saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

unknown segv #124

Closed cuanduo closed 4 years ago

cuanduo commented 4 years ago

A crafted PNG causes a segfault: `./img2sixel $poc` (the PoC file is attached as issue_845_poc.zip)

gdb output

gdb-peda$ r issue_845_poc.png 
Starting program: /home/tim/libsixel-asan/converters/img2sixel issue_845_poc.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x55555558d998 (<main>:    push   rbp)
RBX: 0x7fffffffdf90 --> 0x7ffff7fe2b20 (push   rbp)
RCX: 0x7fffffffffff 
RDX: 0x7fffffffe0c0 --> 0x7fffffffe416 ("SHELL=/bin/bash")
RSI: 0x7fffffffe0a8 --> 0x7fffffffe3d7 ("/home/tim/libsixel-asan/converters/img2sixel")
RDI: 0x2 
RBP: 0x7fffffffdfc0 --> 0x5555555fc840 (<__libc_csu_init>:  push   r15)
RSP: 0x7fffffffda10 --> 0x7fffffffe0a8 --> 0x7fffffffe3d7 ("/home/tim/libsixel-asan/converters/img2sixel")
RIP: 0x55555558da6d (<main+213>:    mov    rax,QWORD PTR fs:0x28)
R8 : 0xf9 
R9 : 0x0 
R10: 0x1e 
R11: 0x30 ('0')
R12: 0xffffffffb46 --> 0x0 
R13: 0x7fffffffda30 --> 0x41b58ab3 
R14: 0x7fffffffda30 --> 0x41b58ab3 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555558da49 <main+177>:   mov    DWORD PTR [r12+0x7fff8014],0xf2f2f200
   0x55555558da55 <main+189>:   mov    DWORD PTR [r12+0x7fff8018],0xf2f2f2f2
   0x55555558da61 <main+201>:   mov    DWORD PTR [r12+0x7fff80a4],0xf3f3f3f3
=> 0x55555558da6d <main+213>:   mov    rax,QWORD PTR fs:0x28
   0x55555558da76 <main+222>:   mov    QWORD PTR [rbp-0x38],rax
   0x55555558da7a <main+226>:   xor    eax,eax
   0x55555558da7c <main+228>:   mov    DWORD PTR [rbp-0x5a0],0x1000
   0x55555558da86 <main+238>:   lea    rax,[rbx-0x4c0]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffda10 --> 0x7fffffffe0a8 --> 0x7fffffffe3d7 ("/home/tim/libsixel-asan/converters/img2sixel")
0008| 0x7fffffffda18 --> 0x200001f80 --> 0x0 
0016| 0x7fffffffda20 --> 0x7ffff718da5c ("__asprintf")
0024| 0x7fffffffda28 --> 0x5abb13 
0032| 0x7fffffffda30 --> 0x41b58ab3 
0040| 0x7fffffffda38 --> 0x5555555fffc0 ("4 32 4 8 long_opt 96 4 12 option_index 160 8 7 encoder 224 1088 12 long_options ")
0048| 0x7fffffffda40 --> 0x55555558d998 (<main>:    push   rbp)
0056| 0x7fffffffda48 --> 0x7fffffffdb50 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, main (argc=0x2, argv=0x7fffffffe0a8) at img2sixel.c:342
342 {
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xffffffff --> 0x0 
RBX: 0x0 
RCX: 0x0 
RDX: 0xdb342af254eed764 
RSI: 0xffffffff --> 0x0 
RDI: 0x61a000000080 --> 0x0 
RBP: 0xdb342af254eed764 
RSP: 0xdb342af254eed764 
RIP: 0x7ffff71d6c80 (<__longjmp+80>:    jmp    rdx)
R8 : 0xdb342af254eed764 
R9 : 0xdb342af254eed764 
R10: 0xc ('\x0c')
R11: 0x7ffff769e890 (<__asan_handle_no_return>: push   r12)
R12: 0x0 
R13: 0x0 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff71d6c79 <__longjmp+73>:   mov    rsp,r8
   0x7ffff71d6c7c <__longjmp+76>:   mov    rbp,r9
   0x7ffff71d6c7f <__longjmp+79>:   nop
=> 0x7ffff71d6c80 <__longjmp+80>:   jmp    rdx
 | 0x7ffff71d6c82:  nop    WORD PTR cs:[rax+rax*1+0x0]
 | 0x7ffff71d6c8c:  nop    DWORD PTR [rax+0x0]
 | 0x7ffff71d6c90 <_longjmp_unwind>:    mov    eax,DWORD PTR [rip+0x1a672a]        # 0x7ffff737d3c0 <__libc_pthread_functions_init>
 | 0x7ffff71d6c96 <_longjmp_unwind+6>:  test   eax,eax
 |->   Cannot evaluate jump destination
                                                                  JUMP is taken
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0xdb342af254eed764
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__longjmp () at ../sysdeps/x86_64/__longjmp.S:111
111 ../sysdeps/x86_64/__longjmp.S: No such file or directory.
gdb-peda$ bt
#0  __longjmp () at ../sysdeps/x86_64/__longjmp.S:111
#1  0xdb342af254eed764 in ?? ()
Backtrace stopped: Cannot access memory at address 0xdb342af254eed764
gdb-peda$ 

asan output

root@ubuntu:/home/tim/libsixel/converters# ../../libsixel-asan/converters/img2sixel issue_845_poc.png 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==115502==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe1d9455c80 bp 0x31e704df706489fd sp 0x31e704df706489fd T0)
==115502==The signal is caused by a READ memory access.
==115502==Hint: address points to the zero page.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
saitoha commented 4 years ago

Fixed on v1.8.5. Thanks!