
Segmentation fault with R in graph view #13653

Closed
tonybounty opened this issue Apr 7, 2019 · 13 comments

Comments

@tonybounty

Work environment

OS/arch/bits (mandatory): Ubuntu x86 64
File format of the file you reverse (mandatory): any
Architecture/bits of the file (mandatory): any
r2 -v full output, not truncated (mandatory): radare2 3.5.0-git 21446 @ linux-x86-64 git.3.4.1-26-g0096dbfdb commit: 0096dbf build: 2019-04-06__16:17:44

Actual behavior

segmentation fault

Steps to reproduce the behavior

$ r2 yourbinary
> aaa
> s main
> VV

Then, in graph view, press and hold SHIFT+R (randomize colors) for a while.

@radare
Collaborator

radare commented Apr 8, 2019 via email

@radare
Collaborator

radare commented Apr 8, 2019

Do you have r2 from git and r2 from Ubuntu installed at the same time? Maybe paste the output of r2 -V? Or a backtrace, or build it with ASan and paste the crashlog?

@tonybounty
Author

> Can't reproduce. Can you provide a backtrace?


I can't reproduce this crash on my second machine. I tried with xterm, gnome-terminal and Tilix, in combination with the bash and fish shells. Same result: it crashes with a segfault.

Program received signal SIGSEGV, Segmentation fault.
tcache_get (tc_idx=1) at malloc.c:2927
2927	malloc.c: No such file or directory.
(gdb) backtrace
#0  tcache_get (tc_idx=1) at malloc.c:2927
#1  __GI___libc_malloc (bytes=40) at malloc.c:3034
#2  0x00007fc1a504ca3c in reserve_kv (ht=0x55c615985ca0, key=0x55c61597bac0, key_len=10, update=false) at ht_inc.c:204
#3  0x00007fc1a504cad8 in ht_pp_insert_kv (ht=0x55c615985ca0, kv=0x55c6159e6e70, update=false) at ht_inc.c:216
#4  0x00007fc1a504c782 in internal_ht_grow (ht=0x55c615b446f0) at ht_inc.c:171
#5  0x00007fc1a504c93c in check_growing (ht=0x55c615b446f0) at ht_inc.c:185
#6  0x00007fc1a504cb11 in ht_pp_insert_kv (ht=0x55c615b446f0, kv=0x55c615936af0, update=true) at ht_inc.c:222
#7  0x00007fc1a504d525 in sdb_ht_insert_kvp (ht=0x55c615b446f0, kvp=0x55c615936af0, update=true) at sdbht.c:46
#8  0x00007fc1a5056df2 in sdb_set_internal (s=0x55c615b86120, key=0x7fc1a50b64a0 <Key.4429+768> "rgb:8787ff", val=0x7fc1a51578ff "1", owned=0, cas=0) at sdb.c:623
#9  0x00007fc1a5056ea3 in sdb_set (s=0x55c615b86120, key=0x7fc1a50b64a0 <Key.4429+768> "rgb:8787ff", val=0x7fc1a51578ff "1", cas=0) at sdb.c:637
#10 0x00007fc1a515126f in cons_pal_update_event (ctx=0x7fc1a515d040 <r_cons_context_default>) at pal.c:600
#11 0x00007fc1a515137e in r_cons_pal_update_event () at pal.c:616
#12 0x00007fc1a4387930 in cmd_eval (data=0x7fc1a53a2080 <r>, input=0x55c615b6e641 "c ai.exec rgb:6d6") at cmd_eval.c:492
#13 0x00007fc1a444311b in r_cmd_call (cmd=0x55c6155f4760, input=0x55c615b6e640 "ec ai.exec rgb:6d6") at cmd_api.c:246
#14 0x00007fc1a43f2454 in r_core_cmd_subst_i (core=0x7fc1a53a2080 <r>, cmd=0x55c615b6e640 "ec ai.exec rgb:6d6", colon=0x0, tmpseek=0x7ffd65f93012) at cmd.c:3040
#15 0x00007fc1a43eecd8 in r_core_cmd_subst (core=0x7fc1a53a2080 <r>, cmd=0x55c615b6e640 "ec ai.exec rgb:6d6") at cmd.c:2026
#16 0x00007fc1a43f4b73 in r_core_cmd (core=0x7fc1a53a2080 <r>, cstr=0x55c615bcea70 "ec ai.exec rgb:6d6", log=0) at cmd.c:3774
#17 0x00007fc1a43f4d98 in r_core_cmd_lines (core=0x7fc1a53a2080 <r>, 
    lines=0x55c615ba3e60 "ec ai.exec rgb:6d6\nec ai.read rgb:66d\nec ai.write rgb:d66\nec args rgb:2bc\nec b0x00 rgb:878585", ' ' <repeats 13 times>, "# 00 bytes\nec b0x7f rgb:fff\nec b0xff rgb:abb0b6", ' ' <repeats 13 times>, "# ff bytes\nec bin rgb:4F1900 0 bol"...) at cmd.c:3827
#18 0x00007fc1a43f4ef7 in r_core_cmd_file (core=0x7fc1a53a2080 <r>, file=0x55c615905630 "/home/tony/bin/prefix/radare2/share/radare2/3.5.0-git/cons/white2") at cmd.c:3864
#19 0x00007fc1a4386307 in load_theme (core=0x7fc1a53a2080 <r>, path=0x55c615905630 "/home/tony/bin/prefix/radare2/share/radare2/3.5.0-git/cons/white2") at cmd_eval.c:78
#20 0x00007fc1a4386561 in cmd_load_theme (core=0x7fc1a53a2080 <r>, _arg=0x55c615b5cc64 "white2") at cmd_eval.c:134
#21 0x00007fc1a4387108 in cmd_eval (data=0x7fc1a53a2080 <r>, input=0x55c615b5cc61 "co white2") at cmd_eval.c:363
#22 0x00007fc1a444311b in r_cmd_call (cmd=0x55c6155f4760, input=0x55c615b5cc60 "eco white2") at cmd_api.c:246
#23 0x00007fc1a43f2454 in r_core_cmd_subst_i (core=0x7fc1a53a2080 <r>, cmd=0x55c615b5cc60 "eco white2", colon=0x0, tmpseek=0x7ffd65f93772) at cmd.c:3040
#24 0x00007fc1a43eecd8 in r_core_cmd_subst (core=0x7fc1a53a2080 <r>, cmd=0x55c615b5cc60 "eco white2") at cmd.c:2026
#25 0x00007fc1a43f4b73 in r_core_cmd (core=0x7fc1a53a2080 <r>, cstr=0x7ffd65f93880 "eco white2", log=0) at cmd.c:3774
#26 0x00007fc1a43f527b in r_core_cmdf (core=0x7fc1a53a2080 <r>, fmt=0x7fc1a44b4d46 "eco %s") at cmd.c:3933
#27 0x00007fc1a4386bca in nextpal (core=0x7fc1a53a2080 <r>, mode=110) at cmd_eval.c:273
#28 0x00007fc1a4387403 in cmd_eval (data=0x7fc1a53a2080 <r>, input=0x55c61596acd1 "cn") at cmd_eval.c:416
#29 0x00007fc1a444311b in r_cmd_call (cmd=0x55c6155f4760, input=0x55c61596acd0 "ecn") at cmd_api.c:246
#30 0x00007fc1a43f2454 in r_core_cmd_subst_i (core=0x7fc1a53a2080 <r>, cmd=0x55c61596acd0 "ecn", colon=0x0, tmpseek=0x7ffd65f94f42) at cmd.c:3040
#31 0x00007fc1a43eecd8 in r_core_cmd_subst (core=0x7fc1a53a2080 <r>, cmd=0x55c61596acd0 "ecn") at cmd.c:2026
#32 0x00007fc1a43f4b73 in r_core_cmd (core=0x7fc1a53a2080 <r>, cstr=0x7fc1a44dfc81 "ecn", log=0) at cmd.c:3774
#33 0x00007fc1a43f52c8 in r_core_cmd0 (core=0x7fc1a53a2080 <r>, cmd=0x7fc1a44dfc81 "ecn") at cmd.c:3939
#34 0x00007fc1a44280d9 in r_core_visual_graph (core=0x7fc1a53a2080 <r>, g=0x55c61598f860, _fcn=0x0, is_interactive=1) at graph.c:4397
#35 0x00007fc1a4411535 in r_core_visual_cmd (core=0x7fc1a53a2080 <r>, arg=0x55c6159dbd71 "V") at visual.c:2703
#36 0x00007fc1a4415807 in r_core_visual (core=0x7fc1a53a2080 <r>, input=0x55c6159dbd71 "V") at visual.c:3891
#37 0x00007fc1a43ed359 in cmd_visual (data=0x7fc1a53a2080 <r>, input=0x55c6159dbd71 "V") at cmd.c:1397
#38 0x00007fc1a444311b in r_cmd_call (cmd=0x55c6155f4760, input=0x55c6159dbd70 "VV") at cmd_api.c:246
#39 0x00007fc1a43f2454 in r_core_cmd_subst_i (core=0x7fc1a53a2080 <r>, cmd=0x55c6159dbd70 "VV", colon=0x0, tmpseek=0x7ffd65f96a02) at cmd.c:3040
#40 0x00007fc1a43eecd8 in r_core_cmd_subst (core=0x7fc1a53a2080 <r>, cmd=0x55c6159dbd70 "VV") at cmd.c:2026
#41 0x00007fc1a43f4b73 in r_core_cmd (core=0x7fc1a53a2080 <r>, cstr=0x55c61592b640 "VV", log=1) at cmd.c:3774
#42 0x00007fc1a434ec6e in r_core_prompt_exec (r=0x7fc1a53a2080 <r>) at core.c:3001
#43 0x00007fc1a5392875 in r_main_radare2 (argc=2, argv=0x7ffd65f96eb8) at radare2.c:1443
#44 0x000055c613bec155 in main (argc=2, argv=0x7ffd65f96eb8) at radare2.c:48

@radare
Collaborator

radare commented Apr 8, 2019 via email

@tonybounty
Author

> Do you have r2 from git and r2 from Ubuntu installed at the same time? Maybe paste the output of r2 -V? Or a backtrace, or build it with ASan and paste the crashlog?

I use only the git version; the Ubuntu version was never installed. If the BT is insufficient, I will compile with ASan.

radare2 3.5.0-git 21446 @ linux-x86-64 git.3.4.1-26-g0096dbfdb commit: 0096dbf build: 2019-04-06__16:17:44

$ r2 -V
3.4.1-26-g0096dbfdb  r2
3.4.1-26-g0096dbfdb  r_anal
3.4.1-26-g0096dbfdb  r_lib
3.4.1-26-g0096dbfdb  r_egg
3.4.1-26-g0096dbfdb  r_asm
3.4.1-26-g0096dbfdb  r_bin
3.4.1-26-g0096dbfdb  r_cons
3.4.1-26-g0096dbfdb  r_flag
3.4.1-26-g0096dbfdb  r_core
3.4.1-26-g0096dbfdb  r_crypto
3.4.1-26-g0096dbfdb  r_bp
3.4.1-26-g0096dbfdb  r_debug
3.4.1-26-g0096dbfdb  r_hash
3.4.1-26-g0096dbfdb  r_fs
3.4.1-26-g0096dbfdb  r_io
3.4.1-26-g0096dbfdb  r_magic
3.4.1-26-g0096dbfdb  r_parse
3.4.1-26-g0096dbfdb  r_reg
3.4.1-26-g0096dbfdb  r_sign
3.4.1-26-g0096dbfdb  r_search
3.4.1-26-g0096dbfdb  r_syscall
3.4.1-26-g0096dbfdb  r_util

@tonybounty tonybounty reopened this Apr 8, 2019
@tonybounty
Author

> So in theory just doing “eco white2” should be enough to reproduce the crash. Build it with ASan and paste the crashlog. That should be enough to make me understand the reason for the crash.


"eco white2" works without a crash.

[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.

Rendering graph...
=================================================================
==31358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000b3c660 at pc 0x7f41fdde050c bp 0x7ffcd5cd2a60 sp 0x7ffcd5cd2a50
WRITE of size 1 at 0x607000b3c660 thread T0
    #0 0x7f41fdde050b in printCol /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:2283
    #1 0x7f41fdde14bb in ds_print_lines_left /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:2327
    #2 0x7f41fddce7cb in ds_pre_xrefs /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:1449
    #3 0x7f41fddd7b9e in ds_show_comments_right /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:1883
    #4 0x7f41fde0fadf in r_core_print_disasm /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:4832
    #5 0x7f41fdb728c1 in cmd_print /home/tony/Downloads/git/radare2-asan/libr/core/cmd_print.c:5149
    #6 0x7f41fdd44c87 in r_cmd_call /home/tony/Downloads/git/radare2-asan/libr/core/cmd_api.c:246
    #7 0x7f41fdbecd96 in r_core_cmd_subst_i /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2999
    #8 0x7f41fdbe0205 in r_core_cmd_subst /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2026
    #9 0x7f41fdbf7d87 in r_core_cmd /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3774
    #10 0x7f41fdbf9c00 in r_core_cmd_str /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:4024
    #11 0x7f41fdbf9b4d in r_core_cmd_strf /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:4014
    #12 0x7f41fdcb9095 in get_body /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2078
    #13 0x7f41fdcb9be1 in get_bb_body /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2106
    #14 0x7f41fdcbb2d7 in get_bbupdate /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2165
    #15 0x7f41fdce4eed in r_core_visual_graph /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:4403
    #16 0x7f41fdc6d794 in r_core_visual_cmd /home/tony/Downloads/git/radare2-asan/libr/core/visual.c:2703
    #17 0x7f41fdc820b9 in r_core_visual /home/tony/Downloads/git/radare2-asan/libr/core/visual.c:3891
    #18 0x7f41fdbda35f in cmd_visual /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:1397
    #19 0x7f41fdd44c87 in r_cmd_call /home/tony/Downloads/git/radare2-asan/libr/core/cmd_api.c:246
    #20 0x7f41fdbedc46 in r_core_cmd_subst_i /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3040
    #21 0x7f41fdbe0205 in r_core_cmd_subst /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2026
    #22 0x7f41fdbf7d87 in r_core_cmd /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3774
    #23 0x7f41fd96de1a in r_core_prompt_exec /home/tony/Downloads/git/radare2-asan/libr/core/core.c:3001
    #24 0x7f420555593f in r_main_radare2 /home/tony/Downloads/git/radare2-asan/libr/main/radare2.c:1444
    #25 0x5644d5a38174 in main /home/tony/Downloads/git/radare2-asan/binr/radare2/radare2.c:48
    #26 0x7f42047e009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #27 0x5644d5a38099 in _start (/home/tony/Downloads/git/radare2-asan/binr/radare2/radare2+0x1099)

0x607000b3c660 is located 8 bytes to the right of 72-byte region [0x607000b3c610,0x607000b3c658)
allocated by thread T0 here:
    #0 0x7f4205729f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
    #1 0x7f41fdddff0a in printCol /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:2260
    #2 0x7f41fdde14bb in ds_print_lines_left /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:2327
    #3 0x7f41fddce7cb in ds_pre_xrefs /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:1449
    #4 0x7f41fddd7b9e in ds_show_comments_right /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:1883
    #5 0x7f41fde0fadf in r_core_print_disasm /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:4832
    #6 0x7f41fdb728c1 in cmd_print /home/tony/Downloads/git/radare2-asan/libr/core/cmd_print.c:5149
    #7 0x7f41fdd44c87 in r_cmd_call /home/tony/Downloads/git/radare2-asan/libr/core/cmd_api.c:246
    #8 0x7f41fdbecd96 in r_core_cmd_subst_i /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2999
    #9 0x7f41fdbe0205 in r_core_cmd_subst /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2026
    #10 0x7f41fdbf7d87 in r_core_cmd /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3774
    #11 0x7f41fdbf9c00 in r_core_cmd_str /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:4024
    #12 0x7f41fdbf9b4d in r_core_cmd_strf /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:4014
    #13 0x7f41fdcb9095 in get_body /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2078
    #14 0x7f41fdcb9be1 in get_bb_body /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2106
    #15 0x7f41fdcbb2d7 in get_bbupdate /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:2165
    #16 0x7f41fdce4eed in r_core_visual_graph /home/tony/Downloads/git/radare2-asan/libr/core/graph.c:4403
    #17 0x7f41fdc6d794 in r_core_visual_cmd /home/tony/Downloads/git/radare2-asan/libr/core/visual.c:2703
    #18 0x7f41fdc820b9 in r_core_visual /home/tony/Downloads/git/radare2-asan/libr/core/visual.c:3891
    #19 0x7f41fdbda35f in cmd_visual /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:1397
    #20 0x7f41fdd44c87 in r_cmd_call /home/tony/Downloads/git/radare2-asan/libr/core/cmd_api.c:246
    #21 0x7f41fdbedc46 in r_core_cmd_subst_i /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3040
    #22 0x7f41fdbe0205 in r_core_cmd_subst /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:2026
    #23 0x7f41fdbf7d87 in r_core_cmd /home/tony/Downloads/git/radare2-asan/libr/core/cmd.c:3774
    #24 0x7f41fd96de1a in r_core_prompt_exec /home/tony/Downloads/git/radare2-asan/libr/core/core.c:3001
    #25 0x7f420555593f in r_main_radare2 /home/tony/Downloads/git/radare2-asan/libr/main/radare2.c:1444
    #26 0x5644d5a38174 in main /home/tony/Downloads/git/radare2-asan/binr/radare2/radare2.c:48
    #27 0x7f42047e009a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tony/Downloads/git/radare2-asan/libr/core/disasm.c:2283 in printCol
Shadow bytes around the buggy address:
  0x0c0e8015f870: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e8015f880: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e8015f890: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e8015f8a0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e8015f8b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
=>0x0c0e8015f8c0: fa fa 00 00 00 00 00 00 00 00 00 fa[fa]fa fa fa
  0x0c0e8015f8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e8015f8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e8015f8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e8015f900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e8015f910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31358==ABORTING
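An added example, not code from radare2, that models the defect class behind the ASan report above (a heap buffer memset to spaces and never NUL-terminated before strlen/strcpy/strcat touch it) next to a bounded version of the same column-padding routine; `pad_column_unsafe`, `pad_column`, `append_if_room` and `column_ok` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not radare2 code. Both routines build the same output:
 * a leading space, the text padded (or cut) to `cols` bytes, a trailing
 * space. The first mirrors the bug pattern; the second bounds every write. */

/* UNSAFE: the shape of the reported bug. memset() leaves no NUL anywhere in
 * the buffer, strcpy() is unbounded, and the index of the space written
 * afterwards depends on strlen() of an unterminated buffer, which can run
 * past the allocation exactly as the 1-byte write in the ASan report did.
 * Deliberately never called below; kept only for contrast. */
char *pad_column_unsafe(const char *sect, size_t cols) {
    size_t outsz = cols + 2;
    char *out = malloc(outsz);
    if (!out) {
        return NULL;
    }
    memset(out, ' ', outsz);          /* no terminator in the whole buffer */
    strcpy(out + 1, sect);            /* overflows when strlen(sect) > cols */
    out[strlen(out)] = ' ';           /* strlen() may read off the end */
    out[cols + 1] = '\0';             /* terminator placed by arithmetic only */
    return out;
}

/* SAFE: same format, every write inside outsz. Terminate first, then copy
 * at most `cols` bytes; the memset padding fills whatever is left. */
char *pad_column(const char *sect, size_t cols) {
    size_t outsz = cols + 3;          /* ' ' + cols bytes + ' ' + NUL */
    char *out = malloc(outsz);
    if (!out) {
        return NULL;
    }
    memset(out, ' ', outsz - 1);
    out[outsz - 1] = '\0';            /* terminator before any str* call */
    size_t n = strlen(sect);
    if (n > cols) {
        n = cols;                     /* truncate instead of overflowing */
    }
    memcpy(out + 1, sect, n);         /* bytes after n keep their ' ' padding */
    return out;
}

/* Append `suffix` only if it fits, including the NUL; returns 0 otherwise.
 * This is the room check a bare strcat(out, " ") does not perform when
 * `out` may already be full. */
int append_if_room(char *out, size_t outsz, const char *suffix) {
    size_t len = strlen(out);
    size_t add = strlen(suffix);
    if (len + add + 1 > outsz) {
        return 0;
    }
    memcpy(out + len, suffix, add + 1);
    return 1;
}

/* Invariant a caller (or a test) can check: exactly cols+2 visible bytes,
 * a space at both ends, terminator inside the buffer. */
int column_ok(const char *out, size_t cols) {
    return out && strlen(out) == cols + 2 && out[0] == ' ' && out[cols + 1] == ' ';
}
```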

@radare
Collaborator

radare commented Apr 8, 2019

can you try if this patch fixes the issue?

Screenshot 2019-04-08 at 22 38 11

@radare radare added this to the 3.5.0 milestone Apr 8, 2019
@tonybounty
Author

> can you try if this patch fixes the issue?
>
> Screenshot 2019-04-08 at 22 38 11

It seems like it works! 👍

@radare
Collaborator

radare commented Apr 8, 2019

Can you try this patch?

$ git diff
diff --git a/libr/core/disasm.c b/libr/core/disasm.c
index 5d19a1379..3316720be 100644
--- a/libr/core/disasm.c
+++ b/libr/core/disasm.c
@@ -2262,6 +2262,7 @@ static void printCol(RDisasmState *ds, char *sect, int cols, const char *color)
                return;
        }
        memset (out, ' ', outsz);
+       out[outsz-1] = 0;
        int sect_len = strlen (sect);

        if (sect_len > cols) {
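Review bot: the added `out[outsz-1] = 0;` gives the memset-filled buffer the terminator it never had, but from that point `strlen (out)` equals `outsz-1`, so any `strcat (out, ...)` reached before something shortens the string writes past the allocation; the `sect_len > cols` branch, whose middle lies outside this hunk, ends in `strcat (out, Color_RESET);`. Worth confirming that branch rewrites `out` from the start, or else terminating right after the copy rather than right after the memset. The ASan report's 1-byte write 8 bytes past a 72-byte region is consistent with `strlen` of the unterminated buffer running off the end in the old code.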
@@ -2276,11 +2277,10 @@ static void printCol(RDisasmState *ds, char *sect, int cols, const char *color)
                strcat (out, Color_RESET);
                out[outsz-1] = 0;
        } else {
-               strcpy (out + 1, sect);
+               r_str_ncpy (out + 1, sect, outsz - 2);
                post = 0;
        }
-       out[strlen (out)] = ' ';
-       out[cols + post] = 0;
+       strcat (out, " ");
        r_cons_strcat (out);
        free (out);
 }
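Review bot: `strcat (out, " ");` can still overflow by one. In the `sect_len > cols` branch `out[outsz-1] = 0;` leaves up to `outsz-1` characters in the string, and strcat then writes the space at `out[outsz-1]` and its NUL at `out[outsz]`. Either guard it with `if (strlen (out) + 2 <= outsz)` or size `outsz` with room for the trailing space. `r_str_ncpy (out + 1, sect, outsz - 2)` is the right replacement for the unbounded strcpy and, assuming it copies at most n-1 bytes and terminates as strlcpy does, leaves `out[outsz-2]` free for the space in the else branch. Removing `out[cols + post] = 0;` also drops the final truncation to `cols + post` columns, so an overlong `sect` now prints wider than before, and if `post` was only read there it is now a dead store (the `post = 0;` in the else branch stays).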

@radare radare self-assigned this Apr 8, 2019
@radare
Collaborator

radare commented Apr 9, 2019

please confirm the fix with this patch

@tonybounty
Author

Sorry, I didn't see that you had responded.

With the patch, I can't reproduce the segfault.

@radare
Collaborator

radare commented Apr 9, 2019 via email

@tonybounty
Author

Yep 👍, with the last patch I held SHIFT+R for more than a minute in graph view without a crash.
