heap-use-after-free bug found in sdfdump #1764
Comments
|
Filed as internal issue #USD-7198 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Description of Issue
heap-use-after-free
Steps to Reproduce
./sdfdump [poc]
3580.usdz.zip
System Information (OS, Hardware)
ubuntu 18.04
The corresponding ASAN log information is as follows:
==7994==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000f150 at pc 0x7fa52fc63912 bp 0x7ffd831ddd10 sp 0x7ffd831ddd00
READ of size 1 at 0x61900000f150 thread T0
#0 0x7fa52fc63911 in pxrInternal_v0_21__pxrReserved__::SdfSchemaBase::GetSpecDefinition(pxrInternal_v0_21__pxrReserved__::SdfSpecType) const /home/hill/USD/USD-release/pxr/usd/sdf/schema.h:228
#1 0x7fa530199396 in pxrInternal_v0_21__pxrReserved__::SdfSchemaBase::CheckAndGetSpecDefinition(pxrInternal_v0_21__pxrReserved_::SdfSpecType) const /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:1104
#2 0x7fa530199848 in pxrInternal_v0_21__pxrReserved__::SdfSchemaBase::GetRequiredFields(pxrInternal_v0_21__pxrReserved__::SdfSpecType) const /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:1146
#3 0x7fa52ff640e0 in pxrInternal_v0_21__pxrReserved__::SdfLayer::ListFields(pxrInternal_v0_21__pxrReserved_::SdfSchemaBase const&, pxrInternal_v0_21__pxrReserved__::SdfAbstractData const&, pxrInternal_v0_21__pxrReserved__::SdfPath const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:3379
#4 0x7fa52ff63f6a in pxrInternal_v0_21__pxrReserved__::SdfLayer::ListFields(pxrInternal_v0_21__pxrReserved__::SdfPath const&) const /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:3359
#5 0x7fa52ff6bad0 in pxrInternal_v0_21__pxrReserved__::SdfLayer::Traverse(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4422
#6 0x7fa52ff82e8d in void pxrInternal_v0_21__pxrReserved__::SdfLayer::TraverseChildren<pxrInternal_v0_21__pxrReserved_::Sdf_PropertyChildPolicy>(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4415
#7 0x7fa52ff6bbbb in pxrInternal_v0_21__pxrReserved__::SdfLayer::Traverse(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4427
#8 0x7fa52ff829b3 in void pxrInternal_v0_21__pxrReserved__::SdfLayer::TraverseChildren<pxrInternal_v0_21__pxrReserved_::Sdf_PrimChildPolicy>(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4415
#9 0x7fa52ff6bb68 in pxrInternal_v0_21__pxrReserved__::SdfLayer::Traverse(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4425
#10 0x7fa52ff829b3 in void pxrInternal_v0_21__pxrReserved__::SdfLayer::TraverseChildren<pxrInternal_v0_21__pxrReserved_::Sdf_PrimChildPolicy>(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4415
#11 0x7fa52ff6bb68 in pxrInternal_v0_21__pxrReserved__::SdfLayer::Traverse(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4425
#12 0x7fa52ff829b3 in void pxrInternal_v0_21__pxrReserved__::SdfLayer::TraverseChildren<pxrInternal_v0_21__pxrReserved_::Sdf_PrimChildPolicy>(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4415
#13 0x7fa52ff6bb68 in pxrInternal_v0_21__pxrReserved__::SdfLayer::Traverse(pxrInternal_v0_21__pxrReserved__::SdfPath const&, std::function<void (pxrInternal_v0_21__pxrReserved__::SdfPath const&)> const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:4425
#14 0x55d54f81238f in CollectPaths /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:183
#15 0x55d54f8147c4 in GetReportByPath /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:284
#16 0x55d54f818649 in Report /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:413
#17 0x55d54f81aeed in main /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:527
#18 0x7fa52c9f3bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#19 0x55d54f80fd99 in _start (/home/hill/usd_asan_debug/bin/sdfdump+0x30d99)
0x61900000f150 is located 208 bytes inside of 1024-byte region [0x61900000f080,0x61900000f480)
freed by thread T0 here:
#0 0x7fa53099c2c0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12c0)
