out-of-bounds sequence access in act_ostm
Seen with instigator specimen 20221020/00023c3c69cd1253f533c61815b651a9b9d5fc9a0541c2fdc001926c6a24d63c.
Does not occur when the parser is run in strict mode (-s).
Backtrace:
#0 thrkill () at /tmp/-:3
#1 0x50b111a5ac92426d in ?? ()
#2 0x00000b3c9205b2ae in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#3 0x00000b3c92075712 in _libc___assert2 (file=Variable "file" is not available.
)
at /usr/src/lib/libc/gen/assert.c:52
#4 0x00000b3cf3ca8950 in h_carray_index (a=0xb3d78c101e0, i=109)
at build/debug/src/glue.c:141
#5 0x00000b3cf3ca8ab3 in h_seq_index (p=0xb3d78c101b0, i=109)
at build/debug/src/glue.c:163
#6 0x00000b3cf3ca8bd9 in h_seq_index_vpath (p=0xb3d78c10c90, i=1,
va=0x7f7ffffd8460) at build/debug/src/glue.c:183
#7 0x00000b3cf3ca8b6b in h_seq_index_path (p=0xb3d78c10c90, i=1)
at build/debug/src/glue.c:171
#8 0x00000b3a89b9f47d in act_ostm (p=0xb3d78c10cc0, u=0xb3cdbe11710)
at pdf.c:4710
#9 0x00000b3cf3c863e3 in parse_action (env=0xb3d131c15d0, state=0xb3d040f9018)
at build/debug/src/parsers/action.c:16
#10 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3d040f9018,
parser=0xb3d131c15e8) at build/debug/src/backends/packrat.c:49
#11 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3d131c15e8,
state=0xb3d040f9018) at build/debug/src/backends/packrat.c:230
#12 0x00000b3cf3c9822d in h_packrat_parse (mm__=0xb3cf3cb1ec0,
parser=0xb3d131c15e8, input_stream=0x7f7ffffd8790)
at build/debug/src/backends/packrat.c:330
#13 0x00000b3cf3caa6fe in h_parse__m (mm__=0xb3cf3cb1ec0,
parser=0xb3d131c15e8,
input=0xb3d5a00f000 "1415 0 1416 44 1417 88 1418 136 1419 180 1420 228 1421 272 1422 320 1423 364 1424 422 1425 466 1426 510 1427 558 1428 602 1429 660 1430 704 1431 748 1432 806 1433 850 1434 894 1435 985 1436 1029 1437 "...,
length=8192) at build/debug/src/hammer.c:588
#14 0x00000b3cf3caa67a in h_parse (parser=0xb3d131c15e8,
input=0xb3d5a00f000 "1415 0 1416 44 1417 88 1418 136 1419 180 1420 228 1421 272 1422 320 1423 364 1424 422 1425 466 1426 510 1427 558 1428 602 1429 660 1430 704 1431 748 1432 806 1433 850 1434 894 1435 985 1436 1029 1437 "...,
length=8192) at build/debug/src/hammer.c:573
#15 0x00000b3a89b9a716 in FlateDecode (parms=0x0, b=
{token = 0xb3d5b6fa6ec <Address 0xb3d5b6fa6ec out of bounds>, len = 2596}, p=0xb3d131c15e8) at pdf.c:3194
#16 0x00000b3a89b9e7b5 in decode_stream (d=0xb3ca2b69930, b=
{token = 0xb3d5b6fa6ec <Address 0xb3d5b6fa6ec out of bounds>, len = 2596}, p=0xb3d131c15e8) at pdf.c:4399
#17 0x00000b3a89b9f10c in act_ks_value (p=0xb3d131c1b90, u=0xb3d131c13d8)
at pdf.c:4459
#18 0x00000b3cf3c863e3 in parse_action (env=0xb3d131c1618, state=0xb3ce99f2018)
at build/debug/src/parsers/action.c:16
#19 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3d131c1630) at build/debug/src/backends/packrat.c:49
#20 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3d131c1630,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#21 0x00000b3cf3c939d9 in parse_sequence (env=0xb3d131c1660,
state=0xb3ce99f2018) at build/debug/src/parsers/sequence.c:14
#22 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3d131c1680) at build/debug/src/backends/packrat.c:49
#23 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3d131c1680,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#24 0x00000b3cf3c879e1 in parse_bind (be_=0xb3cd2be2fe0, state=0xb3ce99f2018)
at build/debug/src/parsers/bind.c:48
#25 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bf6380) at build/debug/src/backends/packrat.c:49
#26 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bf6380,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#27 0x00000b3cf3c8dfb9 in parse_ignoreseq (env=0xb3cd2c15d60,
state=0xb3ce99f2018) at build/debug/src/parsers/ignoreseq.c:24
#28 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bed000) at build/debug/src/backends/packrat.c:49
#29 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bed000,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#30 0x00000b3cf3c8af88 in parse_choice (env=0xb3cd2beb4b0, state=0xb3ce99f2018)
at build/debug/src/parsers/choice.c:30
#31 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bedb00) at build/debug/src/backends/packrat.c:49
#32 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bedb00,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#33 0x00000b3cf3c939d9 in parse_sequence (env=0xb3cd2c17530,
