
graph_remove_collapsed_columns heap-buffer-overflow #490

Closed
comicfans opened this issue Apr 3, 2016 · 1 comment

Comments

@comicfans

line 405

```c
for (i = row->size - 1; i > 0; i--) {
	....

	if (strcmp(row->columns[i - 1].id, graph->prev_row.columns[i - 1].id) != 0 || graph->prev_row.columns[i - 1].symbol.shift_left)
		row->columns[i] = row->columns[i + 1];   /* -----------------> i+1 may overflow row->size */
}
```

ASAN reports this when tig is running in the Linux kernel directory:

```
==14616==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000736300 at pc 0x46c729 bp 0x7fffffffd810 sp 0x7fffffffd800
READ of size 48 at 0x621000736300 thread T0
#0 0x46c728 in graph_remove_collapsed_columns src/graph-v2.c:434
#1 0x46c9e0 in graph_generate_next_row src/graph-v2.c:457
#2 0x46ec2a in graph_render_parents src/graph-v2.c:719
#3 0x462fea in main_read src/main.c:437
#4 0x43a0a0 in update_view src/view.c:550
#5 0x4350f3 in get_input src/display.c:581
#6 0x42bf78 in prompt_input src/prompt.c:49
#7 0x42cabc in read_prompt_incremental src/prompt.c:178
#8 0x4068a1 in read_key_combo src/tig.c:644
#9 0x406dce in main src/tig.c:707
#10 0x7ffff66c659f in __libc_start_main (/lib64/libc.so.6+0x2059f)
#11 0x403978 in _start (/root/.local/bin/tig+0x403978)

0x621000736300 is located 0 bytes to the right of 4608-byte region [0x621000735100,0x621000736300)
allocated by thread T0 here:
#0 0x7ffff6f56ab6 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x57ab6)
#1 0x40b8e9 in chunk_allocator src/util.c:370
#2 0x46a5db in realloc_graph_columns src/graph-v2.c:79
#3 0x46b372 in graph_insert_column src/graph-v2.c:274
#4 0x46b916 in graph_expand src/graph-v2.c:318
#5 0x46ec0d in graph_render_parents src/graph-v2.c:716
#6 0x462fea in main_read src/main.c:437
#7 0x43a0a0 in update_view src/view.c:550
#8 0x4350f3 in get_input src/display.c:581
#9 0x42bf78 in prompt_input src/prompt.c:49
#10 0x42cabc in read_prompt_incremental src/prompt.c:178
#11 0x4068a1 in read_key_combo src/tig.c:644
#12 0x406dce in main src/tig.c:707
#13 0x7ffff66c659f in __libc_start_main (/lib64/libc.so.6+0x2059f)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/graph-v2.c:434 graph_remove_collapsed_columns
Shadow bytes around the buggy address:
0x0c42800dec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800dec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800dec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800dec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800dec50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c42800dec60:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dec70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dec80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dec90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800deca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800decb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
```
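The report above is the classic shape of an off-by-one read: the loop starts at `i = row->size - 1`, so on its first iteration `i + 1 == row->size` and `row->columns[i + 1]` is the element just past the end of the `realloc`'d region ("0 bytes to the right of" the allocation, read size 48 = one column). The following is an added example, not tig's code: it reproduces the loop's shape on simplified stand-in structures (`struct col`, `struct row`, and the field names `id`, `shift_left`, `size` are assumptions for the example) and shows the hardened form, where every `columns[]` index passes a single bounds predicate and the copy is skipped, and counted, when the neighbour does not exist.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the row/column structures in the issue.
 * These are assumptions for this example, not tig's own definitions. */
struct col {
    char id[16];      /* commit id the column tracks */
    int  shift_left;  /* stands in for symbol.shift_left in the quoted loop */
};

struct row {
    struct col *columns;
    size_t      size;
};

/* Single bounds predicate; every index into columns[] goes through it. */
static int col_in_bounds(const struct row *r, size_t idx)
{
    return idx < r->size;
}

/* Hardened form of the loop quoted in the issue.  The quoted code copies
 * columns[i + 1] into columns[i] without checking that i + 1 exists; on the
 * first iteration i == size - 1, so i + 1 == size and the read runs off the
 * end of the allocation (the 48-byte READ ASAN reports).  Here the copy is
 * skipped when the neighbour is out of bounds, and the skip is counted so a
 * caller or test can observe that the guard fired. */
static size_t collapse_columns(struct row *cur, const struct row *prev)
{
    size_t guarded = 0;

    if (cur->size < 2)            /* nothing to collapse; also avoids size - 1 wrapping */
        return 0;

    for (size_t i = cur->size - 1; i > 0; i--) {
        if (!col_in_bounds(prev, i - 1))   /* previous row may be shorter */
            continue;

        if (strcmp(cur->columns[i - 1].id, prev->columns[i - 1].id) != 0
            || prev->columns[i - 1].shift_left) {
            if (!col_in_bounds(cur, i + 1)) {  /* the read the issue flags */
                guarded++;
                continue;
            }
            cur->columns[i] = cur->columns[i + 1];
        }
    }
    return guarded;
}

/* Build a row from constructed ids (zero-filled so id[] is always terminated). */
static struct row make_row(const char *const *ids, size_t n)
{
    struct row r = { calloc(n, sizeof(struct col)), n };
    if (!r.columns) {
        perror("calloc");
        exit(1);
    }
    for (size_t i = 0; i < n; i++)
        snprintf(r.columns[i].id, sizeof r.columns[i].id, "%s", ids[i]);
    return r;
}

/* Constructed scenario: current row a,b,c against previous row x,y.
 * Writes the resulting ids joined by ',' into out and returns how many
 * out-of-bounds copies the guard prevented. */
static size_t demo(char *out, size_t cap)
{
    static const char *const cur_ids[]  = { "a", "b", "c" };
    static const char *const prev_ids[] = { "x", "y" };
    struct row cur  = make_row(cur_ids, 3);
    struct row prev = make_row(prev_ids, 2);
    size_t guarded = collapse_columns(&cur, &prev);

    out[0] = '\0';
    for (size_t i = 0; i < cur.size; i++) {
        size_t len = strlen(out);
        snprintf(out + len, cap - len, "%s%s", i ? "," : "", cur.columns[i].id);
    }
    free(cur.columns);
    free(prev.columns);
    return guarded;
}

int main(void)
{
    char buf[64];
    size_t guarded = demo(buf, sizeof buf);
    printf("row after collapse: %s (guard fired %zu time(s))\n", buf, guarded);
    return 0;
}
```

In the constructed scenario the guard fires exactly once, at `i = 2` where `i + 1` equals `size`, and the legitimate shift at `i = 1` still happens (`b` is replaced by `c`). Building the same file with `cc -std=c11 -g -fsanitize=address` and removing the `col_in_bounds(cur, i + 1)` check reproduces the class of report quoted in the issue, which is the quickest way to confirm that a proposed fix actually closes the read rather than just moving it.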

@jonas
Owner

jonas commented Apr 19, 2016

Awesome, thanks. I didn't manage to get the nice stack trace you have, and to reduce space I added a test based on the git repo which also caused errors.
