OOB Read in left2right - 71467735
Hello graphviz team,
As part of our fuzzing efforts at Google, we have identified an issue affecting graphviz (tested with revision bd97cff6 on master).
To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
TL;DR instructions:
mkdir project
cp Dockerfile /path/to/project
docker build --no-cache /path/to/project
docker run -it image_id_from_docker_build
From another terminal, outside the container:
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
(reference: https://docs.docker.com/engine/reference/commandline/cp/)
And, back inside the container:
/fuzzing/repro.sh /fuzzing/reproducer
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:
bd97cff6
INFO: Seed: 2035254283
/fuzzing/graphviz/fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc
REPRO_START: master
==11==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001584e at pc 0x7fe0d5ef0be0 bp 0x7fff7edfd410 sp 0x7fff7edfd408
READ of size 1 at 0x60400001584e thread T0
    #0 0x7fe0d5ef0bdf in left2right /fuzzing/graphviz/lib/dotgen/mincross.c:558:7
    #1 0x7fe0d5ef3713 in transpose_step /fuzzing/graphviz/lib/dotgen/mincross.c:771:6
    #2 0x7fe0d5ee8258 in transpose /fuzzing/graphviz/lib/dotgen/mincross.c:819:12
    #3 0x7fe0d5ee73d5 in build_ranks /fuzzing/graphviz/lib/dotgen/mincross.c:1437:2
    #4 0x7fe0d5ee37b8 in mincross /fuzzing/graphviz/lib/dotgen/mincross.c:840:3
    #5 0x7fe0d5ee2faa in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:341:8
    #6 0x7fe0d5ee08d1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
    #7 0x7fe0d5edffe7 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
    #8 0x7fe0d5edfee9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
    #9 0x7fe0d68f2ac3 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
    #10 0x7fe0d6903c43 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
    #11 0x51d62b in LLVMFuzzerTestOneInput /fuzzing/graphviz/./fuzzer.cc:13:18
    #12 0x50f9cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/fuzzer+0x50f9cc)
    #13 0x50f18e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/graphviz/fuzzer+0x50f18e)
    #14 0x508fed in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/graphviz/fuzzer+0x508fed)
    #15 0x50a4bf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/fuzzer+0x50a4bf)
    #16 0x508e9c in main (/fuzzing/graphviz/fuzzer+0x508e9c)
    #17 0x7fe0d488f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #18 0x41e5a9 in _start (/fuzzing/graphviz/fuzzer+0x41e5a9)

0x60400001584e is located 2 bytes to the left of 40-byte region [0x604000015850,0x604000015878)
allocated by thread T0 here:
    #0 0x4ce2e0 in realloc (/fuzzing/graphviz/fuzzer+0x4ce2e0)
    #1 0x7fe0d6930ace in grealloc /fuzzing/graphviz/lib/common/memory.c:56:15
    #2 0x7fe0d5ed74bf in fast_edge /fuzzing/graphviz/lib/dotgen/fastgr.c:94:5
    #3 0x7fe0d5eca8b3 in make_chain /fuzzing/graphviz/lib/dotgen/class2.c:99:6
    #4 0x7fe0d5ec9984 in class2 /fuzzing/graphviz/lib/dotgen/class2.c:296:3
    #5 0x7fe0d5ee32e6 in init_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:1195:5
    #6 0x7fe0d5ee2f3b in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:337:5
    #7 0x7fe0d5ee08d1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
    #8 0x7fe0d5edffe7 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
    #9 0x7fe0d5edfee9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
    #10 0x7fe0d68f2ac3 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
    #11 0x7fe0d6903c43 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
    #12 0x51d62b in LLVMFuzzerTestOneInput /fuzzing/graphviz/./fuzzer.cc:13:18
    #13 0x50f9cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/fuzzer+0x50f9cc)
    #14 0x508e9c in main (/fuzzing/graphviz/fuzzer+0x508e9c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/mincross.c:558:7 in left2right
Shadow bytes around the buggy address:
  0x0c087fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffaad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fffaae0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 00
  0x0c087fffaaf0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x0c087fffab00: fa fa fd fd fd fd fd fa fa[fa]00 00 00 00 00 fa
  0x0c087fffab10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fffab20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffab30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffab40: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffab50: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team