Re: [dev] [sbase] ed: global-buffer-overflow from Carlos Torres on 2025-11-02 (dev mail list archive)

From: Carlos Torres <vlaadbrain_AT_gmail.com>
Date: Sat, 1 Nov 2025 23:10:15 -0400

On Sun, Oct 26, 2025 at 5:47 AM Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
>
> Can you provide a backtrace also or even a patch to address the issues? It
> would help a lot.
>

Hi Hiltjo, here is a bit of output from asan.

=================================================================
==1363848==ERROR: AddressSanitizer: global-buffer-overflow on address
0x561009b35344 at pc 0x561009b2dfe5 bp 0x7ffdbd5fce80 sp
0x7ffdbd5fce70
WRITE of size 4 at 0x561009b35344 thread T0
    #0 0x561009b2dfe4 in docmd /home/cjt/src/sbase/ed.c:1402
    #1 0x561009b2e699 in edit /home/cjt/src/sbase/ed.c:1597
    #2 0x561009b2f196 in main /home/cjt/src/sbase/ed.c:1646
    #3 0x7f6e2a227674 (/usr/lib/libc.so.6+0x27674) (BuildId:
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #4 0x7f6e2a227728 in __libc_start_main
(/usr/lib/libc.so.6+0x27728) (BuildId:
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
    #5 0x561009b29484 in _start (/home/cjt/src/sbase/ed+0x5484)
(BuildId: 21b24860663d02dc86b8e303d561539b5e1c9b5d)

0x561009b35344 is located 0 bytes after global variable 'marks'
defined in 'ed.c:52:12' (0x561009b352e0) of size 100
0x561009b35344 is located 60 bytes before global variable 'nlines'
defined in 'ed.c:53:12' (0x561009b35380) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/cjt/src/sbase/ed.c:1402 in docmd
Shadow bytes around the buggy address:
  0x561009b35080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x561009b35100: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x561009b35180: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9
  0x561009b35200: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x561009b35280: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x561009b35300: 00 00 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9
  0x561009b35380: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x561009b35400: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x561009b35480: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x561009b35500: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x561009b35580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==1363848==ABORTING

--Carlos
Received on Sun Nov 02 2025 - 04:10:15 CET

This archive was generated by hypermail 2.3.0 : Sun Nov 02 2025 - 11:48:09 CET