Submission #769774: rxi fe master-branch Out-of-Bounds Read (Info)

Title: rxi fe master-branch Out-of-Bounds Read
Description:

### Description

The crash occurs within the read_ function in src/fe.c at line 516, leading to an invalid read access of size 1.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Affected Version: master-branch
- Build Configuration: Release mode with ASan enabled.

### Reproduce

1. Build fe with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0211/blob/main/fe/repro):

```
./fe repro
```

<details>
<summary>ASAN report</summary>

```
==3550135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5f51d562d067 at pc 0x5f51d560c8fd bp 0x7ffeb5199d90 sp 0x7ffeb5199d88
READ of size 1 at 0x5f51d562d067 thread T0
    #0 0x5f51d560c8fc in read_ /home/cobot001/src/fe/src/fe.c:516:43
    #1 0x5f51d560c165 in read_ /home/cobot001/src/fe/src/fe.c:488:20
    #2 0x5f51d560ba8f in read_ /home/cobot001/src/fe/src/fe.c:488:20
    #3 0x5f51d5611d55 in fe_read /home/cobot001/src/fe/src/fe.c:541:20
    #4 0x5f51d5611d55 in fe_readfp /home/cobot001/src/fe/src/fe.c:554:10
    #5 0x5f51d5611d55 in main /home/cobot001/src/fe/src/fe.c:871:17
    #6 0x7392be82a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7392be82a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #8 0x5f51d552c474 in _start (/home/cobot001/src/fe/fe_asan+0x2e474) (BuildId: b00c01becada2eac51acf1c9c6d235cca9ef45f5)

0x5f51d562d067 is located 57 bytes before global variable '.str.38' defined in '/home/cobot001/src/fe/src/fe.c:769' (0x5f51d562d0a0) of size 33
  '.str.38' is ascii string 'tried to call non-callable value'
0x5f51d562d067 is located 25 bytes before global variable '.str.36' defined in '/home/cobot001/src/fe/src/fe.c:526' (0x5f51d562d080) of size 16
  '.str.36' is ascii string 'symbol too long'
0x5f51d562d067 is located 0 bytes after global variable '.str.35' defined in '/home/cobot001/src/fe/src/fe.c:516' (0x5f51d562d060) of size 7
  '.str.35' is ascii string 'n t '
SUMMARY: AddressSanitizer: global-buffer-overflow /home/cobot001/src/fe/src/fe.c:516:43 in read_
Shadow bytes around the buggy address:
  0x5f51d562cd80: 03 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 03 f9 f9 f9
  0x5f51d562ce00: 00 06 f9 f9 00 00 04 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x5f51d562ce80: 05 f9 f9 f9 07 f9 f9 f9 07 f9 f9 f9 07 f9 f9 f9
  0x5f51d562cf00: 05 f9 f9 f9 06 f9 f9 f9 05 f9 f9 f9 06 f9 f9 f9
  0x5f51d562cf80: 04 f9 f9 f9 00 06 f9 f9 02 f9 f9 f9 00 02 f9 f9
=>0x5f51d562d000: 06 f9 f9 f9 00 00 f9 f9 04 f9 f9 f9[07]f9 f9 f9
  0x5f51d562d080: 00 00 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x5f51d562d100: 04 f9 f9 f9 02 f9 f9 f9 03 f9 f9 f9 03 f9 f9 f9
  0x5f51d562d180: 04 f9 f9 f9 06 f9 f9 f9 04 f9 f9 f9 03 f9 f9 f9
  0x5f51d562d200: 03 f9 f9 f9 05 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
  0x5f51d562d280: 07 f9 f9 f9 07 f9 f9 f9 05 f9 f9 f9 04 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3550135==ABORTING
```

</details>

Source: ⚠️ https://github.com/rxi/fe/issues/34
User: Oneafter (UID 92781)
Submission: 2026-03-02 04:14 (2 months ago)
Moderation: 2026-03-11 20:05 (10 days later)
Status: Accepted
VulDB entry: 350534 [rxi fe up to ed4cda96bd582cbb08520964ba627efb40f3dd91 src/fe.c read_ information disclosure]
Points: 20
