On 6/16/17 10:57 AM, Eduardo A. Bustamante López wrote:
> On Thu, Jun 15, 2017 at 09:41:08AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==1098==ERROR: AddressSanitizer: global-buffer-overflow on address
>> 0x55e61a6b4c5c at pc 0x55e61a3426ca bp 0x7fff1820a300 sp 0x7fff1820a2f8
>> READ of size 4 at 0x55e61a6b4c5c thread T0
>> #0 0x55e61a3426c9 in bash_dequote_filename
>> (/home/dualbus/src/gnu/bash-build/bash+0x17a6c9)
>
> Easy fix. `p' is a signed char pointer, therefore when `*p = 255', it tries to
> dereference `sh_syntaxtab[-1]'.
This is right.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