state=0xb3ce99f2018) at build/debug/src/parsers/sequence.c:14
#34 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bf8b80) at build/debug/src/backends/packrat.c:49
#35 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bf8b80,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#36 0x00000b3cf3c9028e in parse_many (env=0xb3cd2c15f00, state=0xb3ce99f2018)
at build/debug/src/parsers/many.c:26
#37 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bf2d80) at build/debug/src/backends/packrat.c:49
#38 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bf2d80,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#39 0x00000b3cf3c939d9 in parse_sequence (env=0xb3cd2be1350,
state=0xb3ce99f2018) at build/debug/src/parsers/sequence.c:14
#40 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2c03dc0) at build/debug/src/backends/packrat.c:49
#41 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2c03dc0,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#42 0x00000b3cf3c9028e in parse_many (env=0xb3cd2be2100, state=0xb3ce99f2018)
at build/debug/src/parsers/many.c:26
#43 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2bf2440) at build/debug/src/backends/packrat.c:49
#44 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2bf2440,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#45 0x00000b3cf3c939d9 in parse_sequence (env=0xb3cd2c179c0,
state=0xb3ce99f2018) at build/debug/src/parsers/sequence.c:14
#46 0x00000b3cf3c975f7 in perform_lowlevel_parse (state=0xb3ce99f2018,
parser=0xb3cd2c03c00) at build/debug/src/backends/packrat.c:49
#47 0x00000b3cf3c97e33 in h_do_parse (parser=0xb3cd2c03c00,
state=0xb3ce99f2018) at build/debug/src/backends/packrat.c:230
#48 0x00000b3cf3c9822d in h_packrat_parse (mm__=0xb3cf3cb1ec0,
parser=0xb3cd2c03c00, input_stream=0x7f7ffffd9770)
at build/debug/src/backends/packrat.c:330
#49 0x00000b3cf3caa6fe in h_parse__m (mm__=0xb3cf3cb1ec0,
parser=0xb3cd2c03c00,
input=0xb3d5b6f7000 <Address 0xb3d5b6f7000 out of bounds>, length=219803)
at build/debug/src/hammer.c:588
#50 0x00000b3cf3caa67a in h_parse (parser=0xb3cd2c03c00,
input=0xb3d5b6f7000 <Address 0xb3d5b6f7000 out of bounds>, length=219803)
at build/debug/src/hammer.c:573
#51 0x00000b3a89ba0566 in main (argc=1, argv=0x7f7ffffd9b70) at pdf.c:5134
Context:
#8 0x00000b3a89b9f47d in act_ostm (p=0xb3d78c10cc0, u=0xb3cdbe11710)
at pdf.c:4710
4710 ostrm->tok[i].obj = H_FIELD_TOKEN(1, i);
Current language: auto; currently minimal
(gdb) list
4705 for (int i=0; i<ostrm->numObjs; i++) {
4706 const HParsedToken *num = H_FIELD_TOKEN(0, 2*i);
4707 assert(num->token_type == TT_UINT);
4708 ostrm->tok[i].oid.nr = H_CAST_UINT(num);
4709 ostrm->tok[i].oid.gen = 0;
4710 ostrm->tok[i].obj = H_FIELD_TOKEN(1, i);
4711 }
4712
4713 // const HCountedArray *indices = H_FIELD_SEQ(0);
4714 // const HCountedArray *ostrm = H_FIELD_SEQ(1);
(gdb) print *p
$1 = {ast = 0xb3d78c10c90, bit_length = 65144, arena = 0xb3cd2bf7480}
(gdb) print *p->ast
$2 = {token_type = TT_SEQUENCE, {bytes = {token = 0xb3c8bf7e938 "\004",
len = 0}, sint = 12354674223416, uint = 12354674223416,
dbl = 6.1040200993502271e-311, flt = -9.54918478e-32, seq = 0xb3c8bf7e938,
user = 0xb3c8bf7e938}, index = 0, bit_length = 0, bit_offset = 0 '\0'}
(gdb) print *p->ast->seq
$3 = {capacity = 4, used = 2, arena = 0xb3cd2bf7480, elements = 0xb3c8bf7e958}
(gdb) print *p->ast->seq->elements[1]
$5 = {token_type = TT_SEQUENCE, {bytes = {token = 0xb3d78c101e0 "\200",
len = 0}, sint = 12358646825440, uint = 12358646825440,
dbl = 6.1059828255348849e-311, flt = 3.13172289e+34, seq = 0xb3d78c101e0,
user = 0xb3d78c101e0}, index = 0, bit_length = 0, bit_offset = 0 '\0'}
(gdb) print *p->ast->seq->elements[1]->seq
$6 = {capacity = 128, used = 109, arena = 0xb3cd2bf7480,
elements = 0xb3d78c105e0}
(gdb) print i
$7 = 109
One past the end: the sequence indexed by H_FIELD_TOKEN(1, i) has used = 109 elements (valid indices 0..108), but the loop at 4705 runs up to ostrm->numObjs, which is evidently larger than the number of objects actually present in that sequence. The loop bound is taken from the parsed input without being checked against the sequence length, so a malformed object stream reaches the out-of-bounds index and trips the assert in h_carray_index.