Crash Report: SEGV in `ReadAttributes` during DWARF Inline Processing

**Platform**: Ubuntu 22.04 
**Tested Commit**: [3f36edb](https://github.com/google/bloaty/commit/3f36edba803388e98de51647ca0a23e174dc316f)
**Target**: `fuzz_target` 
**POC Handling**: This POC was decoded from base64 format before running.  
**Summary**:  
AddressSanitizer reports a `SEGV` (READ memory access) at `bloaty::dwarf::DIEReader::ReadAttributes`.

**Relevant Stacktrace**:
```bash
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2538585==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x55ca2e7977c1 bp 0x7f706c6fc490 sp 0x7f706c6fc340 T5)
==2538585==The signal is caused by a READ memory access.
==2538585==Hint: address points to the zero page.
    #0 0x55ca2e7977c1 in void bloaty::dwarf::DIEReader::ReadAttributes<bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&)::$_0>(bloaty::dwarf::CU const&, bloaty::dwarf::AbbrevTable::Abbrev const*, bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&)::$_0&&) /bloaty/src/dwarf/debug_info.h
    #1 0x55ca2e7977c1 in bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&) /bloaty/src/dwarf/debug_info.cc:202:14
    #2 0x55ca2e796d6d in bloaty::dwarf::CU::ReadHeader(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, bloaty::dwarf::InfoReader::Section, bloaty::dwarf::InfoReader&) /bloaty/src/dwarf/debug_info.cc:185:3
    #3 0x55ca2e7960d7 in bloaty::dwarf::CUIter::NextCU(bloaty::dwarf::InfoReader&, bloaty::dwarf::CU*) /bloaty/src/dwarf/debug_info.cc:121:7
    #4 0x55ca2e787d1e in bloaty::ReadDWARFInlines(bloaty::dwarf::File const&, bloaty::RangeSink*, bool) /bloaty/src/dwarf.cc:730:13
    #5 0x55ca2e6bf977 in bloaty::(anonymous namespace)::ElfObjectFile::ProcessFile(std::vector<bloaty::RangeSink*, std::allocator<bloaty::RangeSink*>> const&) const /bloaty/src/elf.cc:1341:11
    #6 0x55ca2e65e3e0 in bloaty::Bloaty::ScanAndRollupFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bloaty::Rollup*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*) const /bloaty/src/bloaty.cc:1799:9
    #7 0x55ca2e694df5 in bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4::operator()(bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*) const /bloaty/src/bloaty.cc:1864:15
    #8 0x55ca2e694df5 in void std::__invoke_impl<void, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>(std::__invoke_other, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4&&, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
    #9 0x55ca2e694df5 in std::__invoke_result<bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>::type std::__invoke<bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>(bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4&&, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
    #10 0x55ca2e694df5 in void std::thread::_Invoker<std::tuple<bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>>::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_thread.h:259:13
    #11 0x55ca2e694df5 in std::thread::_Invoker<std::tuple<bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>>::operator()() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_thread.h:266:11
    #12 0x55ca2e694df5 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::$_4, bloaty::Bloaty::ScanAndRollupFiles(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>>>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_thread.h:211:13
    #13 0x7f706fb23252  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #14 0x7f706f795ac2 in start_thread nptl/pthread_create.c:442:8
    #15 0x7f706f82784f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /bloaty/src/dwarf/debug_info.h in void bloaty::dwarf::DIEReader::ReadAttributes<bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&)::$_0>(bloaty::dwarf::CU const&, bloaty::dwarf::AbbrevTable::Abbrev const*, bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&)::$_0&&)
Thread T5 created by T0 here:
    #0 0x55ca2e5da0ac in __interceptor_pthread_create (/bloaty/build-afl-asan/bloaty_fuzz_target+0x2270ac) (BuildId: 29bf71d7572876a43545bc310335f176655d625d)
    #1 0x7f706fb23328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x55ca2e6645f2 in bloaty::Bloaty::ScanAndRollup(bloaty::Options const&, bloaty::RollupOutput*) /bloaty/src/bloaty.cc:1907:3
    #3 0x55ca2e671376 in bloaty::BloatyDoMain(bloaty::Options const&, bloaty::InputFileFactory const&, bloaty::RollupOutput*) /bloaty/src/bloaty.cc:2323:12
    #4 0x55ca2e67208e in bloaty::BloatyMain(bloaty::Options const&, bloaty::InputFileFactory const&, bloaty::RollupOutput*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>*) /bloaty/src/bloaty.cc:2332:5
    #5 0x55ca2e62f8a8 in LLVMFuzzerTestOneInput /bloaty/tests/fuzz_target.cc:71:3
    #6 0x55ca2ef2791d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
  

==2538572==ABORTING
```


**Reproduction Steps**:
1. Decode the attached POC with:
    ```bash
    base64 -d crash_3.txt > crash_3
    ```
2. Run:
    ```bash
    ./fuzz_target crash_3

[crash_3.txt](https://github.com/user-attachments/files/19935795/crash_3.txt)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Crash Report: SEGV in `ReadAttributes` during DWARF Inline Processing #403

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Crash Report: SEGV in ReadAttributes during DWARF Inline Processing #403

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Crash Report: SEGV in `ReadAttributes` during DWARF Inline Processing #403