Wireshark-bugs: [Wireshark-bugs] [Bug 12085] Buildbot crash output: fuzz-2016-02-05-26837.pcap
Date: Fri, 05 Feb 2016 18:41:13 +0000
Comment #2 on bug 12085 from Stig Bjørlykke
=================================================================
==37749==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000105c3490b at pc 0x0001033eda32 bp 0x7fff5fbf4800 sp 0x7fff5fbf47f8
READ of size 1 at 0x000105c3490b thread T0
    #0 0x1033eda31 in dissect_wlan_radio packet-ieee80211-radio.c:776
    #1 0x104cb26f3 in call_dissector_through_handle packet.c:626
    #2 0x104ca9552 in call_dissector_work packet.c:701
    #3 0x104cafe7a in call_dissector_only packet.c:2674
    #4 0x104ca5f74 in call_dissector_with_data packet.c:2687
    #5 0x1033fbe1b in dissect_radiotap packet-ieee80211-radiotap.c:1804
    #6 0x104cb26f3 in call_dissector_through_handle packet.c:626
    #7 0x104ca9552 in call_dissector_work packet.c:701
    #8 0x104ca8f08 in dissector_try_uint_new packet.c:1160
    #9 0x1030da6b4 in dissect_frame packet-frame.c:493
    #10 0x104cb26f3 in call_dissector_through_handle packet.c:626
    #11 0x104ca9552 in call_dissector_work packet.c:701
    #12 0x104cafe7a in call_dissector_only packet.c:2674
    #13 0x104ca5f74 in call_dissector_with_data packet.c:2687
    #14 0x104ca58fa in dissect_record packet.c:509
    #15 0x104c29a68 in epan_dissect_run_with_taps epan.c:376
    #16 0x10004720e in add_packet_to_packet_list file.c:1110
    #17 0x10002a8f0 in read_packet file.c:1212
    #18 0x10002919c in cf_read file.c:638
    #19 0x10055fa48 in MainWindow::openCaptureFile(QString, QString, unsigned int) main_window_slots.cpp:245
    #20 0x100595a0f in MainWindow::openCaptureFile(QString, QString) main_window.h:239
    #21 0x10057a0b9 in MainWindow::on_actionFileOpen_triggered() main_window_slots.cpp:1641
    #22 0x100098017 in MainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) moc_main_window.cpp:1423
    #23 0x10009c63d in MainWindow::qt_metacall(QMetaObject::Call, int, void**) moc_main_window.cpp:1752
    #24 0x112ccc9ae in QMetaObject::activate(QObject*, int, int, void**) (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x2149ae)
    #25 0x111fca2df in QAction::activate(QAction::ActionEvent) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x282df)
    #26 0x1120b89ab in QAbstractButtonPrivate::click() (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x1169ab)
    #27 0x1120b9a8d in QAbstractButton::mouseReleaseEvent(QMouseEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x117a8d)
    #28 0x112183cbe in QToolButton::mouseReleaseEvent(QMouseEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x1e1cbe)
    #29 0x1120112de in QWidget::event(QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x6f2de)
    #30 0x1120b97de in QAbstractButton::event(QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x1177de)
    #31 0x112184272 in QToolButton::event(QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x1e2272)
    #32 0x111fd31fa in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x311fa)
    #33 0x111fd6892 in QApplication::notify(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x34892)
    #34 0x112c9c7b2 in QCoreApplication::notifyInternal(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x1e47b2)
    #35 0x111fd3b8a in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x31b8a)
    #36 0x112031758 in QWidgetWindow::handleMouseEvent(QMouseEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x8f758)
    #37 0x11203096e in QWidgetWindow::event(QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x8e96e)
    #38 0x111fd31fa in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x311fa)
    #39 0x111fd5b5d in QApplication::notify(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtWidgets.framework/Versions/5/QtWidgets+0x33b5d)
    #40 0x112c9c7b2 in QCoreApplication::notifyInternal(QObject*, QEvent*) (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x1e47b2)
    #41 0x112600d11 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/opt/local/libexec/qt5/lib/QtGui.framework/Versions/5/QtGui+0x23d11)
    #42 0x1125ed061 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/opt/local/libexec/qt5/lib/QtGui.framework/Versions/5/QtGui+0x10061)
    #43 0x11af30660 in QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) (/opt/local/libexec/qt5/plugins/platforms/libqcocoa.dylib+0x24660)
    #44 0x7fff8abbe5c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x7e5c0)
    #45 0x7fff8abb041b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x7041b)
    #46 0x7fff8abaf93e in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x6f93e)
    #47 0x7fff8abaf337 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x6f337)
    #48 0x7fff92f4c934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #49 0x7fff92f4c676 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30676)
    #50 0x7fff92f4c5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #51 0x7fff833690ed in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x8a0ed)
    #52 0x7fff83735942 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x456942)
    #53 0x7fff8335efc7 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7ffc7)
    #54 0x11af2f5ae in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/opt/local/libexec/qt5/plugins/platforms/libqcocoa.dylib+0x235ae)
    #55 0x112c99eab in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x1e1eab)
    #56 0x112c9cd54 in QCoreApplication::exec() (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x1e4d54)
    #57 0x1000571c2 in main wireshark-qt.cpp:1444
    #58 0x7fff890685ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #59 0x0 in 0x0 (/Users/stig/Development/wireshark-xcode/run/Debug/Wireshark.app/Contents/MacOS/Wireshark+0x0)

0x000105c3490b is located 21 bytes to the left of global variable '<string literal>' defined in '/Users/stig/Development/wireshark/epan/dissectors/packet-ieee80211-radio.c:243:5' (0x105c34920) of size 5
  '<string literal>' is ascii string 'BPSK'
0x000105c3490b is located 37 bytes to the right of global variable '<string literal>' defined in '/Users/stig/Development/wireshark/epan/dissectors/packet-ieee80211-radio.c:821:17' (0x105c348e0) of size 6
  '<string literal>' is ascii string '%d us'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0
Shadow bytes around the buggy address:
  0x100020b868d0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x100020b868e0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x100020b868f0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x100020b86900: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x100020b86910: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
=>0x100020b86920: f9[f9]f9 f9 05 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020b86930: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020b86940: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x100020b86950: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020b86960: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x100020b86970: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37749==ABORTING