From 1f2e49e9ccabafc92ecae1cb09638a6c102ad0e2 Mon Sep 17 00:00:00 2001 
From: firewave Date: Thu, 15 Feb 2024 09:35:32 +0100 Subject: [PATCH] fixed fuzzing crash ==332324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x5602eb271504 bp 0x7ffe7cc5b430 sp 0x7ffe7cc5b420 T0) ==332324==The signal is caused by a READ memory access. ==332324==Hint: address points to the zero page. #0 0x5602eb271504 in previous /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16 #1 0x5602eb271504 in tokAtImpl /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:796:20 #2 0x5602eb271504 in tokAt /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:804:12 #3 0x5602eb271504 in Token::strAt[abi:cxx11](int) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:834:30 #4 0x5602ea7a2a76 in skipPointers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7573:18 #5 0x5602ea7a4555 in skipPointersAndQualifiers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7588:11 #6 0x5602ea79fc18 in Scope::isVariableDeclaration(Token const*, Token const*&, Token const*&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7639:27 #7 0x5602ea704b0b in Scope::checkVariable(Token const*, AccessControl, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7520:16 #8 0x5602ea79adc0 in Scope::getVariableList(Settings const&, Token const*, Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7466:15 #9 0x5602ea6b687d in getVariableList /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7358:9 #10 0x5602ea6b687d in SymbolDatabase::createSymbolDatabaseVariableInfo() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:3376:15 #11 0x5602ea699ec3 in SymbolDatabase::SymbolDatabase(Tokenizer&, Settings const&, ErrorLogger*) 
/home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:2616:5 #12 0x5602ea4e75f7 in createSymbolDatabase /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:17214:31 #13 0x5602ea4e75f7 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10687:9 #14 0x5602eae99afd in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:909:32 #15 0x5602eaea4e81 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12 #16 0x5602eb321fa4 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18 #17 0x5602e9feb1e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #18 0x5602e9febec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x683ec0) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #19 0x5602e9fecf51 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x684f51) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #20 0x5602e9fedd77 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x685d77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #21 0x5602e9fce262 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666262) (BuildId: 
0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #22 0x5602e9f53f77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) #23 0x7f9479558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #24 0x7f9479558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #25 0x5602e9fb8004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16 in previous
---
 lib/symboldatabase.cpp | 2 +-
 .../fuzz-crash/crash-8a24e81ac1d7627233a227e6cc156dd20d57b058 | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/fuzz-crash/crash-8a24e81ac1d7627233a227e6cc156dd20d57b058
diff --git a/lib/symboldatabase.cpp b/lib/symboldatabase.cpp
index a14b78e7015..ab8a6fe080f 100644
--- a/lib/symboldatabase.cpp
+++ b/lib/symboldatabase.cpp
@@ -5030,7 +5030,7 @@ static const Token* skipPointers(const Token* tok)
 {
     while (Token::Match(tok, "*|&|&&") || (Token::Match(tok, "( [*&]") && Token::Match(tok->link()->next(), "(|["))) {
         tok = tok->next();
-        if (tok->strAt(-1) == "(" && Token::Match(tok, "%type% ::"))
+        if (tok && tok->strAt(-1) == "(" && Token::Match(tok, "%type% ::"))
             tok = tok->tokAt(2);
     }
diff --git a/test/cli/fuzz-crash/crash-8a24e81ac1d7627233a227e6cc156dd20d57b058 b/test/cli/fuzz-crash/crash-8a24e81ac1d7627233a227e6cc156dd20d57b058
new file mode 100644
index 00000000000..cfb3a566403
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-8a24e81ac1d7627233a227e6cc156dd20d57b058
@@ -0,0 +1,2 @@
+#i~clude