out-of-bounds read in the inlined glibc code.

asan output

==47845==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff6b201d4 (pc 0x55555556be17 bp 0x7fffffffde20 sp 0x7ffffffddcc0 T0)

==47845==The signal is caused by a READ memory access.
    #0 0x55555556be16 in scan_file /home/tim/codedoc-addr/codedoc.c:2903
    #1 0x555555566b56 in main /home/tim/codedoc-addr/codedoc.c:488
    #2 0x7ffff660eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #3 0x5555555675e9 in _start (/home/tim/fuzz/codedoc/codedoc-addr+0x135e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tim/codedoc-addr/codedoc.c:2903 in scan_file
==47845==ABORTING

gdb output

[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7fdd6d8 --> 0x7ffff7746cc0 --> 0x2000200020002 
RBX: 0x0 
RCX: 0x7ffff7746cc0 --> 0x2000200020002 
RDX: 0x1ca28a 
RSI: 0x555555771790 --> 0x8a8a8a8a8af7 
RDI: 0x5555557714e0 --> 0xfbad2488 
RBP: 0x0 
RSP: 0x7ffffffdde00 --> 0x0 
RIP: 0x55555555aab3 (<scan_file+3396>:  test   BYTE PTR [rcx+rdx*2],0x8)
R8 : 0x77 ('w')
R9 : 0x0 
R10: 0x555555771010 --> 0x100 
R11: 0x246 
R12: 0x1ca28a 
R13: 0x8 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555aaa8 <scan_file+3385>: call   0x5555555571e0 <__ctype_b_loc@plt>
   0x55555555aaad <scan_file+3390>: mov    rcx,QWORD PTR [rax]
   0x55555555aab0 <scan_file+3393>: movsxd rdx,r12d
=> 0x55555555aab3 <scan_file+3396>: test   BYTE PTR [rcx+rdx*2],0x8
   0x55555555aab7 <scan_file+3400>: jne    0x55555555aad2 <scan_file+3427>
   0x55555555aab9 <scan_file+3402>: cmp    r12d,0x5f
   0x55555555aabd <scan_file+3406>: je     0x55555555aad2 <scan_file+3427>
   0x55555555aabf <scan_file+3408>: cmp    r12d,0x2e
[------------------------------------stack-------------------------------------]
0000| 0x7ffffffdde00 --> 0x0 
0008| 0x7ffffffdde08 --> 0x555555771710 --> 0x0 
0016| 0x7ffffffdde10 --> 0x0 
0024| 0x7ffffffdde18 --> 0x0 
0032| 0x7ffffffdde20 --> 0x0 
0040| 0x7ffffffdde28 --> 0x5555557712f0 --> 0x0 
0048| 0x7ffffffdde30 --> 0x0 
0056| 0x7ffffffdde38 --> 0x7fffffffdf58 --> 0x7fffffffe3f1 --> 0x54554c4300636f70 ('poc')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000055555555aab3 in scan_file (file=<optimized out>, tree=<optimized out>) at codedoc.c:2903
2903                if (isalnum(ch) || ch == '_' || ch == '.' || ch == ':' || ch == '~')
gdb-peda$ bt
#0  0x000055555555aab3 in scan_file (file=<optimized out>, tree=<optimized out>) at codedoc.c:2903
#1  0x00005555555577d6 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe098) at codedoc.c:488
#2  0x00007ffff75c9b97 in __libc_start_main (main=0x555555557239 <main>, argc=0x2, argv=0x7fffffffe098, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe088) at ../csu/libc-start.c:310
#3  0x0000555555557dfa in _start ()
gdb-peda$ vmmap 
Start              End                Perm  Name
0x0000555555554000 0x000055555556e000 r-xp  /home/tim/fuzz/codedoc/codedoc
0x000055555576e000 0x0000555555770000 r--p  /home/tim/fuzz/codedoc/codedoc
0x0000555555770000 0x0000555555771000 rw-p  /home/tim/fuzz/codedoc/codedoc
0x0000555555771000 0x0000555555792000 rw-p  [heap]
0x00007ffff75a8000 0x00007ffff778f000 r-xp  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff778f000 0x00007ffff798f000 ---p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff798f000 0x00007ffff7993000 r--p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff7993000 0x00007ffff7995000 rw-p  /lib/x86_64-linux-gnu/libc-2.27.so
0x00007ffff7995000 0x00007ffff7999000 rw-p  mapped
0x00007ffff7999000 0x00007ffff79b3000 r-xp  /lib/x86_64-linux-gnu/libpthread-2.27.so
0x00007ffff79b3000 0x00007ffff7bb2000 ---p  /lib/x86_64-linux-gnu/libpthread-2.27.so
0x00007ffff7bb2000 0x00007ffff7bb3000 r--p  /lib/x86_64-linux-gnu/libpthread-2.27.so
0x00007ffff7bb3000 0x00007ffff7bb4000 rw-p  /lib/x86_64-linux-gnu/libpthread-2.27.so
0x00007ffff7bb4000 0x00007ffff7bb8000 rw-p  mapped
0x00007ffff7bb8000 0x00007ffff7bd4000 r-xp  /lib/x86_64-linux-gnu/libz.so.1.2.11
0x00007ffff7bd4000 0x00007ffff7dd3000 ---p  /lib/x86_64-linux-gnu/libz.so.1.2.11
0x00007ffff7dd3000 0x00007ffff7dd4000 r--p  /lib/x86_64-linux-gnu/libz.so.1.2.11
0x00007ffff7dd4000 0x00007ffff7dd5000 rw-p  /lib/x86_64-linux-gnu/libz.so.1.2.11
0x00007ffff7dd5000 0x00007ffff7dfc000 r-xp  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7fdd000 0x00007ffff7fe2000 rw-p  mapped
0x00007ffff7ff7000 0x00007ffff7ffa000 r--p  [vvar]
0x00007ffff7ffa000 0x00007ffff7ffc000 r-xp  [vdso]
0x00007ffff7ffc000 0x00007ffff7ffd000 r--p  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7ffd000 0x00007ffff7ffe000 rw-p  /lib/x86_64-linux-gnu/ld-2.27.so
0x00007ffff7ffe000 0x00007ffff7fff000 rw-p  mapped
0x00007ffffffdd000 0x00007ffffffff000 rw-p  [stack]
0xffffffffff600000 0xffffffffff601000 r-xp  [vsyscall]
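Added example, not codedoc's own code and not part of the report above: a range-checked version of the identifier-character test that the faulting line 2903 performs. The `<ctype.h>` classifiers are only defined for values representable as `unsigned char` plus `EOF`; glibc implements them by indexing a table through `__ctype_b_loc`, which is what the `test BYTE PTR [rcx+rdx*2],0x8` instruction in the gdb dump is doing with `r12d` (0x1ca28a) as the index. The function names `is_ident_char` and `scan_identifier` are this example's own, and the input string is constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical replacement for the character-class test at codedoc.c:2903
 * (the names here are this example's own, not codedoc's). The <ctype.h>
 * classifiers are defined only for values representable as unsigned char and
 * for EOF; any other int indexes glibc's __ctype_b table out of bounds, which
 * is the read fault the ASan and gdb output above report (r12d = 0x1ca28a
 * appears to be the value of `ch` at the crash).
 */
static int is_ident_char(int ch)
{
  if (ch == EOF)
    return (0);

  /* Reject anything that is not a single byte before it reaches isalnum(). */
  if (ch < 0 || ch > UCHAR_MAX)
    return (0);

  return (isalnum((unsigned char)ch) || ch == '_' || ch == '.' ||
          ch == ':' || ch == '~');
}

/*
 * Copy the identifier at the start of `src` into `out` (NUL-terminated,
 * truncated to outsize - 1 bytes) and return its full length. Each byte is
 * widened through unsigned char so a high byte such as 0xC3 never becomes a
 * negative int on platforms where plain char is signed.
 */
static size_t scan_identifier(const char *src, char *out, size_t outsize)
{
  size_t n = 0;

  while (*src)
  {
    int ch = (unsigned char)*src;

    if (!is_ident_char(ch))
      break;

    if (n + 1 < outsize)
      out[n] = (char)ch;

    n++;
    src++;
  }

  if (outsize > 0)
    out[n < outsize ? n : outsize - 1] = '\0';

  return (n);
}

int main(void)
{
  char   buf[64];
  size_t n = scan_identifier("foo_bar::baz(int)", buf, sizeof(buf)); /* constructed input */

  printf("identifier: \"%s\" (%zu bytes)\n", buf, n);
  printf("0x1ca28a accepted: %d\n", is_ident_char(0x1ca28a));

  return (0);
}
```

The range check in `is_ident_char` is the part that matters for this report: masking `ch` down to a byte would also stop the fault, but it silently classifies garbage, whereas rejecting out-of-range values makes the unexpected input visible to the caller.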
michaelrsweet commented 5 years ago

Dupe of Issue #4.