
[C++] NULL pointer dereference bug #23917

@asfimport

Description


I was fuzzing Arrow, and libFuzzer (clang-11) found a bug in arrow-ipc-file-fuzz (from OSS-Fuzz):

 

```text
=================================================================
==116241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000ed5de9 bp 0x7fff640648b0 sp 0x7fff64064680 T0)
==116241==The signal is caused by a READ memory access.
==116241==Hint: address points to the zero page.
    #0 0xed5de9 in ReadScalar /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23
    #1 0xed5de9 in GetVTable /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2252:20
    #2 0xed5de9 in GetOptionalFieldOffset /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2259:19
    #3 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2273:25
    #4 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2279:39
    #5 0xed5de9 in fields /src/arrow/cpp/src/generated/Schema_generated.h:1880:12
    #6 0xed5de9 in arrow::ipc::internal::GetSchema(void const*, arrow::ipc::DictionaryMemo*, std::__1::shared_ptr<arrow::Schema>*) /src/arrow/cpp/src/arrow/ipc/metadata_internal.cc:1186:15
    #7 0x643b01 in ReadSchema /src/arrow/cpp/src/arrow/ipc/reader.cc:729:12
    #8 0x643b01 in arrow::ipc::RecordBatchFileReader::RecordBatchFileReaderImpl::Open(arrow::io::RandomAccessFile*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:741:12
    #9 0x6435ce in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, long, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:781:28
    #10 0x64182c in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:775:10
    #11 0x67f3a5 in arrow::ipc::internal::FuzzIpcFile(unsigned char const*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:1196:3
    #12 0x633a8d in LLVMFuzzerTestOneInput /src/arrow/cpp/src/arrow/ipc/file_fuzz.cc:25:17
    #13 0x53ba84 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:563:15
    #14 0x526ff2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:293:6
    #15 0x52c966 in fuzzer::FuzzerDriver(int*, char**, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:779:9
    #16 0x555e72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #17 0x7f98aac6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #18 0x501828 in _start (/home/daehee/fuzzcoin/master/aiohttp-libfuzzer/oss-fuzz/build/out/arrow/arrow-ipc-file-fuzz+0x501828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23 in ReadScalar
==116241==ABORTING
```

Environment: Ubuntu 16.04 x86_64
Reporter: daehee jang


Note: This issue was originally created as ARROW-7672. Please see the migration documentation for further details.
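Added example (not Arrow's or FlatBuffers' code): the trace shows `ReadScalar` inside `GetVTable` reading address 0 while `Schema::fields()` is resolved, i.e. a table pointer derived from the fuzzed file reached the vtable lookup without being validated. The C++ model below of the root-table and vtable lookup range-checks every offset before dereferencing it; the layout is modelled on the FlatBuffers format, and the buffers and names are constructed for this example.

```cpp
// Added example: a minimal model of the FlatBuffers root-table -> vtable lookup
// with the bounds checks a reader of untrusted bytes needs (not library code).
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

struct VTableInfo {
  uint16_t vtable_size;  // bytes, including the two uint16 header words
  uint16_t table_size;   // inline size of the table in bytes
};

// Read a little-endian scalar only if [pos, pos + sizeof(T)) lies inside buf.
template <typename T>
static std::optional<T> read_scalar(const std::vector<uint8_t>& buf, size_t pos) {
  if (pos > buf.size() || buf.size() - pos < sizeof(T)) return std::nullopt;
  T v;
  std::memcpy(&v, buf.data() + pos, sizeof(T));
  return v;
}
// Layout modelled on FlatBuffers: buf[0..4) = uoffset of the root table;
// table[0..4) = soffset with vtable = table - soffset;
// vtable[0..2) = vtable byte size, vtable[2..4) = inline table byte size.
// Every pointer is derived from attacker-controlled offsets, so each one is
// range-checked before it is dereferenced; a null or out-of-buffer table
// yields nullopt instead of the SEGV in the report above.
std::optional<VTableInfo> root_vtable_checked(const std::vector<uint8_t>& buf) {
  auto root = read_scalar<uint32_t>(buf, 0);
  if (!root || *root == 0 || *root >= buf.size()) return std::nullopt;
  auto soff = read_scalar<int32_t>(buf, *root);
  if (!soff) return std::nullopt;
  // 64-bit arithmetic so a hostile soffset cannot wrap the subtraction.
  int64_t vt = static_cast<int64_t>(*root) - static_cast<int64_t>(*soff);
  if (vt < 0 || static_cast<uint64_t>(vt) + 4 > buf.size()) return std::nullopt;
  auto vsize = read_scalar<uint16_t>(buf, static_cast<size_t>(vt));
  auto tsize = read_scalar<uint16_t>(buf, static_cast<size_t>(vt) + 2);
  if (!vsize || !tsize || *vsize < 4 || (*vsize & 1)) return std::nullopt;
  if (static_cast<uint64_t>(vt) + *vsize > buf.size()) return std::nullopt;
  if (static_cast<uint64_t>(*root) + *tsize > buf.size()) return std::nullopt;
  return VTableInfo{*vsize, *tsize};
}

// Constructed sample buffers (little-endian host assumed).
// Valid: vtable at 4 = {size 6, table size 8, field0 at +4}, 2 pad bytes,
// table at 12 with soffset 8 (12 - 8 = 4) followed by a 4-byte payload.
std::vector<uint8_t> make_valid_buf() {
  return {12, 0, 0, 0, 6, 0, 8, 0, 4, 0, 0, 0, 8, 0, 0, 0, 42, 0, 0, 0};
}
// Root offset 0: the table "pointer" is the buffer start itself (null-like).
std::vector<uint8_t> make_null_root_buf() { return {0, 0, 0, 0, 0, 0, 0, 0}; }
```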
