fls crashes with double free or corruption on corrupt image.

To reproduce:

    $ unzip doublefree.zip
    Archive:  doublefree.zip
      inflating: doublefree.img
    $ fls doublefree.img
    *** Error in `fls': double free or corruption (out): 0x00000000007c0c50 ***

This bug was found using [american fuzzy lop](http://lcamtuf.coredump.cx/afl/) and input files ultimately from [files.fuzzing-project.org](https://files.fuzzing-project.org/filesystems/).

Backtrace:

```
Program received signal SIGABRT, Aborted.
0x00007ffff70f6c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff70f6c37 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff70fa028 in __GI_abort () at abort.c:89
#2  0x00007ffff71332a4 in __libc_message (do_abort=do_abort@entry=1, 
    fmt=fmt@entry=0x7ffff7245310 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff713f82e in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff7245440 "double free or corruption (out)", action=1)
    at malloc.c:4998
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0)
    at malloc.c:3842
#5  0x000000000051b92b in ext2fs_dinode_copy (ext2fs=ext2fs@entry=0x7bccf0, 
    fs_meta=0x7bfda0, inum=inum@entry=2, dino_buf=dino_buf@entry=0x7bff20)
    at ext2fs.c:802
#6  0x000000000051ca1e in ext2fs_inode_lookup (fs=0x7bccf0, 
    a_fs_file=0x7bcc80, inum=2) at ext2fs.c:911
#7  0x000000000042547d in tsk_fs_file_open_meta (a_fs=a_fs@entry=0x7bccf0, 
    a_fs_file=a_fs_file@entry=0x0, a_addr=a_addr@entry=2) at fs_file.c:128
#8  0x0000000000529e55 in ext2fs_dir_open_meta (a_fs=0x7bccf0, 
    a_fs_dir=0x7fffffffc470, a_addr=2) at ext2fs_dent.c:310
#9  0x000000000041c9a0 in tsk_fs_dir_open_meta (a_fs=<optimized out>, 
    a_addr=<optimized out>) at fs_dir.c:290
#10 0x000000000041ce01 in tsk_fs_dir_walk_lcl (a_fs=a_fs@entry=0x7bccf0, 
    a_dinfo=a_dinfo@entry=0x7fffffffc550, a_addr=a_addr@entry=2, 
    a_flags=a_flags@entry=(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC), a_action=a_action@entry=0x416a50 <print_dent_act>, 
    a_ptr=a_ptr@entry=0x7fffffffd9c0) at fs_dir.c:556
#11 0x000000000041f7a9 in tsk_fs_dir_walk (a_fs=0x7bccf0, a_addr=2, 
    a_flags=<optimized out>, a_action=0x416a50 <print_dent_act>, 
    a_ptr=0x7fffffffd9c0) at fs_dir.c:817
#12 0x0000000000421889 in tsk_fs_dir_walk (a_fs=<optimized out>, 
    a_addr=<optimized out>, a_flags=<optimized out>, 
    a_action=a_action@entry=0x416a50 <print_dent_act>, 
    a_ptr=a_ptr@entry=0x7fffffffd9c0) at fs_dir.c:841
#13 0x000000000041883e in tsk_fs_fls (fs=<optimized out>, 
    lclflags=<optimized out>, inode=<optimized out>, flags=<optimized out>, 
    tpre=<optimized out>, skew=<optimized out>) at fls_lib.c:262
#14 0x00000000004096ff in main (argc=<optimized out>, argv1=<optimized out>)
    at fls.cpp:308
```

Input: [doublefree.zip](https://github.com/sleuthkit/sleuthkit/files/1249997/doublefree.zip)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fls crashes with double free or corruption on corrupt image. #905

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

fls crashes with double free or corruption on corrupt image. #905

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions