Bug 15646

Summary: [busybox 1.36.1] heap-buffer-overflow in bc
Product: Busybox
Reporter: Frank Busse <f.busse>
Component: Other
Assignee: unassigned
Status: NEW
Severity: normal
CC: busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:

Description Frank Busse 2023-06-21 14:00:27 UTC
Sending a _very_ specific string to bc results in a heap overflow:

$ printf 'con\x00ti\x00n\x00ue' | busybox-1.36.1/bin/busybox bc

==441==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000cb8 at pc 0x558e97256997 bp 0x7ffde2d76a10 sp 0x7ffde2d76a00
READ of size 8 at 0x611000000cb8 thread T0
    #0 0x558e97256996 in zbc_parse_break_or_continue miscutils/bc.c:4428
    #1 0x558e97256996 in zbc_parse_stmt_possibly_auto miscutils/bc.c:4717

0x611000000cb8 is located 8 bytes to the left of 256-byte region [0x611000000cc0,0x611000000dc0)
allocated by thread T0 here:
    #0 0x7f6629884867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x558e9731ec5d in xmalloc libbb/xfuncs_printf.c:50

SUMMARY: AddressSanitizer: heap-buffer-overflow miscutils/bc.c:4428 in zbc_parse_break_or_continue
Shadow bytes around the buggy address:

(found by KLEE)