Possible stack buffer overflow #17

@dodomorandi

Description

The following issue has been detected by ASAN:

=================================================================
==126509==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f80613f566f at pc 0x560347e7ad9e bp 0x7f80613f5630 sp 0x7f80613f5628
READ of size 16 at 0x7f80613f566f thread T47 (tests::highligh)
test generate::build_tables::token_conflicts::tests::test_token_conflicts_with_open_ended_tokens ... ok
    #0 0x560347e7ad9d in ts_lexer_set_included_ranges /home/user/src/tree-sitter-core/src/treesitter.rs:3343:4
    #1 0x560347e7879b in ts_lexer_init /home/user/src/tree-sitter-core/src/treesitter.rs:3174:4
    #2 0x560347eadc31 in ts_parser_new /home/user/src/tree-sitter-core/src/treesitter.rs:7008:4
    #3 0x56034671cb49 in tree_sitter_tests::bindings::Parser::new::h41d899d8120a42a8 /home/user/src/tree-sitter-core/tree-sitter-tests/src/bindings.rs:267:25
    #4 0x560347ae2a0f in tree_sitter_tests::tree_sitter_highlight::Highlighter::new::h03bf3b8376e74daf /home/user/src/tree-sitter-core/tree-sitter-tests/src/tree_sitter_highlight.rs:114:20
    #5 0x56034793ff00 in tree_sitter_tests::tests::highlight_test::test_highlighting_cancellation::h0aac08600263f875 /home/user/src/tree-sitter-core/tree-sitter-tests/src/tests/highlight_test.rs:461:26
    #6 0x560347783519 in tree_sitter_tests::tests::highlight_test::test_highlighting_cancellation::_$u7b$$u7b$closure$u7d$$u7d$::hf4e1043559a9e0d9 /home/user/src/tree-sitter-core/tree-sitter-tests/src/tests/highlight_test.rs:445
    #7 0x5603476d31d4 in core::ops::function::FnOnce::call_once::h3baaea5d57128928 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libcore/ops/function.rs:232:4
    #8 0x560347c5afde in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h54cafa374ab34525 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/liballoc/boxed.rs:1017:8
    #9 0x560348b506f6 in __rust_maybe_catch_panic /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libpanic_unwind/lib.rs:86:7
    #10 0x560347c77075 in std::panicking::try::hdb3afd9dbfb1735a /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panicking.rs:281:12
    #11 0x560347c77075 in std::panic::catch_unwind::he37a5000b2342b42 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panic.rs:394:13
    #12 0x560347c77075 in test::run_test_in_process::hded38bdfc5e182bb /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libtest/lib.rs:542:17
    #13 0x560347c77075 in test::run_test::run_test_inner::_$u7b$$u7b$closure$u7d$$u7d$::h4e0821f6e020b4a3 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libtest/lib.rs:451:38
    #14 0x560347c4df85 in std::sys_common::backtrace::__rust_begin_short_backtrace::ha11826041a7b4c8a /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/sys_common/backtrace.rs:130:4
    #15 0x560347c528c5 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h7d36e382c44c16eb /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/thread/mod.rs:475:16
    #16 0x560347c528c5 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::hc1169e20e754690b /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panic.rs:318:8
    #17 0x560347c528c5 in std::panicking::try::do_call::h02a3da2eeb8ce499 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panicking.rs:303:39
    #18 0x560348b506f6 in __rust_maybe_catch_panic /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libpanic_unwind/lib.rs:86:7
    #19 0x560347c53525 in std::panicking::try::hd3231604341ca4c0 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panicking.rs:281:12
    #20 0x560347c53525 in std::panic::catch_unwind::h5fd0af445d305910 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/panic.rs:394:13
    #21 0x560347c53525 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::he65e2e4407c31ce3 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/thread/mod.rs:474:29
    #22 0x560347c53525 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h96f199b2e1aab86d /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libcore/ops/function.rs:232:4
    #23 0x560348b384be in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h17bc559ade1f3898 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/liballoc/boxed.rs:1017:8
    #24 0x560348b4f80f in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h5f4de8825e11517b /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/liballoc/boxed.rs:1017:8
    #25 0x560348b4f80f in std::sys_common::thread::start_thread::h9d05d51d7326efdc /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/sys_common/thread.rs:13:4
    #26 0x560348b4f80f in std::sys::unix::thread::Thread::new::thread_start::hc91805f14c4a4cf3 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/sys/unix/thread.rs:80:16
    #27 0x7f80658a546e in start_thread (/usr/lib/libpthread.so.0+0x946e)
    #28 0x7f80657b93d2 in clone (/usr/lib/libc.so.6+0xff3d2)

Address 0x7f80613f566f is located in stack of thread T47 (tests::highligh) at offset 47 in frame
    #0 0x560347e7a77f in ts_lexer_set_included_ranges /home/user/src/tree-sitter-core/src/treesitter.rs:3313

  This frame has 1 object(s):
    [32, 44) '_55' (line 3343) <== Memory access at offset 47 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T47 (tests::highligh) created by T0 here:
    #0 0x5603466e7d2a in pthread_create /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x560348b4f49d in std::sys::unix::thread::Thread::new::hdbcc90f5b5e6b844 /rustc/564758c4c329e89722454dd2fbb35f1ac0b8b47c/src/libstd/sys/unix/thread.rs:68:18

SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/src/tree-sitter-core/src/treesitter.rs:3343:4 in ts_lexer_set_included_ranges
Shadow bytes around the buggy address:
  0x0ff08c276a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff08c276ac0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[04]f3 f3
  0x0ff08c276ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff08c276b00: 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ff08c276b10: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==126509==ABORTING
