It seems that this piece of code treats a one-dimensional array as a two-dimensional array, makes `q` point to an invalid address, and results in a segmentation fault.

```c
/* Snippet as quoted in the report (from abcm2ps); utf_1, g, q and i1..i4
 * are declared elsewhere in the source. Each level of the table is cast to
 * char ** and indexed again, so if an entry at some level is a string rather
 * than a sub-table, its bytes are read back as the next pointer. */
if (i1 >= 0 && i2 >= 0) {
    g = (char **) utf_1[i1];
    if (g) {
        g = (char **) g[i2];
        if (i3 >= 0 && g) {
            g = (char **) g[i3];
            if (i4 >= 0 && g)
                g = (char **) g[i4];
        }
    }
    q = (char *) g;     /* whatever g ended up as is then used as a string */
```
```
$ unzip poc1
gdb-peda$ set args ./poc1/poc1
gdb-peda$ r
Starting program: /root/Intriguer/intriguer/opensoft/abc2music/origin/abcm2ps poc1
abcm2ps-8.14.9 (2020-06-21)
File poc1
Line 7: Unexpected EOF in header definition

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffddf0 --> 0xfbad8001
RCX: 0xffffffffffffffff
RDX: 0x10
RSI: 0x7fffffffdda8 --> 0x7fffffffdde0 --> 0xffc0
RDI: 0x6563696f76206e69 ('in voice')
RBP: 0x7fffffffdde0 --> 0xffc0
RSP: 0x7fffffffd870 --> 0x0
RIP: 0x7ffff7752cd0 (<_IO_vfprintf_internal+6992>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x0
R9 : 0x1
R10: 0x73 ('s')
R11: 0x6563696f76206e69 ('in voice')
R12: 0x44a070 --> 0x206461420073252f ('/%s')
R13: 0x7fffffffdf60 --> 0x3000000010
R14: 0x0
R15: 0x44a071 --> 0x7520646142007325 ('%s')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7752cc7 <_IO_vfprintf_internal+6983>: xor    eax,eax
   0x7ffff7752cc9 <_IO_vfprintf_internal+6985>: or     rcx,0xffffffffffffffff
   0x7ffff7752ccd <_IO_vfprintf_internal+6989>: mov    rdi,r11
=> 0x7ffff7752cd0 <_IO_vfprintf_internal+6992>: repnz scas al,BYTE PTR es:[rdi]
   0x7ffff7752cd2 <_IO_vfprintf_internal+6994>: mov    DWORD PTR [rbp-0x4d8],0x0
   0x7ffff7752cdc <_IO_vfprintf_internal+7004>: mov    rax,rcx
   0x7ffff7752cdf <_IO_vfprintf_internal+7007>: not    rax
   0x7ffff7752ce2 <_IO_vfprintf_internal+7010>: lea    r10,[rax-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd870 --> 0x0
0008| 0x7fffffffd878 --> 0x7ffff775193d (<_IO_vfprintf_internal+1981>: mov    rdx,QWORD PTR [rbp-0x498])
0016| 0x7fffffffd880 --> 0x0
0024| 0x7fffffffd888 --> 0x7fffffffd958 --> 0x44c63f --> 0x202d2d2d20252500 ('')
0032| 0x7fffffffd890 --> 0x7fffffffd948 --> 0x44a072 --> 0x6e75206461420073 ('s')
0040| 0x7fffffffd898 --> 0x7fff00000000
0048| 0x7fffffffd8a0 --> 0x7fff00000000
0056| 0x7fffffffd8a8 --> 0x7fffffffd960 --> 0x7fffffffd970 --> 0x4030000000000000 ('')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7752cd0 in _IO_vfprintf_internal (s=s@entry=0x7fffffffddf0, format=<optimized out>, format@entry=0x44a070 "/%s", ap=ap@entry=0x7fffffffdf60) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
```
poc1.zip
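The crash above is consistent with the description in the report: `RDI` holds `0x6563696f76206e69`, which is the little-endian encoding of the eight ASCII bytes `in voice`, and the faulting instruction is the `strlen` scan that `vfprintf` performs for a `%s` argument. In other words, the bytes of a string were read as a pointer and then handed to `printf`. The following C program is an added example written for this page, not abcm2ps code: the `utf_1` table is replaced by a small constructed nested table of the same shape (strings and sub-tables both stored as bare `char *`), a lookup in the shape of the quoted snippet reproduces the confusion, `bytes_as_le64` shows the bogus pointer value without dereferencing it, and a hardened lookup over tagged nodes rejects the same path. All table names and sample strings are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (assumption; the real utf_1 is not reproduced).
 * Leaf strings and sub-tables are both stored as bare char *, so nothing
 * at run time says which is which. */
static const char leaf_a[] = "in voice";
static const char leaf_b[] = "bar";
static const char *const sub_2[] = { leaf_a, leaf_b };             /* two leaves   */
static const char *const sub_1[] = { (const char *) sub_2, leaf_b }; /* table + leaf */
static const char *const root[]  = { (const char *) sub_1, leaf_a }; /* stands in for utf_1 */

/* Lookup in the shape of the snippet from the issue. Every level is cast to
 * char ** and indexed, so once a leaf is reached while indices remain, its
 * bytes become the "next" pointer. (0,0,0,0) would read the eight bytes of
 * "in voice" as a pointer; this example never dereferences that result. */
static const char *lookup_unsafe(int i1, int i2, int i3, int i4)
{
    const char **g = NULL;

    if (i1 >= 0 && i2 >= 0) {
        g = (const char **) root[i1];
        if (g) {
            g = (const char **) g[i2];
            if (i3 >= 0 && g) {
                g = (const char **) g[i3];
                if (i4 >= 0 && g)
                    g = (const char **) g[i4];   /* leaf bytes read as a pointer */
            }
        }
    }
    return (const char *) g;
}

/* The value an x86-64 load of the first eight bytes of s produces
 * (little-endian); reproduces the bogus pointer without dereferencing it. */
static uint64_t bytes_as_le64(const char *s)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t) (unsigned char) s[i] << (8 * i);
    return v;
}

/* Triage helper: a "pointer" whose bytes are all printable ASCII is almost
 * certainly string data that was treated as an address. */
static int looks_like_ascii(uint64_t v)
{
    for (int i = 0; i < 8; i++) {
        unsigned c = (unsigned) ((v >> (8 * i)) & 0xff);
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Hardened form: each entry carries its kind and each table its size, so a
 * leaf is never indexed and an index never runs off the end of a table. */
enum node_kind { NODE_TABLE, NODE_LEAF };
struct node {
    enum node_kind kind;
    size_t count;                   /* NODE_TABLE: number of entries */
    const struct node *const *sub;  /* NODE_TABLE: the entries */
    const char *str;                /* NODE_LEAF: the string */
};

static const struct node n_leaf_a = { NODE_LEAF, 0, NULL, "in voice" };
static const struct node n_leaf_b = { NODE_LEAF, 0, NULL, "bar" };
static const struct node *const t2_sub[] = { &n_leaf_a, &n_leaf_b };
static const struct node n_t2 = { NODE_TABLE, 2, t2_sub, NULL };
static const struct node *const t1_sub[] = { &n_t2, &n_leaf_b };
static const struct node n_t1 = { NODE_TABLE, 2, t1_sub, NULL };
static const struct node *const root_sub[] = { &n_t1, &n_leaf_a };
static const struct node n_root = { NODE_TABLE, 2, root_sub, NULL };

/* Walks idx[] up to the first negative index (the snippet's convention).
 * Returns the leaf string, or NULL for any malformed path. */
static const char *lookup_safe(const struct node *t, const int *idx, size_t n)
{
    for (size_t k = 0; k < n && idx[k] >= 0; k++) {
        if (t->kind != NODE_TABLE)          /* leaf reached with indices left */
            return NULL;
        if ((size_t) idx[k] >= t->count)    /* index outside this table */
            return NULL;
        t = t->sub[idx[k]];
        if (!t)
            return NULL;
    }
    return t->kind == NODE_LEAF ? t->str : NULL;  /* must end on a leaf */
}

static const char *lookup_safe4(int i1, int i2, int i3, int i4)
{
    const int idx[4] = { i1, i2, i3, i4 };
    return lookup_safe(&n_root, idx, 4);
}

int main(void)
{
    uint64_t bogus = bytes_as_le64(leaf_a);
    printf("valid path (0,0,0,-1): %s\n", lookup_unsafe(0, 0, 0, -1));
    printf("(0,0,0,0) would yield pointer 0x%llx, ascii=%d\n",
           (unsigned long long) bogus, looks_like_ascii(bogus));
    printf("hardened (0,0,0,0): %s\n", lookup_safe4(0, 0, 0, 0) ? "ok" : "rejected");
    return 0;
}
```

The hardened lookup only works because the table format itself records the kind and size of every node; a bounds check on `i1..i4` alone would not catch this case, since each index here is in range and the fault comes from indexing a leaf as if it were a table.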