#1 0x7fa52fe237cb in gnu_cxx::new_allocator<pxrInternal_v0_21__pxrReserved::SdfValueTypeName>::deallocate(pxrInternal_v0_21__pxrReserved__::SdfValueTypeName*, unsigned long) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xadd7cb)
#2 0x7fa52fe209e3 in std::allocator_traits<std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::deallocate(std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName>&, pxrInternal_v0_21__pxrReserved__::SdfValueTypeName*, unsigned long) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xada9e3)
#3 0x7fa52fe1e69b in std::Vector_base<pxrInternal_v0_21__pxrReserved_::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::M_deallocate(pxrInternal_v0_21__pxrReserved_::SdfValueTypeName*, unsigned long) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xad869b)
#4 0x7fa52fe1f4dd in void std::vector<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::M_realloc_insert<pxrInternal_v0_21__pxrReserved_::SdfValueTypeName>(gnu_cxx::normal_iterator<pxrInternal_v0_21__pxrReserved::SdfValueTypeName*, std::vector<pxrInternal_v0_21__pxrReserved::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> > >, pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xad94dd)
#5 0x7fa52fe1cc32 in void std::vector<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::emplace_back<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName>(pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xad6c32)
#6 0x7fa52fe1b637 in std::vector<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::push_back(pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) /usr/include/c++/7/bits/stl_vector.h:954
#7 0x7fa52fe15b3b in AddType /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:383
#8 0x7fa52fe1462c in AddType /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:253
#9 0x7fa52fe189f3 in pxrInternal_v0_21__pxrReserved_::Sdf_ValueTypeRegistry::AddType(pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::VtValue const&, pxrInternal_v0_21__pxrReserved__::VtValue const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&, pxrInternal_v0_21__pxrReserved::TfEnum, pxrInternal_v0_21__pxrReserved::TfToken const&, pxrInternal_v0_21__pxrReserved__::SdfTupleDimensions const&) /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:604
#10 0x7fa52fe185e6 in pxrInternal_v0_21__pxrReserved__::Sdf_ValueTypeRegistry::AddType(pxrInternal_v0_21__pxrReserved__::Sdf_ValueTypeRegistry::Type const&) /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:579
#11 0x7fa5301903bf in AddLegacyTypesToRegistry /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:532
#12 0x7fa530192f77 in pxrInternal_v0_21__pxrReserved_::SdfSchemaBase::RegisterLegacyTypes() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:679
#13 0x7fa530192b8c in pxrInternal_v0_21__pxrReserved_::SdfSchemaBase::SdfSchemaBase() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:654
#14 0x7fa5301a0ad1 in pxrInternal_v0_21__pxrReserved__::SdfSchema::SdfSchema() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:1781
#15 0x7fa5301abdfb in pxrInternal_v0_21__pxrReserved__::TfSingleton<pxrInternal_v0_21__pxrReserved__::SdfSchema>::CreateInstance() /home/hill/USD/USD-release/pxr/base/tf/instantiateSingleton.h:71
#16 0x7fa52fc649f4 in pxrInternal_v0_21__pxrReserved_::TfSingleton<pxrInternal_v0_21__pxrReserved__::SdfSchema>::GetInstance() /home/hill/USD/USD-release/pxr/base/tf/singleton.h:142
#17 0x7fa52fc63969 in pxrInternal_v0_21__pxrReserved__::SdfSchema::GetInstance() /home/hill/USD/USD-release/pxr/usd/sdf/schema.h:558
#18 0x7fa52ff364f5 in pxrInternal_v0_21__pxrReserved__::SdfFileFormat::SdfFileFormat(pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::TfToken const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:72
#19 0x7fa524ee9545 in pxrInternal_v0_21__pxrReserved::UsdUsdzFileFormat::UsdUsdzFileFormat() /home/hill/USD/USD-release/pxr/usd/usd/usdzFileFormat.cpp:54
