[dev] [sbase] ed: global-buffer-overflow

[Frank Busse]

Hi,

another issue found by KLEE:

---
$ printf ",kz\n,,,," | ./ed
ERROR: AddressSanitizer: global-buffer-overflow
---


Best,

Frank

[Hiltjo Posthuma]

Hi Frank,

First of all thanks for the reports and the commands to reproduce them.

Can you provide a backtrace also or even a patch to address the issues? It
would help a lot.

Thanks,

--
Kind regards,
Hiltjo

[Carlos Torres]

On Sun, Oct 26, 2025 at 5:47 AM Hiltjo Posthuma <hiltjo@codemadnessorg> wrote:
>
> Can you provide a backtrace also or even a patch to address the issues? It
> would help a lot.
>

Hi Hiltjo, here is a bit of output from asan.


=================================================================
==1363848==ERROR: AddressSanitizer: global-buffer-overflow on address
0x561009b35344 at pc 0x561009b2dfe5 bp 0x7ffdbd5fce80 sp
0x7ffdbd5fce70
WRITE of size 4 at 0x561009b35344 thread T0
#0 0x561009b2dfe4 in docmd /home/cjt/src/sbase/ed.c:1402
#1 0x561009b2e699 in edit /home/cjt/src/sbase/ed.c:1597
#2 0x561009b2f196 in main /home/cjt/src/sbase/ed.c:1646
#3 0x7f6e2a227674 (/usr/lib/libc.so.6+0x27674) (BuildId:
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
#4 0x7f6e2a227728 in __libc_start_main
(/usr/lib/libc.so.6+0x27728) (BuildId:
4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
#5 0x561009b29484 in _start (/home/cjt/src/sbase/ed+0x5484)
(BuildId: 21b24860663d02dc86b8e303d561539b5e1c9b5d)

0x561009b35344 is located 0 bytes after global variable 'marks'
defined in 'ed.c:52:12' (0x561009b352e0) of size 100
0x561009b35344 is located 60 bytes before global variable 'nlines'
defined in 'ed.c:53:12' (0x561009b35380) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/cjt/src/sbase/ed.c:1402 in docmd
Shadow bytes around the buggy address:
0x561009b35080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x561009b35100: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x561009b35180: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9
0x561009b35200: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x561009b35280: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x561009b35300: 00 00 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9
0x561009b35380: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x561009b35400: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x561009b35480: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x561009b35500: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x561009b35580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1363848==ABORTING

--Carlos

[Roberto E. Vargas Caballero]

Hi,

On Sat, Nov 01, 2025 at 11:10:15PM -0400, Carlos Torres wrote:
> On Sun, Oct 26, 2025 at 5:47 AM Hiltjo Posthuma <hiltjo@codemadnessorg> wrote:
> >
> > Can you provide a backtrace also or even a patch to address the issues? It
> > would help a lot.
> >
>
> Hi Hiltjo, here is a bit of output from asan.

Thank you for the bug report! I think the last changes pushed to master
already fix this problem. Can you validate?

Regards,

[Carlos Torres]

On Mon, Nov 3, 2025 at 7:11 AM Roberto E. Vargas Caballero
<k0...@shike2.net> wrote:
>
> Thank you for the bug report! I think the last changes pushed to master
> already fix this problem. Can you validate?
>

fix confirmed :)