Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fixed fuzzing crash in simplecpp::Macro::expandToken() #345

Merged
merged 1 commit into from
Feb 27, 2024
Merged

fixed fuzzing crash in simplecpp::Macro::expandToken() #345

merged 1 commit into from
Feb 27, 2024

Conversation

firewave
Copy link
Collaborator 

/usr/bin/../include/c++/v1/vector:570:16: runtime error: reference binding to null pointer of type 'const value_type' (aka 'const simplecpp::Token *const')
    #0 0x641340cb01e2 in front /usr/bin/../include/c++/v1/vector:570:9
    #1 0x641340cb01e2 in simplecpp::Macro::expandToken(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::set<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<simplecpp::Token const*, std::__1::allocator<simplecpp::Token const*>> const&) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1994:49
    #2 0x641340ca99ee in simplecpp::Macro::expand(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::set<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>, bool) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1887:31
    #3 0x641340ca4c53 in simplecpp::Macro::expand(simplecpp::TokenList*, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1529:26
    #4 0x641340c74fa5 in preprocessToken(simplecpp::TokenList&, simplecpp::Token const**, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>>&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::list<simplecpp::Output, std::__1::allocator<simplecpp::Output>>*) /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:3210:32
    #5 0x641340c60ba7 in simplecpp::preprocess(simplecpp::TokenList&, simplecpp::TokenList const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::TokenList*, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::TokenList*>>>&, simplecpp::DUI const&, std::__1::list<simplecpp::Output, std::__1::allocator<simplecpp::Output>>*, std::__1::list<simplecpp::MacroUsage, std::__1::allocator<simplecpp::MacroUsage>>*, std::__1::list<simplecpp::IfCond, std::__1::allocator<simplecpp::IfCond>>*) /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:3681:14
    #6 0x641340cece61 in LLVMFuzzerTestOneInput /home/user/CLionProjects/simplecpp-rider/fuzz.cpp:31:5
    #7 0x641340ad3168 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xd3168) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    #8 0x641340ad3866 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, std::allocator<unsigned char>> const&) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xd3866) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    #9 0x641340aa9a8b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xa9a8b) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    #10 0x641340ab6198 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xb6198) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    #11 0x641340a9d947 in main (/home/user/CLionProjects/simplecpp-rider/fuzz+0x9d947) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    #12 0x7e81557e7ccf  (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    #13 0x7e81557e7d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    #14 0x641340a9ff84 in _start (/home/user/CLionProjects/simplecpp-rider/fuzz+0x9ff84) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/bin/../include/c++/v1/vector:570:16 in

firewave
firewave commented Feb 22, 2024
View reviewed changes
simplecpp.cpp
@@ -1984,7 +1984,7 @@ namespace simplecpp {
if (paren == 0)
return tok->next->next;
tok = tok->next;
if (parametertokens.front()->next->str() != ")" && parametertokens.size() > args.size())
if (parametertokens.size() > args.size() && parametertokens.front()->next->str() != ")")
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like something we could/should detect. I filed https://trac.cppcheck.net/ticket/12466 about it.

@firewave
fixed fuzzing crash in simplecpp::Macro::expandToken()
67a5466 
/usr/bin/../include/c++/v1/vector:570:16: runtime error: reference binding to null pointer of type 'const value_type' (aka 'const simplecpp::Token *const')
    #0 0x641340cb01e2 in front /usr/bin/../include/c++/v1/vector:570:9
    danmar#1 0x641340cb01e2 in simplecpp::Macro::expandToken(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::set<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<simplecpp::Token const*, std::__1::allocator<simplecpp::Token const*>> const&) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1994:49
    danmar#2 0x641340ca99ee in simplecpp::Macro::expand(simplecpp::TokenList*, simplecpp::Location const&, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::set<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>, bool) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1887:31
    danmar#3 0x641340ca4c53 in simplecpp::Macro::expand(simplecpp::TokenList*, simplecpp::Token const*, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&) const /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:1529:26
    danmar#4 0x641340c74fa5 in preprocessToken(simplecpp::TokenList&, simplecpp::Token const**, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::Macro, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::Macro>>>&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::list<simplecpp::Output, std::__1::allocator<simplecpp::Output>>*) /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:3210:32
    danmar#5 0x641340c60ba7 in simplecpp::preprocess(simplecpp::TokenList&, simplecpp::TokenList const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>&, std::__1::map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, simplecpp::TokenList*, std::__1::less<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, simplecpp::TokenList*>>>&, simplecpp::DUI const&, std::__1::list<simplecpp::Output, std::__1::allocator<simplecpp::Output>>*, std::__1::list<simplecpp::MacroUsage, std::__1::allocator<simplecpp::MacroUsage>>*, std::__1::list<simplecpp::IfCond, std::__1::allocator<simplecpp::IfCond>>*) /home/user/CLionProjects/simplecpp-rider/simplecpp.cpp:3681:14
    danmar#6 0x641340cece61 in LLVMFuzzerTestOneInput /home/user/CLionProjects/simplecpp-rider/fuzz.cpp:31:5
    danmar#7 0x641340ad3168 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xd3168) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    danmar#8 0x641340ad3866 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, std::allocator<unsigned char>> const&) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xd3866) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    danmar#9 0x641340aa9a8b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xa9a8b) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    danmar#10 0x641340ab6198 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/simplecpp-rider/fuzz+0xb6198) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    danmar#11 0x641340a9d947 in main (/home/user/CLionProjects/simplecpp-rider/fuzz+0x9d947) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)
    danmar#12 0x7e81557e7ccf  (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    danmar#13 0x7e81557e7d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    danmar#14 0x641340a9ff84 in _start (/home/user/CLionProjects/simplecpp-rider/fuzz+0x9ff84) (BuildId: c67f7ae0ae4f90bce06e963fc0d95c2c7f3417a7)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/bin/../include/c++/v1/vector:570:16 in
@danmar danmar merged commit c5c02ff into danmar:master Feb 27, 2024
14 checks passed
@firewave firewave deleted the fuzz-crash branch February 27, 2024 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@firewave @danmar