#20 0x7fa524eebddd in pxrInternal_v0_21__pxrReserved__::Sdf_FileFormatFactory<pxrInternal_v0_21__pxrReserved__::UsdUsdzFileFormat>::New() const /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.h:421
#21 0x7fa52fc2da48 in pxrInternal_v0_21__pxrReserved__::Sdf_FileFormatRegistry::Info::GetFileFormat() const /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:62
#22 0x7fa52fc32423 in pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::GetFileFormat(boost::shared_ptr<pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::Info> const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:437
#23 0x7fa52fc2e980 in pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:139
#24 0x7fa52ff37be5 in pxrInternal_v0_21__pxrReserved::SdfFileFormat::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:312
#25 0x7fa52ff38159 in pxrInternal_v0_21__pxrReserved::SdfFileFormat::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, std::cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:340
#26 0x7fa52ff4a0da in pxrInternal_v0_21__pxrReserved::SdfLayer::_ComputeInfoToFindOrOpenLayer(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::_cxx11::basic_string<char, std::char_traits, std::allocator > const, std::cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&, pxrInternal_v0_21__pxrReserved::SdfLayer::FindOrOpenLayerInfo*, bool) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:742
#27 0x7fa52ff4a7b4 in pxrInternal_v0_21__pxrReserved::SdfLayer::FindOrOpen(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:824
#28 0x55d54f81ae36 in main /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:522
#29 0x7fa52c9f3bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
previously allocated by thread T0 here:
#0 0x7fa53099b448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
#1 0x7fa52fe28c26 in gnu_cxx::new_allocator<pxrInternal_v0_21__pxrReserved::SdfValueTypeName>::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
#2 0x7fa52fe242fb in std::allocator_traits<std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::allocate(std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName>&, unsigned long) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xade2fb)
#3 0x7fa52fe21bff in std::Vector_base<pxrInternal_v0_21__pxrReserved_::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::M_allocate(unsigned long) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xadbbff)
#4 0x7fa52fe1f245 in void std::vector<pxrInternal_v0_21__pxrReserved_::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::M_realloc_insert<pxrInternal_v0_21__pxrReserved_::SdfValueTypeName>(gnu_cxx::normal_iterator<pxrInternal_v0_21__pxrReserved::SdfValueTypeName*, std::vector<pxrInternal_v0_21__pxrReserved::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> > >, pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xad9245)
#5 0x7fa52fe1cc32 in void std::vector<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::emplace_back<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName>(pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) (/home/hill/usd_asan_debug/lib/libusd_sdf.so+0xad6c32)
#6 0x7fa52fe1b637 in std::vector<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName, std::allocator<pxrInternal_v0_21__pxrReserved__::SdfValueTypeName> >::push_back(pxrInternal_v0_21__pxrReserved__::SdfValueTypeName&&) /usr/include/c++/7/bits/stl_vector.h:954
#7 0x7fa52fe15b3b in AddType /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:383
#8 0x7fa52fe1462c in AddType /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:253
#9 0x7fa52fe189f3 in pxrInternal_v0_21__pxrReserved_::Sdf_ValueTypeRegistry::AddType(pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::VtValue const&, pxrInternal_v0_21__pxrReserved__::VtValue const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&, pxrInternal_v0_21__pxrReserved::TfEnum, pxrInternal_v0_21__pxrReserved::TfToken const&, pxrInternal_v0_21__pxrReserved__::SdfTupleDimensions const&) /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:604
