[LLVMbugs] [Bug 12632] New: off-by-one buffer overflow in llvm::yaml::Scanner::scanToNextToken

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon Apr 23 08:16:24 PDT 2012


http://llvm.org/bugs/show_bug.cgi?id=12632

             Bug #: 12632
           Summary: off-by-one buffer overflow in
                    llvm::yaml::Scanner::scanToNextToken
           Product: new-bugs
           Version: trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: kcc at google.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified


Reproduce: (r155350, x86_64 linux)
1. Build LLVM with AddressSanitizer
(http://code.google.com/p/address-sanitizer/wiki/HowToBuild)
2. Run 'make check ULIMIT='

FAIL: LLVM-Unit :: Support/Debug+Asserts/SupportTests/YAMLParser.FailsOnMissingQuote (5835 of 5908)
******************** TEST 'LLVM-Unit :: Support/Debug+Asserts/SupportTests/YAMLParser.FailsOnMissingQuote' FAILED ********************
Note: Google Test filter = YAMLParser.FailsOnMissingQuote
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from YAMLParser
[ RUN      ] YAMLParser.FailsOnMissingQuote
YAML:1:5: error: Found unexpected ':' while scanning a plain scalar
[{a":"b"}]
    ^
=================================================================
==10694== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000012ebacb at pc 0x1173922 bp 0x7ffffa2c21f0 sp 0x7ffffa2c21e8
READ of size 1 at 0x0000012ebacb thread T0
    #0 0x1173922 in llvm::yaml::Scanner::scanToNextToken() lib/Support/YAMLParser.cpp:984
    #1 0x1167866 in llvm::yaml::Scanner::fetchMoreTokens() lib/Support/YAMLParser.cpp:1436
    #2 0x1167105 in llvm::yaml::Scanner::peekNext() lib/Support/YAMLParser.cpp:721
    #3 0x1184985 in llvm::yaml::Document::peekNext() lib/Support/YAMLParser.cpp:1994
    #4 0x119212c in llvm::yaml::Document::parseDirectives() lib/Support/YAMLParser.cpp:2095
    #5 0x1191dfc in llvm::yaml::Document::Document(llvm::yaml::Stream&) lib/Support/YAMLParser.cpp:1970
    #6 0x11831ce in llvm::yaml::Stream::begin() lib/Support/YAMLParser.cpp:1550
    #7 0x118350c in llvm::yaml::Stream::skip() lib/Support/YAMLParser.cpp:1559
    #8 0x658eab in llvm::yaml::Stream::validate() include/llvm/Support/YAMLParser.h:89
    #9 0x63ffc8 in llvm::ExpectParseError(llvm::StringRef, llvm::StringRef) unittests/Support/YAMLParserTest.cpp:24
    #10 0x641bce in llvm::YAMLParser_FailsOnMissingQuote_Test::TestBody() unittests/Support/YAMLParserTest.cpp:76
    #11 0x716c5c in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) utils/unittest/googletest/gtest.cc:»
    #12 0x6c0e5f in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) utils/unittest/googletest/gtest.cc:2142
    #13 0x68c8f7 in testing::Test::Run() utils/unittest/googletest/gtest.cc:2168
    #14 0x68f171 in testing::TestInfo::Run() utils/unittest/googletest/gtest.cc:2313
    #15 0x691306 in testing::TestCase::Run() utils/unittest/googletest/gtest.cc:2415
    #16 0x6a72c1 in testing::internal::UnitTestImpl::RunAllTests() utils/unittest/googletest/gtest.cc:4204
    #17 0x6f8b0c in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::»
    #18 0x6cd6ae in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(»
    #19 0x6a61ab in testing::UnitTest::Run() utils/unittest/googletest/gtest.cc:3840
    #20 0x776002 in main utils/unittest/UnitTestMain/TestMain.cpp:41
    #21 0x2ab0f480bc4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
0x0000012ebacb is located 0 bytes to the right of global variable '.str45 (unittests/Support/YAMLParserTest.cpp)' (0x12ebac0) of size 11
  '.str45 (unittests/Support/YAMLParserTest.cpp)' is ascii string '[{"a":"b}]'
==10694== ABORTING
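The trace above records a one-byte read immediately past the test's string literal inside scanToNextToken(), the routine that skips blanks, comments and line breaks before the next token is fetched. The C++ below is an added illustration of that bug class and is not LLVM's code or its fix: a hypothetical scanner that reads the byte at the cursor before checking the cursor against End, beside a bounded version, both driven over the report's input `[{"a":"b}]` and over a constructed line that ends in a comment without a newline. The BoundsRecordingBuffer class, the scanToNextTokenUnsafe/scanToNextTokenSafe functions and the countTokens driver are all invented for this example; the buffer plays the role AddressSanitizer played in the report by counting reads at or past the end of the input instead of performing them.

```cpp
#include <cstddef>
#include <iostream>
#include <string_view>

// Constructed inputs: the string from the failing unit test in the report
// (closing quote of "b" missing), and a well-formed line ending in a comment
// with no trailing newline, which drives the scanner to End the same way.
constexpr std::string_view kMissingQuote = "[{\"a\":\"b}]";
constexpr std::string_view kTrailingComment = "[1, 2]  # trailing comment";

// Buffer that intercepts reads at or past its end, counts them and returns NUL
// (what a NUL-terminated literal would have yielded). Stand-in for ASan.
class BoundsRecordingBuffer {
public:
  explicit BoundsRecordingBuffer(std::string_view Data) : Data_(Data) {}
  char at(std::size_t I) const {
    if (I >= Data_.size()) {
      ++OutOfBounds_;
      return '\0';
    }
    return Data_[I];
  }
  std::size_t size() const { return Data_.size(); }
  std::size_t outOfBoundsReads() const { return OutOfBounds_; }

private:
  std::string_view Data_;
  mutable std::size_t OutOfBounds_ = 0;
};

// Hypothetical "before" scanner: skips blanks, '#' comments and line breaks,
// but reads the byte at Cur BEFORE checking Cur != End. Entered with the
// cursor already at End (after the last token, or after a comment that runs
// to the end of input) it performs a one-past-the-end read.
std::size_t scanToNextTokenUnsafe(const BoundsRecordingBuffer &Buf,
                                  std::size_t Cur) {
  const std::size_t End = Buf.size();
  while (true) {
    char C = Buf.at(Cur); // BUG: no Cur != End check before the read
    if (C == ' ' || C == '\t') { ++Cur; continue; }
    if (C == '#') { // comment runs to end of line or end of input
      while (Cur != End && Buf.at(Cur) != '\n' && Buf.at(Cur) != '\r') ++Cur;
      continue;
    }
    if (C == '\n' || C == '\r') { ++Cur; continue; }
    break;
  }
  return Cur;
}

// Hardened version: the loop condition guarantees every read is in bounds and
// the cursor comes back equal to End when nothing is left to scan.
std::size_t scanToNextTokenSafe(const BoundsRecordingBuffer &Buf,
                                std::size_t Cur) {
  const std::size_t End = Buf.size();
  while (Cur != End) {
    char C = Buf.at(Cur);
    if (C == ' ' || C == '\t') { ++Cur; continue; }
    if (C == '#') {
      while (Cur != End && Buf.at(Cur) != '\n' && Buf.at(Cur) != '\r') ++Cur;
      continue;
    }
    if (C == '\n' || C == '\r') { ++Cur; continue; }
    break;
  }
  return Cur;
}

// Tiny driver in the role of fetchMoreTokens(): after every token it calls the
// scanner again, so the last call always happens with the cursor at End. A
// token is a double-quoted scalar (running to its closing quote or, if that is
// missing, to End) or a single flow-indicator character.
struct ScanResult {
  std::size_t Tokens;
  std::size_t OutOfBoundsReads;
};

template <typename ScanFn>
ScanResult runScanner(std::string_view In, ScanFn Scan) {
  BoundsRecordingBuffer Buf(In);
  const std::size_t End = Buf.size();
  std::size_t Cur = 0, Tokens = 0;
  while (true) {
    Cur = Scan(Buf, Cur);
    if (Cur >= End) return {Tokens, Buf.outOfBoundsReads()};
    ++Tokens;
    if (Buf.at(Cur) == '"') {
      ++Cur;
      while (Cur != End && Buf.at(Cur) != '"') ++Cur;
      if (Cur != End) ++Cur; // consume the closing quote if there is one
    } else {
      ++Cur;
    }
  }
}

ScanResult runUnsafe(std::string_view In) { return runScanner(In, scanToNextTokenUnsafe); }
ScanResult runSafe(std::string_view In) { return runScanner(In, scanToNextTokenSafe); }

int main() {
  for (std::string_view In : {kMissingQuote, kTrailingComment}) {
    ScanResult U = runUnsafe(In), S = runSafe(In);
    std::cout << '"' << In << "\": unsafe " << U.Tokens << " tokens, "
              << U.OutOfBoundsReads << " out-of-bounds read(s); safe "
              << S.Tokens << " tokens, " << S.OutOfBoundsReads
              << " out-of-bounds read(s)\n";
  }
}
```

Both scanners tokenize each input identically; the only observable difference is the single read past End that the unsafe version makes on its final call, which is exactly the class of access a sanitizer build of the unit tests surfaces. The comment case shows the same read on well-formed input, so a fix that only hardens the quoted-scalar path would be incomplete.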
