Bug 94760

Summary: ASAN reports heap-buffer-overflow in terminal
Product: Wayland
Reporter: comicfans44 <comicfans44>
Component: weston
Assignee: Wayland bug list <wayland-bugs>
Status: RESOLVED MOVED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:

Description comicfans44 2016-03-30 12:56:06 UTC
Hard to reproduce.
=================================================================
==1113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000876e at pc 0x40e426 bp 0x7ffe02b09400 sp 0x7ffe02b093f0
READ of size 1 at 0x60b00000876e thread T0
    #0 0x40e425 in handle_special_char clients/terminal.c:1906
    #1 0x40e7a0 in handle_char clients/terminal.c:1952
    #2 0x4135f6 in terminal_data clients/terminal.c:2169
    #3 0x4135f6 in io_handler clients/terminal.c:3018
    #4 0x430f24 in display_run clients/window.c:5970
    #5 0x406184 in main clients/terminal.c:3106
    #6 0x7fa3092d959f in __libc_start_main (/lib64/libc.so.6+0x2059f)
    #7 0x406388 in _start (/usr/bin/weston-terminal+0x406388)

0x60b00000876e is located 0 bytes to the right of 110-byte region [0x60b000008700,0x60b00000876e)
allocated by thread T0 here:
    #0 0x7fa30b2b4935 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57935)
    #1 0x40fea7 in zalloc shared/zalloc.h:38
    #2 0x40fea7 in terminal_resize_cells clients/terminal.c:782
    #3 0x40fea7 in resize_handler clients/terminal.c:872

SUMMARY: AddressSanitizer: heap-buffer-overflow clients/terminal.c:1906 handle_special_char
Shadow bytes around the buggy address:
  0x0c167fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff90c0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c167fff90d0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
=>0x0c167fff90e0: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa fa
  0x0c167fff90f0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c167fff9100: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c167fff9110: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c167fff9120: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c167fff9130: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1113==ABORTING
Comment 1 GitLab Migration User 2018-06-08 23:54:29 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/wayland/weston/issues/75.
