Posted to issues@arrow.apache.org by "Antoine Pitrou (Jira)" <ji...@apache.org> on 2020/02/04 14:44:00 UTC

[jira] [Closed] (ARROW-7672) [C++] NULL pointer dereference bug

     [ https://issues.apache.org/jira/browse/ARROW-7672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Pitrou closed ARROW-7672.
---------------------------------
    Fix Version/s: 1.0.0
       Resolution: Fixed

Fixed by ARROW-7691. Thanks for reporting.

> [C++] NULL pointer dereference bug
> ----------------------------------
>
>                 Key: ARROW-7672
>                 URL: https://issues.apache.org/jira/browse/ARROW-7672
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: C++
>         Environment: Ubuntu 16.04 x86_64
>            Reporter: daehee jang
>            Priority: Minor
>             Fix For: 1.0.0
>
>         Attachments: 219d5b796fff328f1bc096e3421f33f7d2091204
>
>
> I was fuzzing arrow and libfuzzer (clang-11) found a bug in `arrow-ipc-file-fuzz` (from ossfuzz)
>  
> =================================================================
> ==116241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000ed5de9 bp 0x7fff640648b0 sp 0x7fff64064680 T0)
> ==116241==The signal is caused by a READ memory access.
> ==116241==Hint: address points to the zero page.
>     #0 0xed5de9 in ReadScalar<int> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23
>     #1 0xed5de9 in GetVTable /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2252:20
>     #2 0xed5de9 in GetOptionalFieldOffset /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2259:19
>     #3 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2273:25
>     #4 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2279:39
>     #5 0xed5de9 in fields /src/arrow/cpp/src/generated/Schema_generated.h:1880:12
>     #6 0xed5de9 in arrow::ipc::internal::GetSchema(void const*, arrow::ipc::DictionaryMemo*, std::__1::shared_ptr<arrow::Schema>*) /src/arrow/cpp/src/arrow/ipc/metadata_internal.cc:1186:15
>     #7 0x643b01 in ReadSchema /src/arrow/cpp/src/arrow/ipc/reader.cc:729:12
>     #8 0x643b01 in arrow::ipc::RecordBatchFileReader::RecordBatchFileReaderImpl::Open(arrow::io::RandomAccessFile*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:741:12
>     #9 0x6435ce in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, long, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:781:28
>     #10 0x64182c in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:775:10
>     #11 0x67f3a5 in arrow::ipc::internal::FuzzIpcFile(unsigned char const*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:1196:3
>     #12 0x633a8d in LLVMFuzzerTestOneInput /src/arrow/cpp/src/arrow/ipc/file_fuzz.cc:25:17
>     #13 0x53ba84 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:563:15
>     #14 0x526ff2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:293:6
>     #15 0x52c966 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:779:9
>     #16 0x555e72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
>     #17 0x7f98aac6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
>     #18 0x501828 in _start (/home/daehee/fuzzcoin/master/aiohttp-libfuzzer/oss-fuzz/build/out/arrow/arrow-ipc-file-fuzz+0x501828)
>  
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23 in ReadScalar<int>
> ==116241==ABORTING
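
Frames #0 through #5 of the trace above read at address 0 while evaluating `fields` on a Schema table, i.e. the table pointer obtained from the IPC message was null and the generated accessor dereferenced it anyway. The following is an added example, not Arrow's or flatbuffers' code and not the ARROW-7691 fix: it uses a constructed little-endian message layout (`schema_offset`, `body_length`, then a schema table holding `num_fields`) to show the unchecked accessor shape next to a reader that validates presence and bounds and returns a status instead of crashing, plus a libFuzzer entry point of the same shape as the one in the trace. All names in it (`ReadNumFields`, `GetSchemaUnchecked`, `MakeMessage`, `Status`) are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed message layout (little-endian uint32 words; not the Arrow IPC format):
//   word 0: schema_offset  byte offset of the schema table, 0 means "no schema"
//   word 1: body_length    unused here
//   at schema_offset:      word 0 = num_fields
enum class Status { OK, Invalid };

struct SchemaTable {
  uint32_t num_fields;
};

// Bounds-checked little-endian read; assumes a little-endian host.
static bool ReadU32(const std::vector<uint8_t>& buf, size_t pos, uint32_t* out) {
  if (pos > buf.size() || buf.size() - pos < sizeof(uint32_t)) return false;
  std::memcpy(out, buf.data() + pos, sizeof(uint32_t));
  return true;
}

// Accessor in the style of generated flatbuffers code: an absent optional table
// comes back as nullptr. Calling ->num_fields on that result is the failure
// mode in the trace above (a read at address 0), so callers must check it.
static const SchemaTable* GetSchemaUnchecked(const std::vector<uint8_t>& buf) {
  uint32_t off = 0;
  if (!ReadU32(buf, 0, &off) || off == 0) return nullptr;
  return reinterpret_cast<const SchemaTable*>(buf.data() + off);
}

// Hardened reader: every condition that would make the table pointer null or
// point outside the buffer is reported as Invalid instead of being dereferenced.
static Status ReadNumFields(const std::vector<uint8_t>& buf, uint32_t* num_fields) {
  uint32_t off = 0;
  if (!ReadU32(buf, 0, &off)) return Status::Invalid;          // header truncated
  if (off == 0) return Status::Invalid;                          // schema absent (the null case)
  if (off % sizeof(uint32_t) != 0) return Status::Invalid;       // misaligned table
  if (!ReadU32(buf, off, num_fields)) return Status::Invalid;    // table past end of buffer
  return Status::OK;
}

// libFuzzer entry point with the same signature as the one in the trace.
// Under a sanitizer build, any input that reaches an unchecked dereference
// aborts here; the hardened reader lets such inputs return normally.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<uint8_t> buf(data, data + size);
  uint32_t n = 0;
  (void)ReadNumFields(buf, &n);
  return 0;
}

// Builds a 12-byte constructed message: header (2 words) then the schema table.
static std::vector<uint8_t> MakeMessage(uint32_t schema_offset, uint32_t num_fields) {
  std::vector<uint8_t> buf(12, 0);
  std::memcpy(buf.data(), &schema_offset, sizeof(uint32_t));
  std::memcpy(buf.data() + 8, &num_fields, sizeof(uint32_t));
  return buf;
}

int main() {
  uint32_t n = 0;
  Status ok = ReadNumFields(MakeMessage(8, 3), &n);      // well-formed: OK, n == 3
  Status absent = ReadNumFields(MakeMessage(0, 3), &n);  // schema missing: Invalid
  Status past = ReadNumFields(MakeMessage(64, 3), &n);   // offset past end: Invalid
  return (ok == Status::OK && n == 3 && absent == Status::Invalid &&
          past == Status::Invalid) ? 0 : 1;
}
```

Built with `-fsanitize=fuzzer,address`, the block runs as a libFuzzer target; built normally, `main` exercises the three input shapes. The design point is the one the trace makes: a null check belongs in the reader that hands the table to callers, not in each of the generated accessors, because those accessors assume a valid `this`.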



--
This message was sent by Atlassian Jira
(v8.3.4#803005)