A crash in ast.hpp #3024

Closed
E4ck opened this issue Oct 30, 2019 · 0 comments · Fixed by #3027


E4ck commented Oct 30, 2019

A crash in libsass-3.6.2/src/ast.hpp:153:5 in Sass::Expression::is_interpolant() const

Compile and reproduce:
C=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4

Version: libsass-3.6.2, sassc-3.6.1

Poc: crash_140.zip

Run: cat crash140 | ./sassc

ASAN:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4261==ERROR: AddressSanitizer: SEGV on unknown address 0x00000036 (pc 0x0876c023 bp 0xbf88c808 sp 0xbf88c580 T0)
==4261==The signal is caused by a READ memory access.
==4261==Hint: address points to the zero page.
    #0 0x876c022 in Sass::Expression::is_interpolant() const /home/eack/libsass-3.6.2/src/ast.hpp:153:5
    #1 0x876c022 in Sass::Eval::operator()(Sass::String_Schema*) /home/eack/libsass-3.6.2/src/eval.cpp:1279:35
    #2 0x87257e8 in Sass::String_Schema::perform(Sass::Operation<Sass::Expression*>*) /home/eack/libsass-3.6.2/src/ast_values.hpp:412:5
    #3 0x87257e8 in Sass::Eval::operator()(Sass::Binary_Expression*) /home/eack/libsass-3.6.2/src/eval.cpp:710:28
    #4 0x8afd36c in Sass::Binary_Expression::perform(Sass::Operation<Sass::Expression*>*) /home/eack/libsass-3.6.2/src/ast_values.hpp:130:5
    #5 0x87bfb57 in Sass::Expand::operator()(Sass::Declaration*) /home/eack/libsass-3.6.2/src/expand.cpp:317:31
    #6 0x8a9fbba in Sass::Declaration::perform(Sass::Operation<Sass::Statement*>*) /home/eack/libsass-3.6.2/src/ast.hpp:611:5
    #7 0x88073ed in Sass::Expand::append_block(Sass::Block*) /home/eack/libsass-3.6.2/src/expand.cpp:838:32
    #8 0x87a366c in Sass::Expand::operator()(Sass::Block*) /home/eack/libsass-3.6.2/src/expand.cpp:140:11
    #9 0x87a7c7b in Sass::Expand::operator()(Sass::Ruleset*) /home/eack/libsass-3.6.2/src/expand.cpp:196:27
    #10 0x8a9d3ca in Sass::Ruleset::perform(Sass::Operation<Sass::Statement*>*) /home/eack/libsass-3.6.2/src/ast.hpp:540:5
    #11 0x88073ed in Sass::Expand::append_block(Sass::Block*) /home/eack/libsass-3.6.2/src/expand.cpp:838:32
    #12 0x87a366c in Sass::Expand::operator()(Sass::Block*) /home/eack/libsass-3.6.2/src/expand.cpp:140:11
    #13 0x82a28f5 in Sass::Context::compile() /home/eack/libsass-3.6.2/src/context.cpp:650:12
    #14 0x829ece6 in Sass::File_Context::parse() /home/eack/libsass-3.6.2/src/context.cpp:579:12
    #15 0x823eb26 in Sass::sass_parse_block(Sass_Compiler*) /home/eack/libsass-3.6.2/src/sass_context.cpp:180:31
    #16 0x823eb26 in sass_compiler_parse /home/eack/libsass-3.6.2/src/sass_context.cpp:434:22
    #17 0x823dd32 in sass_compile_context(Sass_Context*, Sass::Context*) /home/eack/libsass-3.6.2/src/sass_context.cpp:317:7
    #18 0x823e09c in sass_compile_file_context /home/eack/libsass-3.6.2/src/sass_context.cpp:421:12
    #19 0x822e52d in compile_file /home/eack/sassc-3.6.1/sassc.c:158:5
    #20 0x822fce6 in main /home/eack/sassc-3.6.1/sassc.c:370:18
    #21 0xb7bd3636 in __libc_start_main /build/glibc-GoSbp4/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x8185547 in _start (/home/eack/sassc-3.6.1/bin/sassc+0x8185547)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/eack/libsass-3.6.2/src/ast.hpp:153:5 in Sass::Expression::is_interpolant() const
==4261==ABORTING

Valgrind:

==9589== Memcheck, a memory error detector
==9589== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==9589== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==9589== Command: ./sassc_org /home/eack/dj_crashes/140
==9589== 
==9589== Invalid read of size 1
==9589==    at 0x82EFEB9: is_interpolant (ast.hpp:153)
==9589==    by 0x82EFEB9: Sass::Eval::operator()(Sass::String_Schema*) (eval.cpp:1279)
==9589==    by 0x82D856F: perform (ast_values.hpp:412)
==9589==    by 0x82D856F: Sass::Eval::operator()(Sass::Binary_Expression*) (eval.cpp:710)
==9589==    by 0x8479FD7: Sass::Binary_Expression::perform(Sass::Operation<Sass::Expression*>*) (ast_values.hpp:130)
==9589==    by 0x8309445: Sass::Expand::operator()(Sass::Declaration*) (expand.cpp:317)
==9589==    by 0x8451974: Sass::Declaration::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:611)
==9589==    by 0x831F7BE: Sass::Expand::append_block(Sass::Block*) (expand.cpp:838)
==9589==    by 0x8302044: Sass::Expand::operator()(Sass::Block*) (expand.cpp:140)
==9589==    by 0x8303E08: Sass::Expand::operator()(Sass::Ruleset*) (expand.cpp:196)
==9589==    by 0x8450464: Sass::Ruleset::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:540)
==9589==    by 0x831F7BE: Sass::Expand::append_block(Sass::Block*) (expand.cpp:838)
==9589==    by 0x8302044: Sass::Expand::operator()(Sass::Block*) (expand.cpp:140)
==9589==    by 0x80E278F: Sass::Context::compile() (context.cpp:650)
==9589==  Address 0x36 is not stack'd, malloc'd or (recently) free'd
==9589== 
==9589== 
==9589== Process terminating with default action of signal 11 (SIGSEGV)
==9589==  Access not within mapped region at address 0x36
==9589==    at 0x82EFEB9: is_interpolant (ast.hpp:153)
==9589==    by 0x82EFEB9: Sass::Eval::operator()(Sass::String_Schema*) (eval.cpp:1279)
==9589==    by 0x82D856F: perform (ast_values.hpp:412)
==9589==    by 0x82D856F: Sass::Eval::operator()(Sass::Binary_Expression*) (eval.cpp:710)
==9589==    by 0x8479FD7: Sass::Binary_Expression::perform(Sass::Operation<Sass::Expression*>*) (ast_values.hpp:130)
==9589==    by 0x8309445: Sass::Expand::operator()(Sass::Declaration*) (expand.cpp:317)
==9589==    by 0x8451974: Sass::Declaration::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:611)
==9589==    by 0x831F7BE: Sass::Expand::append_block(Sass::Block*) (expand.cpp:838)
==9589==    by 0x8302044: Sass::Expand::operator()(Sass::Block*) (expand.cpp:140)
==9589==    by 0x8303E08: Sass::Expand::operator()(Sass::Ruleset*) (expand.cpp:196)
==9589==    by 0x8450464: Sass::Ruleset::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:540)
==9589==    by 0x831F7BE: Sass::Expand::append_block(Sass::Block*) (expand.cpp:838)
==9589==    by 0x8302044: Sass::Expand::operator()(Sass::Block*) (expand.cpp:140)
==9589==    by 0x80E278F: Sass::Context::compile() (context.cpp:650)
==9589==  If you believe this happened as a result of a stack
==9589==  overflow in your program's main thread (unlikely but
==9589==  possible), you can try to increase the size of the
==9589==  main thread stack using the --main-stacksize= flag.
==9589==  The main thread stack size used in this run was 8388608.
==9589== 
==9589== HEAP SUMMARY:
==9589==     in use at exit: 86,408 bytes in 1,194 blocks
==9589==   total heap usage: 1,686 allocs, 492 frees, 108,193 bytes allocated
==9589== 
==9589== 184 (88 direct, 96 indirect) bytes in 1 blocks are definitely lost in loss record 766 of 806
==9589==    at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9589==    by 0x82FDC05: Sass::Eval::operator()(Sass::SelectorList*) (eval_selectors.cpp:14)
==9589==    by 0x82F8FF4: Sass::Eval::operator()(Sass::Parent_Reference*) (eval.cpp:1520)
==9589==    by 0x847E207: Sass::Parent_Reference::perform(Sass::Operation<Sass::Expression*>*) (ast_values.hpp:493)
==9589==    by 0x82D83D1: Sass::Eval::operator()(Sass::Binary_Expression*) (eval.cpp:708)
==9589==    by 0x8479FD7: Sass::Binary_Expression::perform(Sass::Operation<Sass::Expression*>*) (ast_values.hpp:130)
==9589==    by 0x8309445: Sass::Expand::operator()(Sass::Declaration*) (expand.cpp:317)
==9589==    by 0x8451974: Sass::Declaration::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:611)
==9589==    by 0x831F7BE: Sass::Expand::append_block(Sass::Block*) (expand.cpp:838)
==9589==    by 0x8302044: Sass::Expand::operator()(Sass::Block*) (expand.cpp:140)
==9589==    by 0x8303E08: Sass::Expand::operator()(Sass::Ruleset*) (expand.cpp:196)
==9589==    by 0x8450464: Sass::Ruleset::perform(Sass::Operation<Sass::Statement*>*) (ast.hpp:540)
==9589== 
==9589== LEAK SUMMARY:
==9589==    definitely lost: 88 bytes in 1 blocks
==9589==    indirectly lost: 96 bytes in 3 blocks
==9589==      possibly lost: 0 bytes in 0 blocks
==9589==    still reachable: 86,224 bytes in 1,190 blocks
==9589==         suppressed: 0 bytes in 0 blocks
==9589== Reachable blocks (those to which a pointer was found) are not shown.
==9589== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==9589== 
==9589== For counts of detected and suppressed errors, rerun with: -v
==9589== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault
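As an added triage example (not code from this issue or from the libsass project), the script below parses an AddressSanitizer report like the one above into the fields a fuzzing-queue triage needs: error kind, faulting address, read/write, whether the address lies in the zero page (the NULL-offset dereference the ASan hint points at here), and the first frame inside the project tree rather than in libc. The embedded report is a constructed excerpt of the issue's own ASan output; `project_root` is an assumed argument naming the checkout path.

```python
import re

# Constructed excerpt of the ASan report quoted in the issue (abbreviated to
# the lines the triage needs; frame numbers are the issue's own).
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==4261==ERROR: AddressSanitizer: SEGV on unknown address 0x00000036 (pc 0x0876c023 bp 0xbf88c808 sp 0xbf88c580 T0)
==4261==The signal is caused by a READ memory access.
==4261==Hint: address points to the zero page.
    #0 0x876c022 in Sass::Expression::is_interpolant() const /home/eack/libsass-3.6.2/src/ast.hpp:153:5
    #1 0x876c022 in Sass::Eval::operator()(Sass::String_Schema*) /home/eack/libsass-3.6.2/src/eval.cpp:1279:35
    #21 0xb7bd3636 in __libc_start_main /build/glibc-GoSbp4/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: SEGV /home/eack/libsass-3.6.2/src/ast.hpp:153:5 in Sass::Expression::is_interpolant() const
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+:\d+(?::\d+)?)\s*$")

def parse_asan(report: str, project_root: str) -> dict:
    """Extract kind, address, access type and frames; remember the first
    frame whose source location is under project_root (assumed path)."""
    info = {"kind": None, "address": None, "access": None,
            "null_deref": False, "frames": [], "top_project_frame": None}
    for line in report.splitlines():
        m = ERROR_RE.search(line)
        if m:
            info["kind"] = m.group("kind")
            info["address"] = int(m.group("addr"), 16)
            # ASan's "zero page" hint corresponds to addresses below 4096
            info["null_deref"] = info["address"] < 0x1000
        m = ACCESS_RE.search(line)
        if m:
            info["access"] = m.group("access")
        m = FRAME_RE.match(line)
        if m:
            frame = {"n": int(m.group("n")), "func": m.group("func"), "loc": m.group("loc")}
            info["frames"].append(frame)
            if info["top_project_frame"] is None and frame["loc"].startswith(project_root):
                info["top_project_frame"] = frame
    return info

def severity(info: dict) -> str:
    """Coarse bucket for sorting a crash queue: a READ from the zero page is
    a NULL dereference (denial of service); other SEGVs need a closer look."""
    if info["kind"] == "SEGV" and info["null_deref"] and info["access"] == "READ":
        return "null-deref-read"
    if info["kind"] == "SEGV":
        return "segv-investigate"
    return info["kind"] or "unknown"
```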