Closed Siyuan-Li201 closed 3 months ago
I have been troubled by this error for a long time. May I ask for your insight on what the issue might be?
Hi, I am sorry for the inconvenience.
Sparrow converts the given source code into CIL representation before the analysis. Thus, if the CIL interprets the line numbers differently, it may not be visible to the analysis logic. For example, in the CIL representation of the following code, there are no lines 2 and 3, but there is only line 1, where the condition of the if statement begins.
1: if ( foo() &&
2: goo() &&
3: moo() )
If you provide me the +-3 lines of the target line tif_dir.c:1056, I might be able to check if this is the case.
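The line-collapsing effect described above, as an added example that is not Sparrow's or DAFL's code: a small Python check that flags source lines a CIL-style front end would fold into the line where the enclosing condition begins, so a target line inside a multi-line `if (...)` can be reported before running the analysis. It approximates the behaviour by tracking parenthesis depth only; multi-line block comments and string literals containing parentheses are deliberately not handled. Both samples are constructed from the snippets in this thread.

```python
"""
Map each source line to the line where its enclosing statement begins,
approximating how a CIL-style front end collapses a multi-line condition
onto the line where the condition opens.  Added example; simplified C
handling (no multi-line block comments, no parentheses inside strings).
"""
import re

# Constructed from the maintainer's example: a condition spanning 3 lines.
SAMPLE_IF = """if ( foo() &&
goo() &&
moo() )
"""

# Constructed from the gdb listing in this thread (lines 1051-1059 of tif_dir.c).
SAMPLE_TIF_DIR = """\
if (fip->field_passcount) {
    if (fip->field_readcount == TIFF_VARIABLE2)
        *va_arg(ap, uint32*) = (uint32)tv->count;
    else /* Assume TIFF_VARIABLE */
        *va_arg(ap, uint16*) = (uint16)tv->count;
    *va_arg(ap, void **) = tv->value;
    ret_val = 1;
} else if (fip->field_tag == TIFFTAG_DOTRANGE
           && strcmp(fip->field_name,"DotRange") == 0) {
"""


def _strip_comments(line):
    """Remove // and single-line /* */ comments so their text cannot unbalance parens."""
    line = re.sub(r'/\*.*?\*/', '', line)
    return re.sub(r'//.*', '', line)


def statement_start_lines(src, first_line=1):
    """Return {line: start_line} for every line of src.

    A line that begins while an outer '(' is still open maps to the line
    where that '(' was opened (the line the collapsed statement keeps);
    every other line maps to itself.
    """
    mapping = {}
    depth = 0
    open_line = None
    for offset, line in enumerate(src.splitlines()):
        lineno = first_line + offset
        mapping[lineno] = open_line if depth > 0 else lineno
        for ch in _strip_comments(line):
            if ch == '(':
                if depth == 0:
                    open_line = lineno
                depth += 1
            elif ch == ')':
                depth = max(depth - 1, 0)
                if depth == 0:
                    open_line = None
    return mapping


def collapsed_lines(src, first_line=1):
    """Lines that would not exist as their own line after collapsing."""
    return sorted(l for l, s in statement_start_lines(src, first_line).items() if s != l)


def resolve_target(src, target_line, first_line=1):
    """The line a target should be given as after collapsing; raises if out of range."""
    mapping = statement_start_lines(src, first_line)
    if target_line not in mapping:
        raise ValueError("target line %d not in snippet" % target_line)
    return mapping[target_line]


if __name__ == "__main__":
    print("collapsed in SAMPLE_IF:", collapsed_lines(SAMPLE_IF))
    print("tif_dir.c:1056 resolves to", resolve_target(SAMPLE_TIF_DIR, 1056, 1051))
    print("tif_dir.c:1059 resolves to", resolve_target(SAMPLE_TIF_DIR, 1059, 1051))
```

On the thread's own snippet, line 1056 is a plain one-line statement and resolves to itself, while 1059 (the continuation of the `else if` condition) resolves to 1058; that distinguishes the CIL explanation from the "line not seen at all" symptom reported later in the thread.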
Thank you very much for your prompt reply. The following is the context of tif_dir.c:1056:
(gdb) list tif_dir.c:1056
1051     if (fip->field_passcount) {
1052         if (fip->field_readcount == TIFF_VARIABLE2)
1053             *va_arg(ap, uint32*) = (uint32)tv->count;
1054         else /* Assume TIFF_VARIABLE */
1055             *va_arg(ap, uint16*) = (uint16)tv->count;
1056         *va_arg(ap, void **) = tv->value;
1057         ret_val = 1;
1058     } else if (fip->field_tag == TIFFTAG_DOTRANGE
1059                && strcmp(fip->field_name,"DotRange") == 0) {
1060         /* TODO: This is an evil exception and should not have been
In addition, I debugged the code of sparrow and found that in the comparison with target_node in /sparrow/src/slicing/slicingUtils.ml, the source code lines extracted by static analysis did not include tif_dir.c:1056. It did not even include any code lines between 900-1100. I was going to try using tif_dir.c:824, the starting address of the function where tif_dir.c:1056 is located, which is in the comparison node list of sparrow. The node list is as follows, excluding 1056: nodes_output.txt
Hmm, that is strange...
In my experience, when Sparrow does not recognize some line, it is either due to CIL representation, or the line residing inside an unreachable function. However, in your case, some lines of the same function are recognized while others are not. I guess giving line tif_dir.c:824 can be an alternative.
Thanks for your reply. I successfully verified the vulnerability using the alternative line. I will try more to see if this is a common issue. Before that, I will close this issue.
Thank you for open-sourcing such meaningful work. However, I encountered an error when using DAFL to test libtiff for CVE-2016-10095. I followed the README to perform smake analysis, but an error occurred at the Sparrow step. The error message is as follows:
But I set the target line in /benchmark/target/tiffsplit/2016-10095:
I dynamically debugged run_sparrow.py and ensured that the executed cmd was as follows (including the target line):
The complete error message is as follows:
The SLICE_TARGETS:
The output of smake: