operators cleanup #4

Merged
merged 1 commit into from
Jun 16, 2017

@mlorek mlorek commented Jun 16, 2017

Thank you for thinking about contributing to Midnight Commander, but we ARE NOT using pull requests to manage incoming patches!

Instead, please check out our Trac instance to see if the issue has already been reported, or submit a new ticket:

https://midnight-commander.org/wiki/NewTicket

If you chose to submit the pull request instead, keep in mind that we are not checking on them regularly, so it might take ages before we even get to it, if at all.

Unfortunately, GitHub does not allow us to disable the pull requests feature for this repository, so we have to warn you this way...

@mlorek mlorek merged commit f45a614 into master Jun 16, 2017
mlorek pushed a commit that referenced this pull request Oct 26, 2022
(mc_search__g_regex_match_full_safe): fix out of bound read:
g_utf8_get_char_validated() expects a nul-terminated string.

Test case: search for "test" in
https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/linux-firmware-20201218.tar.xz

Found by clang-11

==10142==ERROR: AddressSanitizer: SEGV on unknown address 0x60c001e00000 (pc 0x7ffb352111c0 bp 0x7ffcb5745150 sp 0x7ffcb57450e8 T0)
==10142==The signal is caused by a READ memory access.
    #0 0x7ffb352111c0 in g_utf8_get_char_validated (/usr/lib64/libglib-2.0.so.0+0x811c0)
    #1 0x851e6d in mc_search__g_regex_match_full_safe /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:297:22
    #2 0x851824 in mc_search__regex_found_cond_one /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:328:10
    #3 0x84b955 in mc_search__regex_found_cond /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:377:13
    #4 0x84aa07 in mc_search__run_regex /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:955:17
    #5 0x848969 in mc_search__run_normal /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/normal.c:104:12
    #6 0x77270c in mc_search_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:308:15
    #7 0x514fd9 in search_content /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1123:20
    #8 0x511917 in do_search /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1405:26
    #9 0x512028 in find_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1597:9
    #10 0x7e285f in send_message /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:243:15
    #11 0x7e36d8 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:307:17
    #12 0x7e34c5 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:583:5
    #13 0x510aa1 in run_process /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1755:11
    #14 0x50c29e in do_find /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1789:20
    #15 0x5098e7 in find_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/find.c:1917:17
    #16 0x504735 in midnight_execute_cmd /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/filemanager.c:1251:9
    #17 0x502e00 in midnight_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/filemanager.c:1604:21
    #18 0x7eaa5c in send_message /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:243:15
    #19 0x7e7ae9 in group_handle_key /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/group.c:442:19
    #20 0x7e6a4f in group_default_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/group.c:567:16
    #21 0x7e31bf in dlg_key_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:251:19
    #22 0x7e2c12 in dlg_process_event /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:549:9
    #23 0x7e3746 in frontend_dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:320:9
    #24 0x7e34c5 in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:583:5
    #25 0x502866 in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/filemanager.c:1838:16
    #26 0x4ceb15 in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:455:21
    #27 0x7ffb34f16b49 in __libc_start_main (/lib64/libc.so.6+0x23b49)
    #28 0x4230f9 in _start (/tmp/portage/app-misc/mc-9999/work/mc-9999/src/mc+0x4230f9)

Signed-off-by: Andreas Mohr <[email protected]>
Signed-off-by: Andrew Borodin <[email protected]>
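
The commit above fixes a read past the end of a buffer that was scanned as if it were nul-terminated. As an added illustration (not code from mc or GLib), this sketch shows a UTF-8 scan driven by an explicit remaining length, so a chunk that ends in the middle of a multibyte character is reported as truncated instead of being read past. The names `utf8_decode_bounded` and `utf8_sanitize` and the sample chunk are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not GLib or mc code: decode one UTF-8 character
 * without reading at or past p + remaining. Returns bytes consumed (1..4),
 * -1 for an invalid sequence, -2 for one cut off by the end of the buffer. */
int utf8_decode_bounded(const unsigned char *p, size_t remaining, uint32_t *cp)
{
    static const uint32_t min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    uint32_t c;
    int len, i;
    if (remaining == 0) return -2;
    if (p[0] < 0x80) { *cp = p[0]; return 1; }
    if ((p[0] & 0xE0) == 0xC0) { len = 2; c = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { len = 3; c = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { len = 4; c = p[0] & 0x07; }
    else return -1;                     /* stray continuation byte or 0xF8+ */
    for (i = 1; i < len; i++) {
        if ((size_t) i >= remaining) return -2;  /* check the bound before the read */
        if ((p[i] & 0xC0) != 0x80) return -1;
        c = (c << 6) | (p[i] & 0x3F);
    }
    if (c < min_cp[len] || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return -1;                      /* overlong, out of range, surrogate */
    *cp = c;
    return len;
}

/* Replace each byte that does not start a valid character with '?', in place.
 * Returns the number of bytes replaced. */
size_t utf8_sanitize(unsigned char *buf, size_t len)
{
    size_t pos = 0, replaced = 0;
    while (pos < len) {
        uint32_t cp;
        int n = utf8_decode_bounded(buf + pos, len - pos, &cp);
        if (n > 0) pos += (size_t) n;
        else { buf[pos++] = '?'; replaced++; }
    }
    return replaced;
}

int main(void)
{
    /* Constructed chunk: no NUL, ends in the middle of U+20AC (E2 82 AC). */
    unsigned char chunk[4] = { 't', 'e', 0xE2, 0x82 };
    printf("replaced %zu bytes\n", utf8_sanitize(chunk, sizeof chunk));
    return 0;
}
```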
mlorek pushed a commit that referenced this pull request Feb 23, 2023
Normal start results in this AddressSanitizer hit.

=================================================================
==17167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200005b251 at pc 0x5983b1c3be5f bp 0x7ffcc27f4310 sp 0x7ffcc27f4308
WRITE of size 1 at 0x60200005b251 thread T0
    #0 0x5983b1c3be5e in mc_search__change_case_str /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/lib.c:84:14
    #1 0x5983b1c3c03f in mc_search__toupper_case_str /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/lib.c:200:12
    #2 0x5983b1d1b434 in mc_search__cond_struct_new_regex_hex_add /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:130:11
    #3 0x5983b1d1ad7f in mc_search__cond_struct_new_regex_accum_append /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:180:17
    #4 0x5983b1d147c9 in mc_search__cond_struct_new_regex_ci_str /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:251:5
    #5 0x5983b1d136fa in mc_search__cond_struct_new_init_regex /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:817:39
    #6 0x5983b1c3d7f0 in mc_search__cond_struct_new /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:80:9
    #7 0x5983b1c3d2e5 in mc_search_prepare /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:219:26
    #8 0x5983b1c3d9c3 in mc_search_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:297:10
    #9 0x5983b1c359f2 in mc_fhl_get_color_regexp /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/filehighlight/get-color.c:243:9
    #10 0x5983b1c35385 in mc_fhl_get_color /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/filehighlight/get-color.c:278:19
    #11 0x5983b1a1208f in file_compute_color /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:784:12
    #12 0x5983b1a10bfd in format_file /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:814:17
    #13 0x5983b1a0fb17 in repaint_file /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:954:15
    #14 0x5983b1a0c0b6 in paint_dir /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:1071:9
    #15 0x5983b19fab96 in panel_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:3731:9
    #16 0x5983b1d08775 in widget_draw /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/widget-common.c:539:19
    #17 0x5983b1d078eb in widget_default_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/widget-common.c:841:17
    #18 0x5983b1cb3c0b in widget_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:383:12
    #19 0x5983b1cb286c in group_default_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/group.c:691:17
    #20 0x5983b1caa8ab in widget_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:383:12
    #21 0x5983b1cacd14 in dlg_init /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:540:5
    #22 0x5983b1cada9d in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:601:5
    #23 0x5983b19cddd9 in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/filemanager.c:1827:16
    #24 0x5983b1999605 in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:455:21
    #25 0x7d3944d620cb  (/lib64/libc.so.6+0x220cb)
    #26 0x7d3944d6217b in __libc_start_main (/lib64/libc.so.6+0x2217b)
    #27 0x5983b18d7d10 in _start (/usr/bin/mc+0x277d10)

0x60200005b251 is located 0 bytes to the right of 1-byte region [0x60200005b250,0x60200005b251)
allocated by thread T0 here:
    #0 0x5983b195ee89 in malloc (/usr/bin/mc+0x2fee89)
    #1 0x7d3945014ef9 in g_malloc (/usr/lib64/libglib-2.0.so.0+0x54ef9)
    #2 0x5983b1c3c03f in mc_search__toupper_case_str /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/lib.c:200:12
    #3 0x5983b1d1b434 in mc_search__cond_struct_new_regex_hex_add /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:130:11
    #4 0x5983b1d1ad7f in mc_search__cond_struct_new_regex_accum_append /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:180:17
    #5 0x5983b1d147c9 in mc_search__cond_struct_new_regex_ci_str /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:251:5
    #6 0x5983b1d136fa in mc_search__cond_struct_new_init_regex /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/regex.c:817:39
    #7 0x5983b1c3d7f0 in mc_search__cond_struct_new /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:80:9
    #8 0x5983b1c3d2e5 in mc_search_prepare /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:219:26
    #9 0x5983b1c3d9c3 in mc_search_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/search.c:297:10
    #10 0x5983b1c359f2 in mc_fhl_get_color_regexp /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/filehighlight/get-color.c:243:9
    #11 0x5983b1c35385 in mc_fhl_get_color /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/filehighlight/get-color.c:278:19
    #12 0x5983b1a1208f in file_compute_color /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:784:12
    #13 0x5983b1a10bfd in format_file /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:814:17
    #14 0x5983b1a0fb17 in repaint_file /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:954:15
    #15 0x5983b1a0c0b6 in paint_dir /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:1071:9
    #16 0x5983b19fab96 in panel_callback /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/panel.c:3731:9
    #17 0x5983b1d08775 in widget_draw /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/widget-common.c:539:19
    #18 0x5983b1d078eb in widget_default_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/widget-common.c:841:17
    #19 0x5983b1cb3c0b in widget_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:383:12
    #20 0x5983b1cb286c in group_default_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/group.c:691:17
    #21 0x5983b1caa8ab in widget_set_state /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/../../lib/widget/widget-common.h:383:12
    #22 0x5983b1cacd14 in dlg_init /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:540:5
    #23 0x5983b1cada9d in dlg_run /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/widget/dialog.c:601:5
    #24 0x5983b19cddd9 in do_nc /tmp/portage/app-misc/mc-9999/work/mc-9999/src/filemanager/filemanager.c:1827:16
    #25 0x5983b1999605 in main /tmp/portage/app-misc/mc-9999/work/mc-9999/src/main.c:455:21
    #26 0x7d3944d620cb  (/lib64/libc.so.6+0x220cb)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-misc/mc-9999/work/mc-9999/lib/search/lib.c:84:14 in mc_search__change_case_str
==17167==ABORTING

Found by clang 15.

Signed-off-by: Andreas Mohr <[email protected]>
Signed-off-by: Andrew Borodin <[email protected]>