Hi hoterran,
Through some fuzzing I found a bad set statement that can cause a segfault in the application.
Source query (written out to file 3ad4c45f):

```
set a>= 1, b=2;
```

To reproduce:

```
format 3ad4c45f
```

Output:

```
1: error: Segmentation fault (core dumped)
```
_Backtrace from GDB_:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007ffff7a5f8f3 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1661
#1 0x00007ffff7a62e21 in buffered_vfprintf (s=s@entry=0x7ffff7dd41c0 <_IO_2_1_stderr_>, format=format@entry=0x45662a "bad set to @%s", args=args@entry=0x7fffffffd6d8) at vfprintf.c:2356
#2 0x00007ffff7a5dd9e in _IO_vfprintf_internal (s=s@entry=0x7ffff7dd41c0 <_IO_2_1_stderr_>, format=format@entry=0x45662a "bad set to @%s", ap=0x7fffffffd6d8) at vfprintf.c:1313
#3 0x00007ffff7b1e2dd in ___vfprintf_chk (fp=0x7ffff7dd41c0 <_IO_2_1_stderr_>, flag=flag@entry=1, format=format@entry=0x45662a "bad set to @%s", ap=ap@entry=0x7fffffffd6d8) at vfprintf_chk.c:33
#4 0x0000000000413f59 in vfprintf (__ap=0x7fffffffd6d8, __fmt=0x45662a "bad set to @%s", __stream=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:127
#5 yyerror (s=s@entry=0x45662a "bad set to @%s") at sql.y:2958
#6 0x000000000041f4ec in yyparse () at sql.y:1990
#7 0x0000000000401480 in main (ac=<optimized out>, av=<optimized out>) at format.c:899
#8 0x00007ffff7a35ec5 in __libc_start_main (main=0x4012c0 <main>, argc=2, argv=0x7fffffffe118, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe108) at libc-start.c:287
#9 0x000000000040439c in _start ()
```
System Details:

```
AMD64
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty
```

Found with the fuzzer American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/)
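The backtrace shows `yyerror` at sql.y:2958 handing its argument straight to `vfprintf` as a format, so the message `"bad set to @%s"` makes `vfprintf` fetch a string pointer from a `va_list` that contains no valid one and dereference it. The following is an added illustration of the safe pattern, not code from this project: it is a hypothetical error reporter that prints grammar messages as data and routes any real formatting through a compiler-checked entry point with a NULL guard.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reporter (not the project's yyerror). The crash in the
   backtrace comes from treating the message itself as a printf format;
   "bad set to @%s" then asks vfprintf for a char* that the va_list does
   not hold (or holds as NULL), and vfprintf dereferences garbage.      */

#define ERR_MAX 256
static char last_error[ERR_MAX];   /* last rendered message, for inspection */

/* Bison's plain yyerror contract: one string, printed as data.
   A '%' inside msg is emitted literally and never interpreted.         */
const char *yyerror_literal(const char *msg)
{
    snprintf(last_error, sizeof last_error, "%s", msg ? msg : "(null)");
    fprintf(stderr, "error: %s\n", last_error);
    return last_error;
}

/* Never let a NULL reach %s: glibc happens to print "(null)", but that is
   not portable and silently hides the missing value.                    */
static const char *safe_str(const char *s)
{
    return s ? s : "(missing)";
}

/* Formatted variant. The format attribute lets gcc/clang -Wformat reject
   any call whose argument list does not match the format, which is the
   mismatch that turns "bad set to @%s" into a SIGSEGV at runtime.       */
__attribute__((format(printf, 1, 2)))
const char *yyerror_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
    fprintf(stderr, "error: %s\n", last_error);
    return last_error;
}

int main(void)
{
    yyerror_literal("bad set to @%s");               /* the %s is printed literally */
    yyerror_fmt("bad set to @%s", safe_str(NULL));   /* bad set to @(missing) */
    yyerror_fmt("bad set to @%s", safe_str("a"));    /* bad set to @a */
    return 0;
}
```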