Seg fault in fy-atom.c on malformed input #118

gabe-sherman · 2024-08-09T19:16:40Z

A seg faults occurs at line 708 in fy-atom.c when the below code is provided a malformed input:

#include <stdarg.h>
#include <libfyaml.h>

int main(int argc, char *argv[])
{
   struct fy_document* doc = fy_document_build_from_file(NULL, argv[1]);
   fy_emit_document_to_file(doc, FYECF_MODE_JSON, "/tmp/file");
   return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 592ccc1

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c1

Address Sanitizer Output

==1994304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555559392b7 bp 0x7ffff5a01440 sp 0x7fffffffd600 T0)
==1994304==The signal is caused by a READ memory access.
==1994304==Hint: address points to the zero page.
    #0 0x5555559392b7 in fy_atom_iter_line /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:708:11
    #1 0x55555592f7af in fy_atom_iter_format /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:829:7
    #2 0x5555559334a7 in fy_atom_iter_read /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1326:10
    #3 0x555555933b98 in fy_atom_iter_utf8_get /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1408:10
    #4 0x555555934fcc in fy_atom_iter_utf8_peek /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1497:6
    #5 0x555555934fcc in fy_atom_is_number /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1587:14
    #6 0x5555557a5398 in fy_emit_token_scalar_style /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:1315:4
    #7 0x5555557a5398 in fy_emit_token_scalar /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:1411:10
    #8 0x55555579bfa6 in fy_emit_node_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:714:3
    #9 0x5555557b1e3c in fy_emit_root_node_no_check /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2218:2
    #10 0x5555557b1e3c in fy_emit_document_no_check /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2262:7
    #11 0x5555557b433e in fy_emit_document_to_fp /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2681:7
    #12 0x5555557b44e3 in fy_emit_document_to_file /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2699:7
    #13 0x555555744222 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c1/rep.c:7:4
    #14 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c1/r.out+0x1173a4) (BuildId: 7d209317532d4cbd470fda6bbafb6be8926018c2)

The text was updated successfully, but these errors were encountered:

We didn't calculate the hint size correctly; the bug was apparent in debugging builds, alas on release builds we got a SEGV. Fixes issue #118 Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>

pantoniou · 2024-09-27T09:34:29Z

967114e fixes this.

Thanks a lot!

pantoniou closed this as completed Sep 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Seg fault in fy-atom.c on malformed input #118

Seg fault in fy-atom.c on malformed input #118

gabe-sherman commented Aug 9, 2024

pantoniou commented Sep 27, 2024

Seg fault in fy-atom.c on malformed input #118

Seg fault in fy-atom.c on malformed input #118

Comments

gabe-sherman commented Aug 9, 2024

Test Environment

How to trigger

Version

POC File

Address Sanitizer Output

pantoniou commented Sep 27, 2024