Closed
How to reproduce:
0. Build tmux with clang-3.6 -fsanitize=address (version: latest master).
1. ./tmux.asan new -d cat tmux-read-error.bug
Input
$ xxd tmux-read-error.bug # use "xxd -r" to revert
=================================================================
==10491==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000016f9 at pc 0x00000057504d bp 0x7fff9f38c8d0 sp 0x7fff9f38c8c8
READ of size 1 at 0x6040000016f9 thread T0
#0 0x57504c (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x57504c)
#1 0x577710 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x577710)
#2 0x66dca0 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x66dca0)
#3 0x7ff4c35da7c9 (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0x187c9)
#4 0x7ff4c35cff23 (/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5+0xdf23)
#5 0x5dea39 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5dea39)
#6 0x4fa830 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4fa830)
#7 0x4fb05f (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4fb05f)
#8 0x5fff02 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5fff02)
#9 0x7ff4c24bdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#10 0x44acb6 (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x44acb6)
0x6040000016f9 is located 2 bytes to the right of 39-byte region [0x6040000016d0,0x6040000016f7)
allocated by thread T0 here:
#0 0x4d1deb (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x4d1deb)
#1 0x5c8e7f (/home/kcwu/fuzz/targets/tmux/run/tmux.asan+0x5c8e7f)
Shadow bytes around the buggy address:
0x0c087fff8280: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c087fff8290: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff82a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 01 fa
0x0c087fff82b0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 01 fa
0x0c087fff82c0: fa fa 00 00 00 00 02 fa fa fa 00 00 00 00 01 fa
=>0x0c087fff82d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 07[fa]
0x0c087fff82e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff82f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff8300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff8310: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff8320: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10491==ABORTING
This was found by afl-fuzz.
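To show how the sanitizer report above is read, here is an added triage helper, not part of this issue or of tmux: it parses the access, region and shadow lines, assumes the default x86_64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000), and checks that the `07` shadow byte before the faulting `[fa]` really encodes the 7 valid tail bytes of the 39-byte allocation, so that a 1-byte read 2 bytes past the end lands in the redzone.

```python
import re
# Constructed excerpt of the AddressSanitizer report above; only the lines this triage reads.
ASAN_EXCERPT = """\
READ of size 1 at 0x6040000016f9 thread T0
0x6040000016f9 is located 2 bytes to the right of 39-byte region [0x6040000016d0,0x6040000016f7)
Shadow bytes around the buggy address:
=>0x0c087fff82d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 07[fa]
"""

GRANULE = 8                 # one shadow byte describes 8 application bytes
SHADOW_OFFSET = 0x7FFF8000  # x86_64 Linux mapping assumed: shadow = (addr >> 3) + offset
LEGEND = {0xFA: "heap left redzone", 0xFB: "heap right redzone", 0xFD: "freed heap region"}

def shadow_address(addr):
    return (addr >> 3) + SHADOW_OFFSET

def parse_report(text):
    m = re.search(r"(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", text)
    access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
                  r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)", text)
    info = dict(access=access, size=size, addr=addr, distance=int(m.group(1)),
                side=m.group(2), region_size=int(m.group(3)),
                start=int(m.group(4), 16), end=int(m.group(5), 16), shadow={})
    # Each dump row holds 16 shadow bytes; "[xx]" marks the faulting address's byte.
    for row in re.finditer(r"^\s*(?:=>)?0x([0-9a-f]+):(.*)$", text, re.M):
        base = int(row.group(1), 16)
        for i, b in enumerate(re.findall(r"[0-9a-f]{2}", row.group(2))):
            info["shadow"][base + i] = int(b, 16)
    return info

def describe(value):
    # 0 = all 8 bytes valid, 1..7 = that many leading bytes valid, >= 0x80 = poisoned
    if value < GRANULE:
        return "addressable" if value == 0 else "partially addressable (%d of %d bytes)" % (value, GRANULE)
    return LEGEND.get(value, "poisoned (0x%02x)" % value)

def triage(text):
    r = parse_report(text)
    # Cross-check the report's own arithmetic before trusting the verdict.
    assert r["end"] - r["start"] == r["region_size"]
    assert r["side"] == "right" and r["addr"] - r["end"] == r["distance"]
    fault = r["shadow"][shadow_address(r["addr"])]
    tail = r["shadow"][shadow_address(r["end"] - 1)]
    # The allocation's last granule must encode exactly its valid tail bytes.
    assert tail == (r["end"] - 1) % GRANULE + 1
    return {"access": "%s of %d byte(s) at 0x%x" % (r["access"], r["size"], r["addr"]),
            "past_end_by": r["distance"], "tail_granule": describe(tail),
            "faulting_granule": describe(fault)}
```

`triage(ASAN_EXCERPT)` returns the verdict dict; its asserts fail if the report's numbers and the shadow bytes disagree, which is the first thing to check when a fuzzer-produced report looks odd.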