Crash in ESP parser when SCVR has no variable names
I'm still fuzzing esmtool, and found another crash:
jvoisin@grimhilde 8:59 ~/dev/openmw/openmw/build.afl gdb --args ./esmtool dump my_file
Reading symbols from ./esmtool...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using default (English) font encoding.
Loading file: finding_dirs/crashes/id:000000,sig:11,src:000000,op:arith8,pos:471,val:-14
Author:
Description:
File format version: 1.3
Masters:
Morrowind.esm, 79837557 bytes
Tribunal.esm, 4565686 bytes
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x7fffffffd628 --> 0x7fffffffd768 --> 0x0
RSI: 0xd ('\r')
RDI: 0x0
RBP: 0x5555559f1138 --> 0x5555559f1148 ("treboniusScript")
RSP: 0x7fffffffd5e8 --> 0x555555744509 (<ESM::Script::loadSCVR(ESM::ESMReader&)+2345>: test rax,rax)
RIP: 0x7ffff6cb5f23 (<__strchr_sse2+35>: movdqu xmm0,XMMWORD PTR [rdi])
R8 : 0xff
R9 : 0x0
R10: 0x5555559f1220 --> 0x7000000000000d8
R11: 0x5555559f1210 --> 0xaaaaaaaaaaaaaa00
R12: 0x0
R13: 0x7fffffffded0 --> 0x0
R14: 0x0
R15: 0x7fffffffd6f0 --> 0x0
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6cb5f14 <__strchr_sse2+20>: punpcklwd xmm1,xmm1
0x7ffff6cb5f18 <__strchr_sse2+24>: pshufd xmm1,xmm1,0x0
0x7ffff6cb5f1d <__strchr_sse2+29>: jg 0x7ffff6cb6080 <__strchr_sse2+384>
=> 0x7ffff6cb5f23 <__strchr_sse2+35>: movdqu xmm0,XMMWORD PTR [rdi]
0x7ffff6cb5f27 <__strchr_sse2+39>: pxor xmm3,xmm3
0x7ffff6cb5f2b <__strchr_sse2+43>: movdqa xmm4,xmm0
0x7ffff6cb5f2f <__strchr_sse2+47>: pcmpeqb xmm0,xmm1
0x7ffff6cb5f33 <__strchr_sse2+51>: pcmpeqb xmm4,xmm3
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd5e8 --> 0x555555744509 (<ESM::Script::loadSCVR(ESM::ESMReader&)+2345>: test rax,rax)
0008| 0x7fffffffd5f0 --> 0x0
0016| 0x7fffffffd5f8 --> 0x0
0024| 0x7fffffffd600 --> 0x7fffffffded0 --> 0x0
0032| 0x7fffffffd608 --> 0x7fffffffd628 --> 0x7fffffffd768 --> 0x0
0040| 0x7fffffffd610 --> 0x7ffff75be310 --> 0xd001200006b3c
0048| 0x7fffffffd618 --> 0x3f874e83
0056| 0x7fffffffd620 --> 0x7ffff7fccd88 --> 0x7ffff7ffe428 --> 0x7ffff7fcdfa8 --> 0x7ffff7ffe170 --> 0x555555554000 --> 0x10102464c457f
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
32 ../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.
gdb-peda$ bt
#0 __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1 0x0000555555744509 in strchr (__c=0xd, __s=0x0) at /usr/include/string.h:214
#2 ESM::Script::loadSCVR (this=this@entry=0x5555559f1138, esm=...) at /home/jvoisin/dev/openmw/openmw/components/esm/loadscpt.cpp:36
#3 0x000055555574798b in ESM::Script::load (this=0x5555559f1138, esm=..., isDeleted=@0x5555559f11c0: 0x0)
at /home/jvoisin/dev/openmw/openmw/components/esm/loadscpt.cpp:83
#4 0x0000555555588f3a in load (info=...) at /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:375
#5 0x0000555555580c40 in main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe2d8) at /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:221
#6 0x00007ffff6c26b97 in __libc_start_main (main=0x555555580b30 <main(int, char**)>, argc=0x3, argv=0x7fffffffe2d8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:310
#7 0x000055555558633a in _start ()
gdb-peda$
The crash is happening here, where strchr is trying to dereference a NULL pointer.
Edited by jvoisin
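The backtrace shows strchr(__s=0x0, __c='\r') reached from the SCVR string-table walk, i.e. the variable-name buffer was empty (no names to read) and a pointer into it was handed to a C string function that assumes a NUL-terminated buffer exists. The added example below is not OpenMW's code and not from the reporter; it is a hypothetical, length-bounded parser (function names parseVarNames and parseJoined, sample tables constructed for this illustration) that walks a NUL-separated, count-prefixed name list with memchr instead of strchr, so an empty or truncated table produces an error return rather than a read through a null pointer.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical, length-bounded replacement for a strchr()-based walk over a
// SCVR-style string table: `count` variable names, each terminated by NUL,
// optionally carrying a trailing '\r' (as some vanilla plugins do).
// Returns false instead of touching memory when the table is empty or ends
// before `count` names have been read; `out` is only valid when true is returned.
bool parseVarNames(const std::vector<char>& table, size_t count,
                   std::vector<std::string>& out)
{
    out.clear();
    // data() may legitimately be nullptr for an empty vector; strchr(nullptr, ...)
    // is exactly the dereference that crashes, so never hand it to a C string function.
    const char* cur = table.data();
    const char* end = cur + table.size();

    for (size_t i = 0; i < count; ++i) {
        if (cur == nullptr || cur == end)
            return false;  // table exhausted (covers the "no variable names" case)

        size_t remaining = static_cast<size_t>(end - cur);
        // memchr is bounded by `remaining`, unlike strchr which assumes a NUL exists.
        const char* nul = static_cast<const char*>(std::memchr(cur, '\0', remaining));
        const char* term = nul ? nul : end;  // unterminated last name: take the rest

        std::string name(cur, static_cast<size_t>(term - cur));
        // Tolerate '\r'-terminated names by stripping the trailing carriage return.
        while (!name.empty() && name.back() == '\r')
            name.pop_back();
        out.push_back(name);

        cur = nul ? nul + 1 : end;  // nul + 1 <= end, so the cursor never leaves the buffer
    }
    return true;
}

// Helper for demos: parse a raw byte buffer and join the names with '|',
// or return "<error>" when the parser refuses the input.
std::string parseJoined(const char* bytes, size_t len, size_t count)
{
    std::vector<char> table(bytes, bytes + len);
    std::vector<std::string> names;
    if (!parseVarNames(table, count, names))
        return "<error>";
    std::string joined;
    for (size_t i = 0; i < names.size(); ++i) {
        if (i) joined += '|';
        joined += names[i];
    }
    return joined;
}

int main()
{
    // Constructed sample tables (not taken from any real plugin file):
    std::cout << parseJoined("alpha\0beta\0gamma\0", 17, 3) << '\n';  // alpha|beta|gamma
    std::cout << parseJoined("alpha\r\0beta\0", 12, 2) << '\n';         // alpha|beta
    std::cout << parseJoined("", 0, 3) << '\n';                         // <error>: empty SCVR
    std::cout << parseJoined("alpha\0", 6, 2) << '\n';                  // <error>: table too short
    return 0;
}
```

The two checks that matter for this crash are the `cur == nullptr || cur == end` guard before any read and the use of memchr with an explicit remaining length; a count of zero names with an empty table is still accepted, since that is a legitimate script with no variables rather than a malformed record.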