Seg fault in fy-atom.c on malformed input #118

Open
gabe-sherman opened this issue Aug 9, 2024 · 0 comments

A seg fault occurs at line 708 in fy-atom.c when the code below is given a malformed input:

#include <stdio.h>
#include <libfyaml.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 1;
    }
    /* Parse the (possibly malformed) input file into a document. */
    struct fy_document *doc = fy_document_build_from_file(NULL, argv[1]);
    if (!doc)
        return 1;
    /* Re-emitting the document as JSON is where the crash occurs (see the ASan trace). */
    fy_emit_document_to_file(doc, FYECF_MODE_JSON, "/tmp/file");
    fy_document_destroy(doc);
    return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 592ccc1

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c1

Address Sanitizer Output

==1994304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555559392b7 bp 0x7ffff5a01440 sp 0x7fffffffd600 T0)
==1994304==The signal is caused by a READ memory access.
==1994304==Hint: address points to the zero page.
    #0 0x5555559392b7 in fy_atom_iter_line /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:708:11
    #1 0x55555592f7af in fy_atom_iter_format /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:829:7
    #2 0x5555559334a7 in fy_atom_iter_read /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1326:10
    #3 0x555555933b98 in fy_atom_iter_utf8_get /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1408:10
    #4 0x555555934fcc in fy_atom_iter_utf8_peek /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1497:6
    #5 0x555555934fcc in fy_atom_is_number /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-atom.c:1587:14
    #6 0x5555557a5398 in fy_emit_token_scalar_style /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:1315:4
    #7 0x5555557a5398 in fy_emit_token_scalar /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:1411:10
    #8 0x55555579bfa6 in fy_emit_node_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:714:3
    #9 0x5555557b1e3c in fy_emit_root_node_no_check /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2218:2
    #10 0x5555557b1e3c in fy_emit_document_no_check /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2262:7
    #11 0x5555557b433e in fy_emit_document_to_fp /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2681:7
    #12 0x5555557b44e3 in fy_emit_document_to_file /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-emit.c:2699:7
    #13 0x555555744222 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c1/rep.c:7:4
    #14 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c1/r.out+0x1173a4) (BuildId: 7d209317532d4cbd470fda6bbafb6be8926018c2)