crash report: illegal memory access when parsing invalid xterm color sequence

Kuang-che Wu kcwu at csie.org
Tue Sep 8 13:43:18 CEST 2015


$ rxvt -e sh -c "echo -e '\e]4;;[0\x9c'"
ASAN:SIGSEGV
=================================================================
==18168==ERROR: AddressSanitizer: SEGV on unknown address 0x601ffd07da10 (pc 0x7f7de1a8aaea bp 0x7ffffd0771b0 sp 0x7ffffd076948 T0)
    #0 0x7f7de1a8aae9  (/lib/x86_64-linux-gnu/libc.so.6+0x88ae9)
... (skip)


rxvt_color::set (rxvt_screen *screen, const char *name)
{
  rgba c;
  char eos;
  int skip;

  c.a = rgba::MAX_CC;

  // parse the nonstandard "[alphapercent]" prefix
  if (1 <= sscanf (name, "[%hd]%n", &c.a, &skip))
    {
      c.a = lerp<int, int, int> (0, rgba::MAX_CC, c.a);
      name += skip;
    }

The problem is that name="[0". sscanf() parsed |c.a| and returned 1, but didn't fill |skip|.
And |skip| is not initialized. Depending on its value, rxvt may crash later.

This was found by afl-fuzz.
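The partial-match behaviour described above, reproduced and then hardened, as an added example that is not rxvt's code and not part of the original report. MAX_CC stands in for rgba::MAX_CC (the real value is not shown here), lerp_percent is assumed to mirror what lerp<int,int,int>(0, MAX_CC, p) computes, SKIP_UNSET is a sentinel standing in for whatever stack garbage the uninitialized |skip| would hold, and the range clamp on the percentage is an added check the original does not perform.

```c
#include <stdio.h>

/* Assumed stand-in for rxvt's rgba::MAX_CC; the real value is not shown on this page. */
#define MAX_CC 65535

/* Sentinel standing in for whatever happened to be on the stack in the
 * original's uninitialized |skip|. */
#define SKIP_UNSET (-1)

struct alpha_parse {
    int rc;     /* what sscanf returned */
    int skip;   /* bytes the caller would advance |name| by */
    int alpha;  /* resulting alpha component */
};

/* Assumed to mirror rxvt's lerp<int,int,int>(0, MAX_CC, p): a + (b - a) * p / 100. */
static int lerp_percent(int a, int b, int p)
{
    return a + (b - a) * p / 100;
}

/* Same "[%hd]%n" pattern as the original. On "[0", %hd matches "0" so
 * sscanf returns 1, but the literal ']' then fails against the end of the
 * string, so %n is never reached and |skip| keeps its prior value. */
struct alpha_parse parse_alpha_prefix_buggy(const char *name)
{
    struct alpha_parse r = { 0, SKIP_UNSET, MAX_CC };
    short pct = 0;

    r.rc = sscanf(name, "[%hd]%n", &pct, &r.skip);
    if (r.rc >= 1)
        r.alpha = lerp_percent(0, MAX_CC, pct);   /* r.skip may still be SKIP_UNSET */
    return r;
}

/* Hardened: |skip| starts at 0 and the prefix is accepted only when %n was
 * reached (skip > 0), which implies the closing ']' actually matched. The
 * clamp of the percentage to [0,100] is an added check, not in the original. */
struct alpha_parse parse_alpha_prefix_safe(const char *name)
{
    struct alpha_parse r = { 0, 0, MAX_CC };
    short pct = 0;

    r.rc = sscanf(name, "[%hd]%n", &pct, &r.skip);
    if (r.rc >= 1 && r.skip > 0) {
        if (pct < 0) pct = 0;
        if (pct > 100) pct = 100;
        r.alpha = lerp_percent(0, MAX_CC, pct);
    } else {
        r.skip = 0;   /* no complete prefix: do not advance |name| at all */
    }
    return r;
}

int main(void)
{
    /* Constructed sample inputs: the fuzzer case, a valid prefix, no prefix, out-of-range. */
    const char *inputs[] = { "[0", "[50]#ff0000", "#ff0000", "[200]x" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct alpha_parse b = parse_alpha_prefix_buggy(inputs[i]);
        struct alpha_parse s = parse_alpha_prefix_safe(inputs[i]);
        printf("%-12s buggy: rc=%d skip=%d | safe: rc=%d skip=%d alpha=%d\n",
               inputs[i], b.rc, b.skip, s.rc, s.skip, s.alpha);
    }
    return 0;
}
```

The key point is that a return value of 1 from sscanf() only says that one conversion succeeded, not that the directives after it (the literal ']' and %n) were processed; checking that %n was reached, with |skip| pre-set to 0, is what turns the partial match into a rejected prefix instead of an arbitrary pointer advance.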

