Heap buffer overflow in sequence_index
There's a very mysterious heap overflow bug detected by AddressSanitizer that needs to be investigated.
#0 0x7fc2364a14ae in sequence_index ../src/mirbooking-sequence.c:398
#1 0x7fc2364a164d in mirbooking_sequence_get_subsequence_index ../src/mirbooking-sequence.c:442
#2 0x7fc23649c87a in _get_subsequence_score ../src/mirbooking-default-score-table.c:196
#3 0x7fc23649d7b2 in compute_score ../src/mirbooking-default-score-table.c:356
#4 0x7fc23649fa80 in mirbooking_score_table_compute_score ../src/mirbooking-score-table.c:118
#5 0x7fc23649e2ea in compute_positions ../src/mirbooking-default-score-table.c:463
#6 0x7fc23649f91b in mirbooking_score_table_compute_positions ../src/mirbooking-score-table.c:79
#7 0x403786 in test_score_table_compute_seed_scores ../tests/score-table-test.c:99
#8 0x7fc2363cc0ed (/lib64/libglib-2.0.so.0+0x7b0ed)
#9 0x7fc2363cbeea (/lib64/libglib-2.0.so.0+0x7aeea)
#10 0x7fc2363cc5d9 in g_test_run_suite (/lib64/libglib-2.0.so.0+0x7b5d9)
#11 0x7fc2363cc5f4 in g_test_run (/lib64/libglib-2.0.so.0+0x7b5f4)
#12 0x40b52c in main ../tests/score-table-test.c:574
#13 0x7fc23600e041 in __libc_start_main (/lib64/libc.so.6+0x27041)
#14 0x40229d in _start (/home/guillaume/Projets/mirbooking/build/tests/score-table-test+0x40229d)
0x60600000085f is located 1 bytes to the left of 60-byte region [0x606000000860,0x60600000089c)
allocated by thread T0 here:
#0 0x7fc23656b6b7 in __interceptor_malloc (/lib64/libasan.so.6+0xb06b7)
#1 0x7fc2363a9898 in g_malloc (/lib64/libglib-2.0.so.0+0x58898)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/mirbooking-sequence.c:398 in sequence_index
Shadow bytes around the buggy address:
0x0c0c7fff80b0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff80c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff80d0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff80e0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 04
0x0c0c7fff80f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff8100: 00 00 00 00 00 00 00 00 fa fa fa[fa]00 00 00 00
0x0c0c7fff8110: 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
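Reading the report: the faulting address 0x60600000085f is one byte before the start of the 60-byte heap region [0x606000000860,0x60600000089c) (0x89c - 0x860 = 0x3c = 60), and the bracketed shadow byte on the marked row is fa, a heap left redzone, immediately followed by the 00 bytes of the addressable region. So the access in sequence_index touches the byte just before the allocation: an underflow in front of the buffer, not a run past its end, which usually means a window offset that went negative or an off-by-one in the start position handed down from mirbooking_sequence_get_subsequence_index. The following is an added example, not mirbooking's code: it models a subsequence-to-index lookup over a 2-bit nucleotide alphabet (the encoding and all function names are assumptions), shows the bounds check that rejects such a window before any dereference, and reproduces the arithmetic behind ASan's "N bytes to the left of" line using the addresses from this report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one nucleotide as 2 bits (A=0, C=1, G=2, T/U=3); -1 for anything
 * else. Alphabet and encoding are assumptions made for this example. */
static int nt_code(char c)
{
    switch (c) {
    case 'A': case 'a': return 0;
    case 'C': case 'c': return 1;
    case 'G': case 'g': return 2;
    case 'T': case 't':
    case 'U': case 'u': return 3;
    default:            return -1;
    }
}

/* Pack the window seq[offset .. offset+len) into an integer index.
 * Trusts its arguments: with offset == -1 the first dereference is seq[-1],
 * the byte just before the allocation, which is the kind of access the
 * report above flags as "1 bytes to the left of" the region. Only the
 * checked wrapper below should call it. */
static long pack_window_unchecked(const char *seq, long offset, size_t len)
{
    long idx = 0;
    for (size_t i = 0; i < len; i++) {
        int c = nt_code(seq[offset + (long)i]);
        if (c < 0)
            return -1;          /* not a nucleotide */
        idx = (idx << 2) | (long)c;
    }
    return idx;
}

/* Bounds-checked lookup: the whole window must lie inside the seq_len bytes
 * the caller actually allocated. Returns -1 for a negative offset, a window
 * that starts or ends past the buffer, or a non-nucleotide byte. */
static long subsequence_index_checked(const char *seq, size_t seq_len,
                                      long offset, size_t len)
{
    if (offset < 0 || len > seq_len || (size_t)offset > seq_len - len)
        return -1;
    return pack_window_unchecked(seq, offset, len);
}

/* Where a reported address lies relative to an allocation, with the distance
 * ASan prints ("N bytes to the left/right of M-byte region"). */
enum where { INSIDE, LEFT_OF, RIGHT_OF };

static enum where locate(uint64_t addr, uint64_t base, uint64_t size,
                         uint64_t *dist)
{
    if (addr < base) {
        *dist = base - addr;            /* bytes before the first byte */
        return LEFT_OF;
    }
    if (addr >= base + size) {
        *dist = addr - (base + size);   /* bytes past the last byte */
        return RIGHT_OF;
    }
    *dist = addr - base;                /* offset inside the region */
    return INSIDE;
}

int main(void)
{
    /* Constructed 60-byte heap buffer, the size of the region in the report,
     * holding a made-up sequence (no terminator: the length travels with it). */
    size_t seq_len = 60;
    char *seq = malloc(seq_len);
    if (!seq)
        return 1;
    for (size_t i = 0; i < seq_len; i++)
        seq[i] = "ACGT"[i % 4];

    printf("window [0,7)   -> %ld\n", subsequence_index_checked(seq, seq_len, 0, 7));
    printf("window [-1,6)  -> %ld (rejected)\n", subsequence_index_checked(seq, seq_len, -1, 7));
    printf("window [54,61) -> %ld (rejected)\n", subsequence_index_checked(seq, seq_len, 54, 7));

    uint64_t d;
    enum where w = locate(0x60600000085fULL, 0x606000000860ULL, 60, &d);
    printf("0x60600000085f is %s the 60-byte region by %llu byte(s)\n",
           w == LEFT_OF ? "left of" : w == RIGHT_OF ? "right of" : "inside",
           (unsigned long long)d);
    free(seq);
    return 0;
}
```

Building this with `-fsanitize=address -g` and calling pack_window_unchecked directly with offset -1 on the heap buffer yields a report of the same shape as the one above (heap-buffer-overflow, "1 bytes to the left of 60-byte region"), which is a quick way to confirm that the fault in sequence_index is a start position before the buffer rather than a length past its end.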
Edited by Guillaume Poirier-Morency