From 795d53842d2c18c39e2e8c61436cbc86ec5b8a2b Mon Sep 17 00:00:00 2001 
From: firewave Date: Wed, 14 Feb 2024 09:49:32 +0100 Subject: [PATCH] fixed fuzzing crash AddressSanitizer:DEADLYSIGNAL ================================================================= ==239799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x559dd20fb7f0 bp 0x7fff65cb9cf0 sp 0x7fff65cb96e0 T0) ==239799==The signal is caused by a READ memory access. ==239799==Hint: address points to the zero page. #0 0x559dd20fb7f0 in Token::exprId() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13 #1 0x559dd20fb7f0 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:323:21 #2 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9 #3 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9 #4 0x559dd210c712 in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:350:13 #5 0x559dd210c58c in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:341:5 #6 0x559dd20fec3d in fillProgramMemoryFromConditions(ProgramMemory&, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:356:5 #7 0x559dd20fec3d in ProgramMemoryState::addState(Token const*, std::unordered_map, std::allocator>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:471:5 #8 0x559dd2538e25 in ValueFlowAnalyzer::updateState(Token const*) 
/home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:3046:13 #9 0x559dd1fa7380 in valueFlowGenericForward(Token*, Token const*, ValuePtr const&, TokenList const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/forwardanalyzer.cpp:913:22 #10 0x559dd252f52a in valueFlowForward(Token*, Token const*, Token const*, ValueFlow::Value, TokenList const&, ErrorLogger*, Settings const&, SourceLocation) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:2119:12 #11 0x559dd2579491 in valueFlowSymbolic(TokenList const&, SymbolDatabase const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:5513:13 #12 0x559dd2579491 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*)::$_10::operator()(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, std::set, std::allocator> const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9565:9 #13 0x559dd2579491 in ValueFlowPassAdaptor::run(ValueFlowState const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9500:9 #14 0x559dd24dfda4 in ValueFlowPassRunner::run(ValuePtr const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9428:19 #15 0x559dd24df868 in ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)::operator()(ValuePtr const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9385:20 #16 0x559dd24df868 in bool __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>::operator() const*>(ValuePtr const*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/predefined_ops.h:318:16 #17 0x559dd24df868 in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>>(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred>) 
const::'lambda'(ValuePtr const&)>, std::random_access_iterator_tag) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2080:8 #18 0x559dd24ac9b3 in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>>(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2117:14 #19 0x559dd24ac9b3 in ValuePtr const* std::find_if const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:3923:14 #20 0x559dd24ac9b3 in bool std::none_of const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:477:24 #21 0x559dd24ac9b3 in bool std::any_of const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:496:15 #22 0x559dd24ac9b3 in ValueFlowPassRunner::run_once(std::initializer_list>) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9384:16 #23 0x559dd24ac9b3 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9554:12 #24 0x559dd2392276 in 
Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenize.cpp:3395:13 #25 0x559dd1ed4304 in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:906:32 #26 0x559dd1ee0521 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #27 0x559dd18e9d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #28 0x559dd1790538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #29 0x559dd1791210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #30 0x559dd17922a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #31 0x559dd17930c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #32 0x559dd17735b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #33 0x559dd16f7fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #34 0x7feca7a45ccf (/usr/lib/libc.so.6+0x27ccf) 
(BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #35 0x7feca7a45d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #36 0x559dd175d354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13 in Token::exprId() const ==239799==ABORTING
--- lib/programmemory.cpp | 2 +- .../crash-9ef938bba7d752386e24f2438c73cec66f6b972b | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b
diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp
index 6b082514f14..b5558233206 100644
--- a/lib/programmemory.cpp
+++ b/lib/programmemory.cpp
@@ -320,7 +320,7 @@ void programMemoryParseCondition(ProgramMemory& pm, const Token* tok, const Toke
 else
 pm.setIntValue(tok, 0, then);
 }
- } else if (tok->exprId() > 0) {
+ } else if (tok && tok->exprId() > 0) {
 if (endTok && findExpressionChanged(tok, tok->next(), endTok, settings, true))
 return;
 pm.setIntValue(tok, 0, then);
diff --git a/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b
new file mode 100644
index 00000000000..cf4921c19c7
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b
@@ -0,0 +1,12 @@
+#include
+sho main()
+{
+ std::veCtor items(2);
+ stdtryector::iterator iter;
+ for (iter -= items.begin(); i&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&ter != items.end();) {
+ if (*iter == 2) {
+ iter = items.erase//(iter);
+ } else {
+ }
+ }
+}
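Review bot: The new `tok &&` guard protects only the branch the fuzzer happened to reach; the trace shows `tok` arriving null through the recursive calls at programmemory.cpp:307 (frames #2/#3), presumably a missing AST operand, so every branch of this `if`/`else if` chain and the `findExpressionChanged(tok, tok->next(), ...)` / `pm.setIntValue(tok, 0, then)` calls share the same precondition, and the earlier branches stay safe only as long as whatever they call tolerates a null token. A single early exit at the top of programMemoryParseCondition, `if (!tok) return;`, states that precondition once and covers branches added later, instead of depending on a per-site check; the guard added here is still correct and can stay as belt-and-braces. Since this runs on attacker-chosen source (fuzzed or untrusted project files analysed in CI), a null read is a denial-of-service of the analyser rather than memory corruption, but a function-wide guard is the cheaper way to keep it closed. programMemoryParseCondition starts and ends outside the hunk, so I cannot see whether such a guard already exists on the remaining branches.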