There is an out-of-bounds read in the function TclObjLookupVarEx. It can be seen by running the test http11.test with AddressSanitizer enabled. To reproduce:
./configure CFLAGS="-fsanitize=address -g"; make; make test
This is the line of code where it happens (tclVar.c:677):
if (!parsed && (*(part1 + len1 - 1) == ')')) {
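The sanitizer report below says the 1-byte read lands one byte to the left of tclEmptyString, a global of size 1, which is consistent with len1 being 0 so that part1 + len1 - 1 points just before the string. The following C is an added example, not Tcl's code: it models the check on this line with a minimal function, and beside it the bounds-checked form that tests the length before indexing. The function names and the use of int for len1 are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Tcl's code. Models the check at tclVar.c:677 in
 * the report: a variable name is treated as an array reference
 * "name(index)" when its last character is ')'.
 *
 * With len1 == 0 (assumed cause, matching the sanitizer's "1 byte to
 * the left of tclEmptyString"), part1 + len1 - 1 is part1 - 1, a read
 * before the start of the buffer. */

/* Mirrors the original test. Undefined behaviour when len1 == 0. */
static int looks_like_array_unchecked(const char *part1, int len1)
{
    return *(part1 + len1 - 1) == ')';
}

/* Hardened form: the length check short-circuits the index so an
 * empty name never dereferences part1[-1]. */
static int looks_like_array_checked(const char *part1, int len1)
{
    return len1 > 0 && part1[len1 - 1] == ')';
}

/* Caller-side use of the checked test: returns the offset of the '('
 * that splits "name(index)", or -1 when the name is not an array ref. */
static long array_open_paren(const char *part1, int len1)
{
    if (!looks_like_array_checked(part1, len1)) {
        return -1;
    }
    const char *open = memchr(part1, '(', (size_t)len1);
    return open ? (long)(open - part1) : -1;
}

int main(void)
{
    /* Constructed inputs: an array reference, a plain name, and the
     * empty name that triggers the sanitizer report. */
    long r1 = array_open_paren("arr(idx)", 8);   /* 3 */
    long r2 = array_open_paren("plain", 5);      /* -1 */
    long r3 = array_open_paren("", 0);           /* -1, no OOB read */
    return (r1 == 3 && r2 == -1 && r3 == -1) ? 0 : 1;
}
```

Only the checked form is ever called with a zero-length name here; the unchecked one is kept for comparison and is only safe to call when len1 is at least 1. Under AddressSanitizer the unchecked read on an empty string is exactly the global-buffer-overflow shown in the report.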
Full AddressSanitizer error:
==20827==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2f3ea97bf at pc 0x7fe2f3b513ab bp 0x7ffeff9179f0 sp 0x7ffeff9179e0
READ of size 1 at 0x7fe2f3ea97bf thread T0
#0 0x7fe2f3b513aa in TclObjLookupVarEx /mnt/ram/tcl8.6.4/generic/tclVar.c:677
#1 0x7fe2f3b52e01 in Tcl_ObjSetVar2 /mnt/ram/tcl8.6.4/generic/tclVar.c:1788
#2 0x7fe2f388f3eb in Tcl_RegexpObjCmd /mnt/ram/tcl8.6.4/generic/tclCmdMZ.c:416
#3 0x7fe2f3848a1b in TclNRRunCallbacks /mnt/ram/tcl8.6.4/generic/tclBasic.c:4392
#4 0x7fe2f3a8894e in TclChannelEventScriptInvoker /mnt/ram/tcl8.6.4/generic/tclIO.c:8760
#5 0x7fe2f3a97abc in Tcl_NotifyChannel /mnt/ram/tcl8.6.4/generic/tclIO.c:8259
#6 0x7fe2f3a97d23 in ChannelTimerProc /mnt/ram/tcl8.6.4/generic/tclIO.c:8420
#7 0x7fe2f3b2bb18 in TimerHandlerEventProc /mnt/ram/tcl8.6.4/generic/tclTimer.c:593
#8 0x7fe2f3adc523 in Tcl_ServiceEvent /mnt/ram/tcl8.6.4/generic/tclNotify.c:670
#9 0x7fe2f3adcd08 in Tcl_DoOneEvent /mnt/ram/tcl8.6.4/generic/tclNotify.c:967
#10 0x7fe2f3a34bfe in Tcl_VwaitObjCmd /mnt/ram/tcl8.6.4/generic/tclEvent.c:1413
#11 0x7fe2f3848a1b in TclNRRunCallbacks /mnt/ram/tcl8.6.4/generic/tclBasic.c:4392
#12 0x7fe2f384f0b1 in TclEvalEx /mnt/ram/tcl8.6.4/generic/tclBasic.c:5261
#13 0x7fe2f3aba7ee in Tcl_FSEvalFileEx /mnt/ram/tcl8.6.4/generic/tclIOUtil.c:1815
#14 0x7fe2f3acd91c in Tcl_MainEx /mnt/ram/tcl8.6.4/generic/tclMain.c:417
#15 0x401713 in main /mnt/ram/tcl8.6.4/unix/tclAppInit.c:84
#16 0x7fe2f2ac8f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#17 0x401866 (/mnt/ram/tcl8.6.4/unix/tcltest+0x401866)
0x7fe2f3ea97bf is located 1 bytes to the left of global variable 'tclEmptyString' from '/mnt/ram/tcl8.6.4/generic/tclObj.c' (0x7fe2f3ea97c0) of size 1
'tclEmptyString' is ascii string ''
0x7fe2f3ea97bf is located 55 bytes to the right of global variable 'dataKey' from '/mnt/ram/tcl8.6.4/generic/tclObj.c' (0x7fe2f3ea9780) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/tcl8.6.4/generic/tclVar.c:677 TclObjLookupVarEx
Shadow bytes around the buggy address:
0x0ffcde7cd2a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0ffcde7cd2b0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd2c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd2d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0ffcde7cd2e0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ffcde7cd2f0: 00 f9 f9 f9 f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd300: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd310: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffcde7cd320: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd330: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ffcde7cd340: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe