ramosian-glider / sanitizer-issues


AddressSanitizer.StrCatOOBTest fails on Mountain Lion #96

Closed ramosian-glider closed 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 96

[ RUN      ] AddressSanitizer.StrCatOOBTest
=================================================================
==35590== ERROR: AddressSanitizer heap-buffer-overflow on address 0x0177ca7f at pc
0x28e50b bp 0xbffbbc88 sp 0xbffbbc78
READ of size 1 at 0x0177ca7f thread T0
    #0 0x28e50a in wrap_strlen (in asan_test32) + 138
    #1 0x99fa73f8 in strcat (in libsystem_c.dylib) + 19
    #2 0x28da56 in wrap_strcat (in asan_test32) + 758
    #3 0x92485 in AddressSanitizer_StrCatOOBTest_Test::TestBody _asan_rtl_
    #4 0x175580 in testing::Test::Run gtest.cc:2086
    #5 0x17ad6a in testing::internal::TestInfoImpl::Run gtest.cc:2305
    #6 0x17f27c in testing::TestCase::Run gtest.cc:2413
    #7 0x19e859 in testing::internal::UnitTestImpl::RunAllTests gtest.cc:4016
    #8 0x19d8cd in testing::UnitTest::Run gtest.cc:3683
    #9 0xc3b86 in main _asan_rtl_
    #10 0x97de5724 in start (in libdyld.dylib) + 0
    #11 0x2
0x0177ca7f is located 1 bytes to the left of 100-byte region [0x0177ca80,0x0177cae4)
allocated by thread T0 here:
    #0 0x291b7b in (anonymous namespace)::mz_malloc(_malloc_zone_t*, unsigned long)
(in asan_test32) + 43
    #1 0x99f96556 in malloc_zone_malloc (in libsystem_c.dylib) + 74
    #2 0x99f96f92 in malloc (in libsystem_c.dylib) + 52
    #3 0x922cf in AddressSanitizer_StrCatOOBTest_Test::TestBody _asan_rtl_
    #4 0x175580 in testing::Test::Run gtest.cc:2086
    #5 0x17ad6a in testing::internal::TestInfoImpl::Run gtest.cc:2305
    #6 0x17f27c in testing::TestCase::Run gtest.cc:2413
    #7 0x19e859 in testing::internal::UnitTestImpl::RunAllTests gtest.cc:4016
    #8 0x19d8cd in testing::UnitTest::Run gtest.cc:3683
    #9 0xc3b86 in main _asan_rtl_
    #10 0x97de5724 in start (in libdyld.dylib) + 0
    #11 0x2
==35590== ABORTING
Stats: 0M malloced (0M for red zones) by 2855 calls
Stats: 0M realloced by 26 calls
Stats: 0M freed by 1322 calls
Stats: 0M really freed by 0 calls
Stats: 16M (4097 full pages) mmaped in 4 calls
  mmaps   by size class: 8:16383; 9:8191; 10:4095; 15:128;
  mallocs by size class: 8:2749; 9:39; 10:66; 15:1;
  frees   by size class: 8:1220; 9:38; 10:64;
  rfrees  by size class:
Stats: malloc large: 0 small slow: 9
Shadow byte and word:
  0x202ef94f: fa
  0x202ef94c: fa fa fa fa
More shadow bytes:
  0x202ef93c: fb fb fb fb
  0x202ef940: fa fa fa fa
  0x202ef944: fa fa fa fa
  0x202ef948: fa fa fa fa
=>0x202ef94c: fa fa fa fa
  0x202ef950: 00 00 00 00
  0x202ef954: 00 00 00 00
  0x202ef958: 00 00 00 00
  0x202ef95c: 04 fb fb fb

Reported by ramosian.glider on 2012-08-01 16:40:37

ramosian-glider commented 9 years ago
Here's where the error is reported:

1229   // Catenate empty string is not always an error.
1230   strcat(to - 1, from + from_size - 1);

WTF? Isn't it a real bug?

Reported by ramosian.glider on 2012-08-01 16:46:51

ramosian-glider commented 9 years ago
Ditto for StrNCatOOBTest:

1265   // Catenating empty string is not an error.
1266   strncat(to - 1, from, 0);

Reported by ramosian.glider on 2012-08-01 16:50:08

ramosian-glider commented 9 years ago
Looks like strcat just calls strlen for both arguments on 10.8.

Reported by ramosian.glider on 2012-08-01 17:08:33
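An added example, not code from the issue or from the sanitizer sources, that models the two checking strategies this thread contrasts: a strcat-level check that never examines the destination when the source is empty, versus an intercepted strlen that reads the byte at to[-1] as soon as it is called on to - 1. The single-chunk layout, the range predicate and both check functions are assumed simplifications (g_base, CHUNK, setup_strings and the two scenario functions are my names), not ASan's real interceptor logic.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of one 100-byte heap chunk with redzones on both sides:
   bytes outside [g_base, g_base + CHUNK) are unaddressable (shadow 'fa'). */
#define CHUNK 100
static char g_backing[CHUNK + 32];
static char *g_base = g_backing + 16;

static bool range_addressable(const char *p, size_t n) {
    return p >= g_base && p + n <= g_base + CHUNK;
}

/* Intercepted strlen: reads the string including its NUL, so strlen(to - 1)
   touches the redzone byte at to[-1]. */
static bool strlen_check_ok(const char *s) {
    return range_addressable(s, strlen(s) + 1);
}

/* Assumed, simplified strcat-level check (not ASan's actual interceptor):
   read the source including its NUL, but only examine the destination when
   there is something to append, which lets an empty-source strcat pass. */
static bool strcat_check_ok(char *to, const char *from) {
    size_t from_len = strlen(from);
    if (!range_addressable(from, from_len + 1)) return false;
    if (from_len == 0) return true;            /* 'to' is never touched */
    return range_addressable(to, strlen(to) + from_len + 1);
}

/* Lay out the test's strings: empty destination at offset 0, "abc" at 80. */
static char *setup_strings(const char **from_out) {
    memset(g_backing, 0, sizeof g_backing);
    *from_out = strcpy(g_base + 80, "abc");
    return g_base;
}

/* The test's case: destination one byte left of the chunk, source empty
   (from + 3 is the NUL, like from + from_size - 1). The strcat-level check
   passes, but a strlen on the destination, which is what libc's strcat did
   on 10.8, reports the 1-byte read of to[-1]. */
bool empty_source_left_oob(void) {
    const char *from;
    char *to = setup_strings(&from);
    return strcat_check_ok(to - 1, from + 3) && !strlen_check_ok(to - 1);
}

/* Non-empty source with the same destination: both checks report. */
bool nonempty_source_left_oob(void) {
    const char *from;
    char *to = setup_strings(&from);
    return !strcat_check_ok(to - 1, from) && !strlen_check_ok(to - 1);
}
```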

ramosian-glider commented 9 years ago
Fixed in Clang r161167.

Reported by ramosian.glider on 2012-08-02 10:41:42

ramosian-glider commented 9 years ago

Reported by ramosian.glider on 2012-08-02 10:42:32

ramosian-glider commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:59