Segmentation fault at line 430 in ucl_emitter.c
A segmentation fault occurs in the program below. AddressSanitizer reports it at ucl_emitter.c:430 in ucl_emitter_common_elt(), reached from ucl_object_emit_streamline_add_object(), which the program calls with a NULL object as its last step.
#include "ucl.h"
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <math.h>
/* Harness-generated aliases for the fixed-width types. Only u8 is used by
 * main() below (the seed buffer); the remaining typedefs are unused. */
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;
typedef unsigned int usize; /* note: not size_t; unused here */
typedef int8_t i8;
typedef int16_t i16;
typedef int32_t i32;
typedef int64_t i64;
typedef int isize;          /* note: not ptrdiff_t; unused here */
typedef float f32;
typedef double f64;
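/*
 * Reproducer for the report above.
 *
 * Builds one scalar ucl object, attaches an fd-backed emitter to the file
 * named by argv[1], opens and closes a streamline container, and finally
 * calls ucl_object_emit_streamline_add_object() with a NULL object.  That
 * last call is the trigger: the emitter dereferences the object it is
 * given (the zero-page READ at ucl_emitter.c:430 in the ASan trace), and
 * passing NULL violates the API's precondition.  The crash therefore
 * demonstrates caller misuse, not a library defect.
 *
 * Compared with the original harness, every setup step is now checked
 * (argc, malloc, fopen, fwrite, fflush, fileno) so that a failure in the
 * setup cannot be confused with the crash under investigation, and the
 * stdio buffer is flushed before the raw descriptor is handed to libucl.
 *
 * Returns 0 on the library-NULL early exits (as before) and 1 on harness
 * errors.  The trigger call does not return.
 */
int main(int argc, char** argv) {
	int rc = 0;
	u8 *file_buf = NULL;
	FILE *out = NULL;
	struct ucl_object_s *obj = NULL;

	/* argv[1] was dereferenced unconditionally before; reject a missing path. */
	if (argc < 2 || argv[1] == NULL) {
		fprintf(stderr, "usage: %s <output-file>\n", argc > 0 ? argv[0] : "reproducer");
		return 1;
	}

	/* 7 is UCL_TIME in ucl.h: a scalar, not a container (the original
	 * harness still "starts a container" on it below; kept as-is). */
	enum ucl_type type_ = { 7, };
	obj = ucl_object_typed_new(type_);
	if (obj == NULL) goto out;

	/* 0 is UCL_EMIT_JSON; the trace confirms the JSON path (ucl_emit_json_elt). */
	enum ucl_emitter emit_type = { 0, };

	/* Two seed bytes are written to the output file before libucl sees it. */
	u8 seed[] = {113, 0, };
	file_buf = malloc(sizeof seed);
	if (file_buf == NULL) { rc = 1; goto out; }
	memcpy(file_buf, seed, sizeof seed);

	/* Note: argv[1] is opened for WRITING and truncated; the PoC file's
	 * contents are never read, so any writable path reproduces this. */
	out = fopen(argv[1], "wb");
	if (out == NULL) { perror(argv[1]); rc = 1; goto out; }
	if (fwrite(file_buf, sizeof seed, 1, out) != 1) { rc = 1; goto out; }
	/* The fd emitter bypasses stdio's buffer; flush so the seed bytes land
	 * before any emitter output instead of after it (or never, on crash). */
	if (fflush(out) != 0) { rc = 1; goto out; }

	int fd = fileno(out);
	if (fd < 0) { rc = 1; goto out; }
	struct ucl_emitter_functions *emitter = ucl_object_emit_fd_funcs(fd);
	if (emitter == NULL) goto out;
	struct ucl_emitter_context *ctx = ucl_object_emit_streamline_new(obj, emit_type, emitter);
	if (ctx == NULL) goto out;

	ucl_object_emit_streamline_start_container(ctx, obj);
	ucl_object_emit_streamline_end_container(ctx);

	/* TRIGGER: NULL is not a valid object for the emitter.  libucl does not
	 * (and is not required to) guard against it; the resulting NULL-pointer
	 * read is the SEGV in the report.  A real harness must never pass NULL. */
	struct ucl_object_s *target = NULL;
	ucl_object_emit_streamline_add_object(ctx, target);
	/* NOTE(review): ctx/emitter are not released here because control does
	 * not return from the call above; if the trigger is removed, finish the
	 * streamline context and free the emitter functions before returning. */

out:
	if (out != NULL && fclose(out) != 0) rc = 1;
	free(file_buf);
	if (obj != NULL) ucl_object_unref(obj);
	return rc;
}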
Test Environment
Ubuntu 22.04, 64bit
How to trigger
./reproducer poc   (argv[1] is opened with "wb" and overwritten; the PoC file's contents are never read, so any writable path triggers the crash)
POC File
https://github.com/FuturesLab/POC/blob/main/ucl/hop-poc19
Version
Latest: f897d5a0fed3a4474a4c3137c7b92853845fed47
Address Sanitizer Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1683308==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002e (pc 0x5555557a66d5 bp 0x7fffffffd0f0 sp 0x7fffffffc7e0 T0)
==1683308==The signal is caused by a READ memory access.
==1683308==Hint: address points to the zero page.
#0 0x5555557a66d5 in ucl_emitter_common_elt /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter.c:430:15
#1 0x5555557a2d9a in ucl_emit_json_elt /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter.c:537:1
#2 0x55555575afab in ucl_object_emit_streamline_add_object /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter_streamline.c:149:2
#3 0x5555556ae2e6 in main /home/gabesherman/harness_test/AutoHarn-Results/ucl/hopper-19/reproducer.c:42:5
#4 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#6 0x5555555f03f4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/ucl/hopper-19/reproducer+0x9c3f4) (BuildId: cf4a05e722932a2507e614e067b5eeabfbc5db26)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter.c:430:15 in ucl_emitter_common_elt
==1683308==ABORTING
You cannot emit NULL — this is clearly a misuse of the API, not a library bug. The harness passes a NULL object to ucl_object_emit_streamline_add_object(); the emitter dereferences the object it is asked to emit, which is the zero-page READ (address 0x2e) that ASan reports at ucl_emitter.c:430. A caller that violates that precondition gets a deterministic NULL-pointer read, not an exploitable memory-safety condition, so the fix belongs in the harness: do not pass NULL.