<html>

    <head>

      <base href="http://llvm.org/bugs/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW --- - clang: heap-buffer-overflow on invalid input with unicode in clang::Lexer::LexAngledStringLiteral"

   href="http://llvm.org/bugs/show_bug.cgi?id=22407">22407</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>clang: heap-buffer-overflow on invalid input with unicode in clang::Lexer::LexAngledStringLiteral

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>new-bugs

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>new bugs

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>kcc@google.com

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvmbugs@cs.uiuc.edu

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=13776" name="attach_13776" title="reproducer">attachment 13776</a> <a href="attachment.cgi?id=13776&action=edit" title="reproducer">[details]</a></span>

reproducer

Found with fuzzing...

$ clang -cc1 hbo.cc

READ of size 1 at 0x60e00000dc79 thread T0

    #0 0xb70b6fb in getAndAdvanceChar

tools/clang/include/clang/Lex/Lexer.h:529:36

    #1 0xb70b6fb in clang::Lexer::LexAngledStringLiteral(clang::Token&, char

const*) tools/clang/lib/Lex/Lexer.cpp:1876

    #2 0xb728647 in clang::Lexer::LexTokenInternal(clang::Token&, bool)

tools/clang/lib/Lex/Lexer.cpp:3393:14

    #3 0xb97d3d9 in clang::Preprocessor::Lex(clang::Token&)

tools/clang/lib/Lex/Preprocessor.cpp:692:23

    #4 0xb983202 in clang::PreprocessorLexer::LexIncludeFilename(clang::Token&)

tools/clang/lib/Lex/PreprocessorLexer.cpp:44:5

    #5 0xb84a845 in

clang::Preprocessor::HandleIncludeDirective(clang::SourceLocation,

clang::Token&, clang::DirectoryLookup const*, clang::FileEntry const*, bool)»

    #6 0xb83d85e in clang::Preprocessor::HandleDirective(clang::Token&)

tools/clang/lib/Lex/PPDirectives.cpp:853:14

    #7 0xb72fe86 in clang::Lexer::LexTokenInternal(clang::Token&, bool)

tools/clang/lib/Lex/Lexer.cpp:3639:3

    #8 0xb97d3d9 in clang::Preprocessor::Lex(clang::Token&)

tools/clang/lib/Lex/Preprocessor.cpp:692:23

    #9 0x7aa82fa in ConsumeToken tools/clang/include/clang/Parse/Parser.h:285:5

0x60e00000dc79 is located 0 bytes to the right of 153-byte region

[0x60e00000dbe0,0x60e00000dc79)

allocated by thread T0 here:

    #0 0x8048fb in operator new(unsigned long, std::nothrow_t const&)

projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3

    #1 0x4cfc483 in getNewUninitMemBuffer lib/Support/MemoryBuffer.cpp:140:34

    #2 0x4cfc483 in getOpenFileImpl(int, llvm::Twine const&, unsigned long,

unsigned long, long, bool, bool) lib/Support/MemoryBuffer.cpp:369

    #3 0x4cfbb0c in llvm::MemoryBuffer::getOpenFile(int, llvm::Twine const&,

unsigned long, bool, bool) lib/Support/MemoryBuffer.cpp:410:10

    #4 0x53610f1 in (anonymous namespace)::RealFile::getBuffer(llvm::Twine

const&, long, bool, bool) tools/clang/lib/Basic/VirtualFileSystem.cpp:124:10

    #5 0x533b4dc in clang::FileManager::getBufferForFile(clang::FileEntry

const*, bool, bool) tools/clang/lib/Basic/FileManager.cpp:416:9

    #6 0x52d409d in

clang::SrcMgr::ContentCache::getBuffer(clang::DiagnosticsEngine&,

clang::SourceManager const&, clang::SourceLocation, bool*) const tools/clang/»

    #7 0xb8abe42 in clang::SourceManager::getBuffer(clang::FileID,

clang::SourceLocation, bool*) const

tools/clang/include/clang/Basic/SourceManager.h:887:12

    #8 0xb8a8a06 in clang::Preprocessor::EnterSourceFile(clang::FileID,

clang::DirectoryLookup const*, clang::SourceLocation)

tools/clang/lib/Lex/PPLexerChange.cpp»

    #9 0xb976ce9 in clang::Preprocessor::EnterMainSourceFile()

tools/clang/lib/Lex/Preprocessor.cpp:490:5

    #10 0x7a9e4b8 in clang::ParseAST(clang::Sema&, bool, bool)

tools/clang/lib/Parse/ParseAST.cpp:122:3</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>