MantisBT
Mantis Bug Tracker Workflow

View Revisions: Issue #30981 All Revisions ] Back to Issue ]
Summary 0030981: Foundation Classes - heap-buffer-overflow reported by Clang address sanitizer in TCollection_ExtendedString
Revision 2019-09-19 14:47 by abv
Description When running OCCT built on Linux with Clang with option -fsanitize=address, error heap-buffer-overflow is reported on many test cases, e.g. bugs fclasses bug11758:

OCC11758
=================================================================
==31451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200026b514 at pc 0x0000004b52e5 bp 0x7fff80a08ea0 sp 0x7fff80a08650

READ of size 6 at 0x60200026b514 thread T0
    # 0 0x4b52e4 in __interceptor_memcmp.part.77 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b52e4)
    # 1 0x7f3490aaa41e in TCollection_ExtendedString::IsLess(char16_t const*) const /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:501:12
    # 2 0x7f3482649ae1 in OCC11758(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QABugs/QABugs_19.cxx:1080:5
    # 3 0x7f34950f4349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    # 4 0x7f3495101b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    # 5 0x7f348f4b6b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    # 6 0x7f348f4b8fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    # 7 0x7f348f55787a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    # 8 0x7f348f557756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    # 9 0x7f34951030bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    # 10 0x7f34950e9dad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    # 11 0x7f34950eab90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    # 12 0x7f34950e837b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    # 13 0x7f34950e7973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    # 14 0x7f3495104328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    # 15 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    # 16 0x7f348dee282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    # 17 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x60200026b514 is located 0 bytes to the right of 4-byte region [0x60200026b510,0x60200026b514)
allocated by thread T0 here:
    # 0 0x4df140 in realloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4df140)
    # 1 0x7f3490a7bff9 in Standard_MMgrRaw::Reallocate(void*, unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:69:51
    # 2 0x7f3490a739a3 in Standard::Reallocate(void*, unsigned long) /home/abv/occt/src/Standard/Standard.cxx:261:43
    # 3 0x7f3490aa81cf in (anonymous namespace)::reallocateExtChars(void*, unsigned long) /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:42:37
    # 4 0x7f3490aa7c2b in TCollection_ExtendedString::TCollection_ExtendedString(char const*, bool) /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:127:14
    # 5 0x7f348264990b in OCC11758(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QABugs/QABugs_19.cxx:1068:38
    # 6 0x7f34950f4349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    # 7 0x7f3495101b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    # 8 0x7f348f4b6b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b52e4) in __interceptor_memcmp.part.77
Shadow bytes around the buggy address:
  0x0c0480045650: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c0480045660: fa fa 04 fa fa fa fd fa fa fa 04 fa fa fa 04 fa
  0x0c0480045670: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x0c0480045680: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480045690: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800456a0: fa fa[04]fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
  0x0c04800456b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==31451==ABORTING
Revision 2019-09-19 08:34 by abv
Description When running OCCT built on Linux with Clang with option -fsanitize=address, error heap-buffer-overflow is reported on many test cases, e.g. bugs fclasses bug11758:

OCC11758
=================================================================
==31451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200026b514 at pc 0x0000004b52e5 bp 0x7fff80a08ea0 sp 0x7fff80a08650

READ of size 6 at 0x60200026b514 thread T0
    #0 0x4b52e4 in __interceptor_memcmp.part.77 (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b52e4)
    0000001 0x7f3490aaa41e in TCollection_ExtendedString::IsLess(char16_t const*) const /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:501:12
    0000002 0x7f3482649ae1 in OCC11758(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QABugs/QABugs_19.cxx:1080:5
    #3 0x7f34950f4349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    #4 0x7f3495101b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    #5 0x7f348f4b6b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)
    #6 0x7f348f4b8fa6 in TclNRRunCallbacks (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x3afa6)
    0000007 0x7f348f55787a in Tcl_RecordAndEvalObj (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd987a)
    0000008 0x7f348f557756 in Tcl_RecordAndEval (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0xd9756)
    0000009 0x7f34951030bf in Draw_Interpretor::RecordAndEval(char const*, int) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:496:10
    #10 0x7f34950e9dad in Draw_Interprete(char const*) /home/abv/occt/src/Draw/Draw.cxx:608:19
    0000011 0x7f34950eab90 in interpreteTclCommand(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:110:5
    #12 0x7f34950e837b in ReadInitFile(TCollection_AsciiString const&) /home/abv/occt/src/Draw/Draw.cxx:121:3
    0000013 0x7f34950e7973 in Draw_Appli(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw.cxx:497:5
    0000014 0x7f3495104328 in Draw_Main(int, char**, void (*)(Draw_Interpretor&)) /home/abv/occt/src/Draw/Draw_Main.cxx:113:3
    0000015 0x51aaef in main /home/abv/occt/src/DRAWEXE/DRAWEXE.cxx:33:1
    0000016 0x7f348dee282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    0000017 0x41aac8 in _start (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x41aac8)

0x60200026b514 is located 0 bytes to the right of 4-byte region [0x60200026b510,0x60200026b514)
allocated by thread T0 here:
    #0 0x4df140 in realloc (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4df140)
    0000001 0x7f3490a7bff9 in Standard_MMgrRaw::Reallocate(void*, unsigned long) /home/abv/occt/src/Standard/Standard_MMgrRaw.cxx:69:51
    0000002 0x7f3490a739a3 in Standard::Reallocate(void*, unsigned long) /home/abv/occt/src/Standard/Standard.cxx:261:43
    #3 0x7f3490aa81cf in (anonymous namespace)::reallocateExtChars(void*, unsigned long) /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:42:37
    #4 0x7f3490aa7c2b in TCollection_ExtendedString::TCollection_ExtendedString(char const*, bool) /home/abv/occt/src/TCollection/TCollection_ExtendedString.cxx:127:14
    #5 0x7f348264990b in OCC11758(Draw_Interpretor&, int, char const**) /home/abv/occt/src/QABugs/QABugs_19.cxx:1068:38
    #6 0x7f34950f4349 in Draw_Interpretor::CallBackDataFunc::Invoke(Draw_Interpretor&, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.hxx:81:31
    0000007 0x7f3495101b7d in CommandCmd(void*, Tcl_Interp*, int, char const**) /home/abv/occt/src/Draw/Draw_Interpretor.cxx:154:40
    0000008 0x7f348f4b6b95 in TclInvokeStringCommand (/usr/lib/x86_64-linux-gnu/libtcl8.6.so+0x38b95)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/abv/tmp/occt-clang/lin64/clang/bini/DRAWEXE-7.4.0+0x4b52e4) in __interceptor_memcmp.part.77
Shadow bytes around the buggy address:
  0x0c0480045650: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c0480045660: fa fa 04 fa fa fa fd fa fa fa 04 fa fa fa 04 fa
  0x0c0480045670: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x0c0480045680: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480045690: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800456a0: fa fa[04]fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
  0x0c04800456b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800456f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==31451==ABORTING


Copyright © 2000 - 2020 MantisBT Team
Powered by Mantis Bugtracker