dualbus@debian:~/bash-fuzzing/bash-parser$ cat -v malloc-read_token_word P[00000000$(0^A0000000000000000^A000$(0000000000 d0=(^?00^?00000^?00000000>0000000^?0000^A00)000000000000000^?00^?0000000000000)000000^?00000000000)0000000000^A000000000000000000000000000000000000000000000000000000000000000000000000000000^A0000000000000000000000000000000000^?00000000000000^A00000000000000000000^?000^?0^A0^?00000000000000^?0000000000000000000000^?0000000000000000000000000^?00000000000000000000000000000^?0000^?00000000000000000000000^?0000^?000000000000000000000000000000000]0=00^?000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000^A0
dualbus@debian:~/bash-fuzzing/bash-parser$ base64 malloc-read_token_word UFswMDAwMDAwMCQoMAEwMDAwMDAwMDAwMDAwMDAwATAwMCQoMDAwMDAwMDAwMApkMD0ofzAwfzAw MDAwfzAwMDAwMDAwPjAwMDAwMDB/MDAwMAEwMCkwMDAwMDAwMDAwMDAwMDB/MDB/MDAwMDAwMDAw MDAwMCkwMDAwMDB/MDAwMDAwMDAwMDApMDAwMDAwMDAwMAEwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAB MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH8wMDAwMDAwMDAwMDAwMAEwMDAwMDAw MDAwMDAwMDAwMDAwMH8wMDB/MAEwfzAwMDAwMDAwMDAwMDAwfzAwMDAwMDAwMDAwMDAwMDAwMDAw MDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMH8wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MH8wMDAwfzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwfzAwMDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwXTA9MDB/MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwATAK dualbus@debian:~/bash-fuzzing/bash-parser$ md5sum malloc-read_token_word 2b926f1f4f79b55b02f13d421fe7443e malloc-read_token_word dualbus@debian:~/bash-fuzzing/bash-parser$ gdb ~/src/gnu/bash/bash [...] 
(gdb) r -n malloc-read_token_word Starting program: /home/dualbus/src/gnu/bash/bash -n malloc-read_token_word malloc-read_token_word: command substitution: line 4: syntax error near unexpected token `>' malloc-read_token_word: command substitution: line 4: `d0=(000000000000000>0000000000000)000000000000000000000000000000)00000000000000000)000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000]0=' TRACE: pid 31372: parse_string: longjmp executed: code = 2 malloc: ./parse.y:5101: assertion botched malloc: 0x829a08: allocated: last allocated from ./parse.y:4805 realloc: start and end chunk sizes differ Aborting... Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. 
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff76413fa in __GI_abort () at abort.c:89
#2 0x000000000045c745 in programming_error (format=0x551de4 "realloc: start and end chunk sizes differ") at error.c:175
#3 0x00000000005335c2 in xbotch (mem=0x829a08, e=8, s=0x551de4 "realloc: start and end chunk sizes differ", file=0x538059 "./parse.y", line=5101) at malloc.c:329
#4 0x00000000005324a5 in internal_realloc (mem=0x829a08, n=1008, file=0x538059 "./parse.y", line=5101, flags=1) at malloc.c:1036
#5 0x00000000005321e1 in sh_realloc (ptr=0x829a08, size=1008, file=0x538059 "./parse.y", line=5101) at malloc.c:1262
#6 0x00000000004b8093 in sh_xrealloc (pointer=0x829a08, bytes=1008, file=0x538059 "./parse.y", line=5101) at xmalloc.c:206
#7 0x00000000004348fc in read_token_word (character=48) at ./parse.y:5100
#8 0x0000000000431748 in read_token (command=0) at ./parse.y:3330
#9 0x000000000042c14e in yylex () at ./parse.y:2675
#10 0x0000000000428abe in yyparse () at y.tab.c:1827
#11 0x00000000004285ab in parse_command () at eval.c:294
#12 0x0000000000428392 in read_command () at eval.c:338
#13 0x0000000000428091 in reader_loop () at eval.c:140
#14 0x00000000004253bb in main (argc=3, argv=0x7fffffffe458, env=0x7fffffffe478) at shell.c:794