GNOME Bugzilla – Bug 708026
Call "pango_layout_get_line_readonly" causes reading of unallocated memory
Last modified: 2013-09-13 15:19:39 UTC
Created attachment 254855
This source file causes reading of unallocated memory in pango-indic module. Compile with "clang" using flag -fsanitize=address

It's possible to force pango to read unallocated memory in file indic/indic-ot.c
The source file in the attachment may be used to reproduce that.

Possible explanation:
In function "indic_ot_reorder" in modules/indic/indic-ot.c:212
Variable "prev" declared on line 216 is assigned 0.
After that, in "case CC_VIRAMA:" on line 260:
In the condition on line 262: "if (chars[prev - 1] == 0x0D41) {"
when variable "prev" equals 0, reading from chars[-1] is not valid.

After all, I've compiled "libpango" with an additional "printf" before that condition and printed the value of the "prev" variable. It was equal to 0.

This bug was found using the "addresssanitizer" tool. Here is the output:

=================================================================
==17612==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200006eccc at pc 0x7f8bb67e905b bp 0x7fff4e434ae0 sp 0x7fff4e434ad8
READ of size 4 at 0x60200006eccc thread T0
    #0 in indic_ot_reorder pango1.0-1.30.0/modules/indic/indic-ot.c:263
    #1 in indic_engine_shape pango1.0-1.30.0/modules/indic/indic-fc.c:245
    #2 in pango_shape pango1.0-1.30.0/pango/shape.c:55
    #3 in shape_run pango1.0-1.30.0/pango/pango-layout.c:3182
    #4 in process_item pango1.0-1.30.0/pango/pango-layout.c:3293
    #5 in process_line pango1.0-1.30.0/pango/pango-layout.c:3591
    #6 in pango_layout_check_lines pango1.0-1.30.0/pango/pango-layout.c:3912
    #7 in pango_layout_check_lines pango1.0-1.30.0/pango/pango-layout.c:3787
    #8 in pango_layout_get_line_readonly pango1.0-1.30.0/pango/pango-layout.c:1485
    #9 in main
0x60200006eccc is located 4 bytes to the left of 4-byte region [0x60200006ecd0,0x60200006ecd4)
allocated by thread T0 here:
    #0 0x45cbf4 in malloc clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f8bbb606a38 in g_malloc glib2.0-2.32.4/./glib/gmem.c:159
    #2 0x7f8bbc9e31a9 in pango_shape pango1.0-1.30.0/./pango/shape.c:55
SUMMARY: AddressSanitizer: heap-buffer-overflow pango1.0-1.30.0/./modules/indic/indic-ot.c:263 indic_ot_reorder
Shadow bytes around the buggy address:
  0x0c0480005d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480005d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480005d90: fa fa fa fa fa fa 00 00 fa[fa]04 fa fa fa fd fd
  0x0c0480005da0: fa fa fd fa fa fa 00 fa fa fa 00 06 fa fa 00 06
  0x0c0480005db0: fa fa 04 fa fa fa 00 fa fa fa 00 00 fa fa fd fd
  0x0c0480005dc0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c0480005dd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c0480005de0: fa fa 00 fa fa fa 00 06 fa fa 00 04 fa fa 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==17612==ABORTING
ADD: To reproduce it with "addresssanitizer" you need to compile "libpango" with "clang" using flag "-fsanitize=address". Also, the "valgrind" tool can detect this with the message "Invalid read of size 4". To reproduce it with valgrind, just compile this source with "gcc" or clang and launch it under "valgrind": # valgrind ./a.out.
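The report above boils down to one unguarded expression: `chars[prev - 1]` is evaluated while `prev` is still 0, so the read lands one element (4 bytes) to the left of the heap buffer that `pango_shape` allocated, exactly where ASan places its "fa" left redzone. The following is an added example, not pango's code and not the attachment from this bug; the function names `char_at`, `prev_is_sign_u` and `unguarded_index` and the sample code point arrays are assumptions made here. It models the condition from indic-ot.c:262 with the missing `prev > 0` guard and a bounds-checked accessor, so that a `prev` of 0 yields a false result instead of a negative index:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* U+0D41 is the code point compared at indic-ot.c:262 in the report. */
#define SIGN_U 0x0D41u

/* Bounds-checked lookup of chars[index] (hypothetical helper).
 * Stores the value and returns 1 when 0 <= index < count, else returns 0. */
static int char_at(const uint32_t *chars, size_t count, long index, uint32_t *out)
{
    if (index < 0 || (size_t)index >= count)
        return 0;
    *out = chars[index];
    return 1;
}

/* Guarded form of the reported condition "chars[prev - 1] == 0x0D41".
 * With prev == 0 there is no preceding character, so the answer is 0
 * rather than a read of chars[-1]. Returns 1 only when the character
 * before 'prev' exists and is U+0D41. */
int prev_is_sign_u(const uint32_t *chars, size_t count, long prev)
{
    uint32_t c;
    if (prev <= 0)                      /* the guard the reported code lacks */
        return 0;
    if (!char_at(chars, count, prev - 1, &c))
        return 0;
    return c == SIGN_U;
}

/* Index the unguarded expression would use; for prev == 0 this is -1,
 * i.e. one uint32_t (4 bytes) left of the buffer, matching ASan's
 * "4 bytes to the left of 4-byte region". Computed, never dereferenced. */
long unguarded_index(long prev)
{
    return prev - 1;
}

int main(void)
{
    /* Constructed sample inputs; not claimed to be the bug's attachment. */
    const uint32_t run_a[] = { 0x0D4Du, 0x0D15u };   /* prev stays 0 */
    const uint32_t run_b[] = { 0x0D41u, 0x0D4Du };   /* U+0D41 before index 1 */

    printf("unguarded index for prev=0: %ld\n", unguarded_index(0));
    printf("guarded check   for prev=0: %d\n",
           prev_is_sign_u(run_a, sizeof run_a / sizeof run_a[0], 0));
    printf("guarded check   for prev=1: %d\n",
           prev_is_sign_u(run_b, sizeof run_b / sizeof run_b[0], 1));
    return 0;
}
```

The negative index is only computed here for illustration; the lookup itself always goes through `char_at`, which is the shape of fix a reviewer would look for in code that walks back from a running index. Under `-fsanitize=address` or valgrind, as described in the report, the unguarded original would fault at the same spot this example refuses to read.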
That piece of code is long gone...