millert
commented
8 months ago This bug causes a crash with OpenBSD's malloc but on Linux you will need to use ASAN or valgrind. A reduced testcase is:
printf "route:\t194.32.71.0/24\n" | ./a.out 'BEGIN{ RS = "route:" ; FS = "\n" }{ print $1 }'ASAN output:
==3037598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000ff at pc 0x55b393121e09 bp 0x7ffe78860c30 sp 0x7ffe78860c20
READ of size 1 at 0x6250000000ff thread T0
#0 0x55b393121e08 in fnematch b.c:872
#1 0x55b39312a754 in readrec lib.c:246
#2 0x55b39312d40f in getrec lib.c:179
#3 0x55b3931304c0 in program run.c:197
#4 0x55b3931301da in execute run.c:166
#5 0x55b39313c9e7 in run run.c:141
#6 0x55b3931232da in main main.c:233
#7 0x7fc9d1423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7fc9d1423b48 in __libc_start_main_impl ../csu/libc-start.c:360
#9 0x55b393117b64 in _start (a.out+0x13b64) (BuildId: 35cebf6c2cfeab9be9c4e3a90c48ef266d6e9114)
0x6250000000ff is located 1 bytes before 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
#0 0x7fc9d18defef in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55b3931298d9 in recinit lib.c:67
#2 0x55b3931231ad in main main.c:214
#3 0x7fc9d1423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow b.c:872 in fnematch
plan9
fnematch() expects to store a NUL byte when EOF is encountered. However, the rewrite broke this assumption because r.len from getrune() is zero on EOF. This results in j becoming negative on EOF, causing an out-of-bounds access. It is simplest to just force r.len to 1 on EOF to copy a single NUL byte--the rune is initialized to zero even for EOF.
This also fixes the call to adjbuf(). We cannot use 'k' to determine when we need to expand the buffer now that we are potentially reading more than a single byte at a time.