- Subject: Re: Found heap-buffer-overflow with grammar-based fuzzer
- From: Roberto Ierusalimschy <roberto@...>
- Date: Wed, 15 Mar 2023 17:10:58 -0300
> > I am a researcher in software testing from the University of Stuttgart, Germany. We are testing grammar-based fuzzers and have chosen Lua as one of our fuzz targets for our experiments. We found 2 issues in Lua, but one of those seems to be already fixed in recent versions. Thus, here is the remaining issue we found, which still results in a crash in the current Lua version.
>
> Thanks for the report.
>
> I've been unable to reproduce this bug. Did you use any special value
> for the variable ASAN_OPTIONS? What compiler/version are you using?
Could you do the following change to lundump.c and run the example again?
@@ -248,6 +248,7 @@ static void loadDebug (LoadState *S, Proto *f) {
f->locvars[i].endpc = loadInt(S);
}
n = loadInt(S);
+printf("%d %d\n", n, f->sizeupvalues);
for (i = 0; i < n; i++)
f->upvalues[i].name = loadStringN(S, f);
}
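Review bot: in the loop right after the added printf, n comes straight from loadInt(S) and bounds the writes to f->upvalues[i].name, but nothing in this hunk compares it with f->sizeupvalues, which the printed pair treats as the expected count. If the two values differ with n the larger one, the loop stores past the entries the function prototype accounts for, so beyond printing, the loader should reject the chunk (or at least stop the loop) when n exceeds f->sizeupvalues. For the diagnostic itself, writing to stderr instead of stdout would keep the two numbers next to the sanitizer report in the same stream.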
(The two printed numbers should be equal...)
Many thanks,
-- Roberto