Created attachment 12555 [details] crash test case Hello, I'm currently developing a new fuzzing feature, and I found a crash in size. I downloaded from git master, and I built it with Ubuntu 16.04 with gcc 5.4.0 with ASAN, and the following command to build size from the source: CFLAGS="-O1 -fsanitize=address -U_FORTIFY_SOURCE" ./configure; make clean all; You can reproduce the crash with the following command: ./size <attached file> The AddressSanitizer message of the crash is: ==10177==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000015bdc at pc 0x000000463778 bp 0x7ffc3541fd90 sp 0x7ffc3541fd80 WRITE of size 4 at 0x621000015bdc thread T0 #0 0x463777 in bfd_section_from_shdr (/home/cheong/results/crashes/size_crash/size.master_asan+0x463777) #1 0x4f8310 in bfd_elf32_object_p (/home/cheong/results/crashes/size_crash/size.master_asan+0x4f8310) #2 0x418a29 in bfd_check_format_matches (/home/cheong/results/crashes/size_crash/size.master_asan+0x418a29) #3 0x403989 in display_bfd (/home/cheong/results/crashes/size_crash/size.master_asan+0x403989) #4 0x403c11 in display_file (/home/cheong/results/crashes/size_crash/size.master_asan+0x403c11) #5 0x4040ed in main (/home/cheong/results/crashes/size_crash/size.master_asan+0x4040ed) #6 0x7f6a32ff982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x402bc8 in _start (/home/cheong/results/crashes/size_crash/size.master_asan+0x402bc8) 0x621000015bdc is located 1756 bytes inside of 4064-byte region [0x621000015500,0x6210000164e0) freed by thread T0 here: #0 0x7f6a3363f2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca) #1 0x5ae662 in objalloc_free_block (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae662) previously allocated by thread T0 here: #0 0x7f6a3363f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x5ae3d8 in _objalloc_alloc (/home/cheong/results/crashes/size_crash/size.master_asan+0x5ae3d8) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 bfd_section_from_shdr Shadow bytes around the buggy address: 0x0c427fffab20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffab30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffab40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffab50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffab60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c427fffab70: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd 0x0c427fffab80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffab90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffaba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffabb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c427fffabc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==10177==ABORTING
Hi Ahcheong, Thanks for reporting this bug. As it happens this is another duplicate of PR 26005, so no further fixes are needed. Cheers Nick *** This bug has been marked as a duplicate of bug 26005 ***