[asterisk-bugs] [JIRA] (ASTERISK-24804) ASAN heap-buffer-overflow c_setpat
Badalian Vyacheslav (JIRA)
noreply at issues.asterisk.org
Tue Feb 17 15:15:34 CST 2015
Badalian Vyacheslav created ASTERISK-24804:
----------------------------------------------
Summary: ASAN heap-buffer-overflow c_setpat
Key: ASTERISK-24804
URL: https://issues.asterisk.org/jira/browse/ASTERISK-24804
Project: Asterisk
Issue Type: Bug
Security Level: None
Affects Versions: 11.15.0
Reporter: Badalian Vyacheslav
Severity: Minor
# asterisk -r
and type 'з' (add a RU UTF-8 keyboard layout and press the 'p' key)
{code}
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
#0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
#1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
#2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
#3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
#4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
#5 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
#6 0x42d304 (/usr/sbin/asterisk+0x42d304)
0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
#0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
#1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
#2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
#3 0x46d43b in ast_el_initialize /root/asterisk-11.15.0/main/asterisk.c:2988
#4 0x47c5a4 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3174
#5 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
#6 0x7f5190f71d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
Shadow bytes around the buggy address:
0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff83b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==2802==ABORTING
{code}
May be related to ASTERISK-24801
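Added example, not part of the bug report or of the Asterisk code base: a small Python triage helper that parses an AddressSanitizer report of the shape shown above and reduces it to the facts a triager needs (access type and size, offset of the fault relative to the allocation, the first non-runtime frame of the access and allocation stacks, and a coarse class such as "off-by-one read past end"). The embedded SAMPLE_REPORT is a constructed excerpt of the report above with the shadow-byte dump omitted; the regular expressions, the RUNTIME_FUNCS list and the classification rules are this example's own assumptions about ASan's text output, not an ASan API. It also understands the "left of" and "inside of" region phrasings ASan uses for underflows and use-after-free, which this report does not exercise.

```python
"""Triage helper for AddressSanitizer reports (added example; not Asterisk/editline code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the report from the bug above (shadow bytes dropped).
SAMPLE_REPORT = """\
==2802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001d80 at pc 0x77585e bp 0x7fff723064e0 sp 0x7fff723064d8
READ of size 1 at 0x619000001d80 thread T0
    #0 0x77585d in c_setpat /root/asterisk-11.15.0/main/editline/search.c:184
    #1 0x776b0e in ed_search_prev_history /root/asterisk-11.15.0/main/editline/common.c:756
    #2 0x78707c in el_gets /root/asterisk-11.15.0/main/editline/read.c:475
    #3 0x47c316 in ast_remotecontrol /root/asterisk-11.15.0/main/asterisk.c:3182
    #4 0x42a652 in main /root/asterisk-11.15.0/main/asterisk.c:4029
0x619000001d80 is located 0 bytes to the right of 1024-byte region [0x619000001980,0x619000001d80)
allocated by thread T0 here:
    #0 0x394ae547ef in malloc (/usr/lib64/libasan.so.1+0x394ae547ef)
    #1 0x780b89 in search_init /root/asterisk-11.15.0/main/editline/search.c:73
    #2 0x780b89 in el_init /root/asterisk-11.15.0/main/editline/el.c:92
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterisk-11.15.0/main/editline/search.c:184 c_setpat
"""

# Assumed line shapes (ASan's text format, as observed in reports like the one above).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)\s*(?P<loc>.*)$")
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|(?P<inside>inside) of) "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-fA-F]+),(?P<hi>0x[0-9a-fA-F]+)\)")
STACK_HDR_RE = re.compile(r"^(?P<which>allocated|freed) by thread \S+ here:")

# Allocator/runtime frames to skip when looking for the first frame in project code (assumption).
RUNTIME_FUNCS = {"malloc", "calloc", "realloc", "free", "operator", "__interceptor_malloc"}


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line" or "(module+offset)"


@dataclass
class AsanReport:
    kind: str = ""
    op: str = ""
    access_size: int = 0
    fault_addr: int = 0
    distance: int = 0          # bytes between the fault and the region edge
    side: str = ""             # "left", "right" or "inside"
    region_size: int = 0
    region_lo: int = 0
    region_hi: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # "allocated" / "freed"

    def offset_from_region_start(self) -> int:
        # For a right-side overflow this equals region_size + distance (the out-of-range index).
        return self.fault_addr - self.region_lo

    def first_user_frame(self, stack: List[Frame]) -> Optional[Frame]:
        for f in stack:
            if f.func not in RUNTIME_FUNCS and not f.func.startswith("__"):
                return f
        return None

    def classify(self) -> str:
        if self.side == "left":
            return "underflow-before-region"
        if self.side == "inside":
            return "access-inside-region"  # what ASan reports for use-after-free
        bytes_past_end = self.distance + self.access_size
        if bytes_past_end == 1 and self.op == "READ":
            return "off-by-one-read-past-end"
        return f"{self.op.lower()}-past-end"


def parse_asan_report(text: str) -> AsanReport:
    r = AsanReport()
    current: Optional[List[Frame]] = None  # stack currently being collected
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SUMMARY:"):
            break
        m = ERROR_RE.search(line)
        if m:
            r.kind, r.fault_addr = m.group("kind"), int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.match(line)
        if m:
            r.op, r.access_size = m.group("op"), int(m.group("size"))
            current = r.access_stack
            continue
        m = REGION_RE.search(line)
        if m:
            r.distance = int(m.group("dist"))
            r.side = m.group("side") or m.group("inside")
            r.region_size = int(m.group("rsize"))
            r.region_lo, r.region_hi = int(m.group("lo"), 16), int(m.group("hi"), 16)
            current = None
            continue
        m = STACK_HDR_RE.match(line)
        if m:
            current = r.stacks.setdefault(m.group("which"), [])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group("n")), m.group("func"), m.group("loc").strip()))
    # Consistency checks: a report whose numbers disagree is not worth acting on.
    if r.region_hi - r.region_lo != r.region_size:
        raise ValueError("region bounds disagree with stated region size")
    if r.side == "right" and r.fault_addr != r.region_hi + r.distance:
        raise ValueError("fault address disagrees with region end")
    return r


def triage(text: str) -> Dict[str, str]:
    r = parse_asan_report(text)
    site = r.first_user_frame(r.access_stack)
    alloc = r.first_user_frame(r.stacks.get("allocated", []))
    return {
        "kind": r.kind,
        "class": r.classify(),
        "access": f"{r.op} {r.access_size} byte(s) at offset {r.offset_from_region_start()} of a {r.region_size}-byte region",
        "fault_site": f"{site.func} {site.location}" if site else "?",
        "alloc_site": f"{alloc.func} {alloc.location}" if alloc else "?",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k:11}: {v}")
```

For the report above this yields a READ of 1 byte at offset 1024 of the 1024-byte region allocated in search_init, classified as an off-by-one read past the end, with c_setpat at search.c:184 as the faulting frame. That combination (read, one byte, exactly at the end of the allocation) points a triager at how the fault site bounds or terminates its pattern buffer rather than at the callers further up the stack.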