digitalmars.D.bugs - [Issue 22838] New: std.bitmanip.BitArray.count() reads beyond data
- d-bugmail puremagic.com Mar 02 2022 https://issues.dlang.org/show_bug.cgi?id=22838
https://issues.dlang.org/show_bug.cgi?id=22838

Issue ID: 22838
Summary: std.bitmanip.BitArray.count() reads beyond data when data size is integer size_t multiple
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P1
Component: phobos
Assignee: nobody puremagic.com
Reporter: johanengelen weka.io

Bug was found with AddressSanitizer. Report at the end.

The unittest that triggers the bug:

```d
@system @nogc unittest
{
    import std.bitmanip : BitArray;

    size_t[2] buffer;
    // the bit length is exactly two size_t words, so there is no partial tail word
    BitArray b = BitArray(buffer[], buffer.sizeof * 8);
    b[] = true;
    b[0 .. 1] = true;
    b.flip();
    b.flip(1);
    cast(void) b.count();
}
```

The bug happens on this line:

```d
size_t count() const @nogc pure nothrow
{
    if (_ptr)
    {
        size_t bitCount;
        foreach (i; 0 .. fullWords)
            bitCount += countBitsSet(_ptr[i]);
        // <---- BUG! When the length is a whole number of size_t words, fullWords
        // already equals the number of words allocated, so _ptr[fullWords] is read
        // one word past the end of the data.
        bitCount += countBitsSet(_ptr[fullWords] & endMask);
        return bitCount;
    }
    else
    {
        return 0;
    }
}
```

```
==60514==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016d251750 at pc 0x00010402fce0 bp 0x00016d251680 sp 0x00016d251678
READ of size 8 at 0x00016d251750 thread T0
    bitmanip.d:2762
    _D11test_runner7testAllFZ14__foreachbody2MFPS6object10ModuleInfoZi test_runner.d:65
    _D6object10ModuleInfo7opApplyFMDFPSQBhQBdZiZ9__lambda2MFyPSQCfQCbZi object.d:2476
    _D2rt5minfo17moduleinfos_applyFMDFyPS6object10ModuleInfoZiZ14__foreachbody2MFKSQCz19sections_elf_shared3DSOZi minfo.d:777
    sections_elf_shared.d:112
    _D2rt5minfo17moduleinfos_applyFMDFyPS6object10ModuleInfoZiZi minfo.d:770
    object.d:2475
    test_runner.d:63
    test_runner.d:33
    dmain2.d:487
    dmain2.d:461

Address 0x00016d251750 is located in stack of thread T0 at offset 48 in frame
    bitmanip.d:2753
  This frame has 2 object(s):
    [32, 48) '' <== Memory access at offset 48 overflows this variable
    [64, 80) ''
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow bitmanip.d:1450 in _D3std8bitmanip8BitArray5countMxFNaNbNiZm
Shadow bytes around the buggy address:
  0x00702da6a290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a2a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00702da6a2e0: 00 00 00 00 f1 f1 f1 f1 00 00[f2]f2 00 00 f3 f3
  0x00702da6a2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00702da6a330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60514==ABORTING
```
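As an added illustration (not code from the report or from Phobos), the same tail-word arithmetic written in C: `full_words`, `dim` and `end_mask` are assumed counterparts of BitArray's helpers, `tail_read_overflows` shows why a whole-word bit length puts the tail index outside the allocation, and `count_fixed` only reads the tail word when a partial word actually exists.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bits per storage word; BitArray keeps its bits in size_t words. */
#define WORD_BITS (sizeof(size_t) * 8)

/* Assumed C counterparts of BitArray's fullWords / dim / endMask helpers. */
size_t full_words(size_t len) { return len / WORD_BITS; }
size_t dim(size_t len)        { return (len + WORD_BITS - 1) / WORD_BITS; }
size_t end_mask(size_t len)
{
    size_t rem = len % WORD_BITS;
    return rem ? (((size_t)1 << rem) - 1) : 0;   /* 0 when no partial word */
}

/* The buggy count() always touches data[full_words(len)]; this reports whether
 * that index lies outside the dim(len) words actually allocated, which is the
 * case exactly when len is a whole multiple of WORD_BITS. */
bool tail_read_overflows(size_t len) { return full_words(len) >= dim(len); }

size_t count_bits_set(size_t w)
{
    size_t n = 0;
    for (; w; w &= w - 1) n++;   /* each iteration clears the lowest set bit */
    return n;
}

/* Hardened count: the tail word is read only when a partial word exists. */
size_t count_fixed(const size_t *data, size_t len)
{
    size_t n = 0, fw = full_words(len), em = end_mask(len);
    for (size_t i = 0; i < fw; i++) n += count_bits_set(data[i]);
    if (em) n += count_bits_set(data[fw] & em);
    return n;
}

int main(void)
{
    /* Constructed repro matching the report's unittest: two words, all bits
     * set, flipped (all clear), then bit 1 flipped back -> exactly one bit. */
    size_t buffer[2] = { (size_t)1 << 1, 0 };
    size_t len = sizeof buffer * 8;
    printf("tail read out of bounds for len=%zu: %d\n", len, tail_read_overflows(len));
    printf("count = %zu\n", count_fixed(buffer, len));
    return 0;
}
```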