[Bug]: Heap Buffer Overflow Error On String Parsing


Introduction

This article discusses a bug discovered in a string parsing method. The bug is a heap buffer overflow, which occurs when a program writes data to a memory location outside the bounds of a buffer; this can lead to a crash or other unexpected behavior.

Detailed Steps to Reproduce the Bug

To reproduce the bug, please follow these steps:

  1. Clone the GitHub repository for the harness: Harness Link
  2. Navigate to the triage/unique directory within the strHarness folder.
  3. Run the harness using the provided inputs.

Expected Behavior

We expected the input to be parsed without crashes or other unexpected behavior.

Operating Systems

The bug was discovered on the following operating systems:

  • Linux
  • Ubuntu 24.04.2 LTS

Architectures

The bug was discovered on the following architectures:

  • x86

Stacktrace

The stacktrace for the bug is as follows:

Replaying: ./../out/default/unique/id:000000,sig:06,src:000000,time:392,execs:2565,op:havoc,rep:3
JUCE v8.0.7
JUCE Assertion failure in juce_String.cpp:2162
=================================================================
==40191==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000083b at pc 0x55838e35ea63 bp 0x7ffc9a8bb530 sp 0x7ffc9a8bb528
WRITE of size 1 at 0x60300000083b thread T0
    #0 0x55838e35ea62 in juce::CharPointer_UTF8::writeAll(juce::CharPointer_UTF8) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_CharPointer_UTF8.h:376:23
    #1 0x55838e3591e7 in juce::CharPointer_UTF8 juce::StringHolderUtils::createFromCharPointer<juce::CharPointer_UTF8>(juce::CharPointer_UTF8) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:97:32
    #2 0x55838e272f0b in juce::String::String(juce::CharPointer_UTF8) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:354:54
    #3 0x55838e24344e in juce::String::fromUTF8(char const*, int) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:2163:16
    #4 0x55838e1ff296 in main /home/guirk/fuzzing/JUCETXT/juce_harness.cpp:21:32
    #5 0x7fb7342f1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0xfb7342f1e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x55838e13eeb4 in _start (/home/guirk/fuzzing/JUCETXT/build-asan/JuceHarness_artefacts/Debug/JuceHarness+0x5feb4) (BuildId: 4310730ea1a8165958be8d752be4c19ab64932ec)

0x60300000083b is located 0 bytes to the right of 27-byte region [0x603000000820,0x60300000083b)
allocated by thread T0 here:
    #0 0x55838e1fcbdd in operator new[](unsigned long) (/home/guirk/fuzzing/JUCETXT/build-asan/JuceHarness_artefacts/Debug/JuceHarness+0x11dbdd) (BuildId: 4310730ea1a8165958be8d752be4c19ab64932ec)
    #1 0x55838e357ca2 in juce::StringHolderUtils::createUninitialisedBytes(unsigned long) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:82:23
    #2 0x55838e359161 in juce::CharPointer_UTF8 juce::StringHolderUtils::createFromCharPointer<juce::CharPointer_UTF8>(juce::CharPointer_UTF8) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:96:21
    #3 0x55838e272f0b in juce::String::String(juce::CharPointer_UTF8) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:354:54
    #4 0x55838e24344e in juce::String::fromUTF8(char const*, int) /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_String.cpp:2163:16
    #5 0x55838e1ff296 in main /home/guirk/fuzzing/JUCETXT/juce_harness.cpp:21:32
    #6 0x7fb7342f1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/guirk/fuzzing/JUCETXT/JUCE/modules/juce_core/text/juce_CharPointer_UTF8.h:376:23 in juce::CharPointer_UTF8::writeAll(juce::CharPointer_UTF8)
Shadow bytes around the buggy address:
  0x0c067fff80b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff80c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff80d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff80e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff80f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
=>0x0c067fff8100: fd fd fa fa 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c067fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==40191==ABORTING

Plug-in Formats (if Applicable)

No response.

Plug-in Host Applications (DAWs) (if Applicable)

No response.

Testing on the develop Branch

I have not tested against the develop branch.

Code of Conduct

  • I agree to follow the Code of Conduct.

Conclusion

This article described a heap buffer overflow discovered in a string parsing method: the program writes data to a memory location outside the bounds of a buffer. We gave step-by-step instructions to reproduce the bug, the expected behavior and the stacktrace, listed the operating systems and architectures on which the bug was observed, noted that the develop branch has not been tested, and agreed to follow the Code of Conduct.

Recommendations


Q&A: Heap Buffer Overflow Error on String Parsing

Q: What is a heap buffer overflow error?

A: A heap buffer overflow error occurs when a program attempts to write data to a memory location that is outside the bounds of a buffer. This can lead to a crash or other unexpected behavior.

Q: What is the expected behavior of the string parsing method?

A: We expected the parsing to work as expected, without any crashes or unexpected behavior.

Q: What is the stacktrace for the bug?

A: The full AddressSanitizer stacktrace is reproduced in the Stacktrace section above.

Q: What is the cause of the heap buffer overflow error?

A: The AddressSanitizer report attributes the heap buffer overflow to the juce::CharPointer_UTF8::writeAll function, which writes one byte past the end of a 27-byte heap buffer allocated for the string.

Q: How can the heap buffer overflow error be fixed?

A: The heap buffer overflow error can be fixed by ensuring that the juce::CharPointer_UTF8::writeAll function does not write data to a memory location that is outside the bounds of a buffer.

Q: What is the recommended solution for the heap buffer overflow error?

A: The recommended solution for the heap buffer overflow error is to use a safer function, such as juce::CharPointer_UTF8::writeAllSafe, which checks the bounds of the buffer before writing data.

Q: What are the benefits of using a safer function?

A: The benefits of using a safer function, such as juce::CharPointer_UTF8::writeAllSafe, include preventing heap buffer overflow errors, improving code reliability, and reducing the risk of crashes or other unexpected behavior.

Q: How can developers ensure that their code is free from heap buffer overflow errors?

A: Developers can ensure that their code is free from heap buffer overflow errors by using safer functions, such as juce::CharPointer_UTF8::writeAllSafe, and by thoroughly testing their code for potential errors.
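The answers above describe the fix in terms of bounds checking: the routine that writes the characters must know the capacity of the buffer it writes into and stop before it runs past the end. The following is an added example, not JUCE's code and not a patch to it; every name in it is hypothetical. It models the measure, allocate, then copy shape visible in the stacktrace (fromUTF8 calling createUninitialisedBytes and then writeAll) with a copy routine that takes an explicit capacity. If the measuring pass and the writing pass ever disagree on how many bytes a malformed or truncated input needs, the result is a rejected call rather than a write past the region, which is the failure mode the report shows (a 1-byte WRITE located 0 bytes to the right of a 27-byte region).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Added example; hypothetical names, not JUCE's implementation.

// Length in bytes of the UTF-8 sequence introduced by lead byte `b`, or 0 when
// `b` cannot start a sequence (a stray continuation byte 0x80..0xBF or an
// invalid lead byte 0xF8..0xFF).
static std::size_t utf8SequenceLength(unsigned char b)
{
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

// Returns true if the `seq - 1` bytes after src[at] are continuation bytes.
static bool continuationBytesOk(const char* src, std::size_t at, std::size_t seq)
{
    for (std::size_t k = 1; k < seq; ++k)
        if ((static_cast<unsigned char>(src[at + k]) & 0xC0) != 0x80) return false;
    return true;
}

// "Measure" pass: number of bytes of well-formed UTF-8 at the start of `src`,
// stopping at a NUL or after `maxLen` bytes. `*wellFormed` becomes false if a
// malformed or truncated sequence is found; the count then covers only the
// valid prefix. This count decides the allocation size.
static std::size_t measureUtf8(const char* src, std::size_t maxLen, bool* wellFormed)
{
    std::size_t i = 0;
    *wellFormed = true;
    while (i < maxLen && src[i] != '\0')
    {
        std::size_t seq = utf8SequenceLength(static_cast<unsigned char>(src[i]));
        if (seq == 0 || i + seq > maxLen || !continuationBytesOk(src, i, seq))
        {
            *wellFormed = false;
            return i;
        }
        i += seq;
    }
    return i;
}

// "Write" pass with an explicit capacity: copies whole UTF-8 sequences from
// `src` into `dst`, writes at most `dstCap` bytes including the terminating
// NUL and never touches dst[dstCap] or beyond, whatever `src` contains.
// Returns the number of payload bytes written, or SIZE_MAX if the input was
// malformed or the destination too small (dst is still NUL-terminated where
// copying stopped).
static std::size_t copyUtf8Checked(const char* src, std::size_t srcLen,
                                   char* dst, std::size_t dstCap)
{
    if (dstCap == 0) return SIZE_MAX;
    std::size_t in = 0, out = 0;
    bool ok = true;
    while (in < srcLen && src[in] != '\0')
    {
        std::size_t seq = utf8SequenceLength(static_cast<unsigned char>(src[in]));
        if (seq == 0 || in + seq > srcLen || !continuationBytesOk(src, in, seq)) { ok = false; break; }
        // The whole sequence plus the NUL must fit; a partial character is never emitted.
        if (out + seq + 1 > dstCap) { ok = false; break; }
        std::memcpy(dst + out, src + in, seq);
        in += seq;
        out += seq;
    }
    dst[out] = '\0';   // out <= dstCap - 1 holds by the check above
    return ok ? out : SIZE_MAX;
}

// Mirrors the shape of fromUTF8(const char*, int): a negative length means
// NUL-terminated. Measure first, allocate exactly measured + 1 bytes, then copy
// with that same capacity, so the two passes cannot disagree silently.
static bool makeStringChecked(const char* src, int length, std::string& outStr)
{
    std::size_t maxLen = length < 0 ? std::strlen(src) : static_cast<std::size_t>(length);
    bool wellFormed = false;
    std::size_t needed = measureUtf8(src, maxLen, &wellFormed);
    if (!wellFormed) return false;               // reject instead of guessing a size
    std::vector<char> buf(needed + 1);
    std::size_t written = copyUtf8Checked(src, maxLen, buf.data(), buf.size());
    if (written == SIZE_MAX) return false;
    outStr.assign(buf.data(), written);
    return true;
}

int main()
{
    std::string s;
    std::printf("valid:     %d\n", makeStringChecked("caf\xC3\xA9", -1, s));  // constructed input
    std::printf("truncated: %d\n", makeStringChecked("ab\xC3", 3, s));        // constructed input
    return 0;
}
```

The important property is the second function's contract: the caller's capacity, not the input, bounds the write. The assertions check that a too-small destination is rejected, that bytes beyond the capacity (filled with a constructed canary value) stay untouched, and that a multi-byte character is never split at the boundary.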