#10 0x7fa52fe185e6 in pxrInternal_v0_21__pxrReserved__::Sdf_ValueTypeRegistry::AddType(pxrInternal_v0_21__pxrReserved__::Sdf_ValueTypeRegistry::Type const&) /home/hill/USD/USD-release/pxr/usd/sdf/valueTypeRegistry.cpp:579
#11 0x7fa53018bd3a in AddStandardTypesToRegistry /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:480
#12 0x7fa530192f4d in pxrInternal_v0_21__pxrReserved_::SdfSchemaBase::RegisterStandardTypes() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:673
#13 0x7fa530192b80 in pxrInternal_v0_21__pxrReserved_::SdfSchemaBase::SdfSchemaBase() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:653
#14 0x7fa5301a0ad1 in pxrInternal_v0_21__pxrReserved__::SdfSchema::SdfSchema() /home/hill/USD/USD-release/pxr/usd/sdf/schema.cpp:1781
#15 0x7fa5301abdfb in pxrInternal_v0_21__pxrReserved__::TfSingleton<pxrInternal_v0_21__pxrReserved__::SdfSchema>::CreateInstance() /home/hill/USD/USD-release/pxr/base/tf/instantiateSingleton.h:71
#16 0x7fa52fc649f4 in pxrInternal_v0_21__pxrReserved_::TfSingleton<pxrInternal_v0_21__pxrReserved__::SdfSchema>::GetInstance() /home/hill/USD/USD-release/pxr/base/tf/singleton.h:142
#17 0x7fa52fc63969 in pxrInternal_v0_21__pxrReserved__::SdfSchema::GetInstance() /home/hill/USD/USD-release/pxr/usd/sdf/schema.h:558
#18 0x7fa52ff364f5 in pxrInternal_v0_21__pxrReserved__::SdfFileFormat::SdfFileFormat(pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::TfToken const&, pxrInternal_v0_21__pxrReserved__::TfToken const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:72
#19 0x7fa524ee9545 in pxrInternal_v0_21__pxrReserved::UsdUsdzFileFormat::UsdUsdzFileFormat() /home/hill/USD/USD-release/pxr/usd/usd/usdzFileFormat.cpp:54
#20 0x7fa524eebddd in pxrInternal_v0_21__pxrReserved__::Sdf_FileFormatFactory<pxrInternal_v0_21__pxrReserved__::UsdUsdzFileFormat>::New() const /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.h:421
#21 0x7fa52fc2da48 in pxrInternal_v0_21__pxrReserved__::Sdf_FileFormatRegistry::Info::GetFileFormat() const /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:62
#22 0x7fa52fc32423 in pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::GetFileFormat(boost::shared_ptr<pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::Info> const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:437
#23 0x7fa52fc2e980 in pxrInternal_v0_21__pxrReserved_::Sdf_FileFormatRegistry::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormatRegistry.cpp:139
#24 0x7fa52ff37be5 in pxrInternal_v0_21__pxrReserved::SdfFileFormat::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:312
#25 0x7fa52ff38159 in pxrInternal_v0_21__pxrReserved::SdfFileFormat::FindByExtension(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, std::cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&) /home/hill/USD/USD-release/pxr/usd/sdf/fileFormat.cpp:340
#26 0x7fa52ff4a0da in pxrInternal_v0_21__pxrReserved::SdfLayer::_ComputeInfoToFindOrOpenLayer(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::_cxx11::basic_string<char, std::char_traits, std::allocator > const, std::cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&, pxrInternal_v0_21__pxrReserved::SdfLayer::FindOrOpenLayerInfo*, bool) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:742
#27 0x7fa52ff4a7b4 in pxrInternal_v0_21__pxrReserved::SdfLayer::FindOrOpen(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::map<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::less<std::__cxx11::basic_string<char, std::char_traits, std::allocator > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits, std::allocator > const, std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > > const&) /home/hill/USD/USD-release/pxr/usd/sdf/layer.cpp:824
#28 0x55d54f81ae36 in main /home/hill/USD/USD-release/pxr/usd/bin/sdfdump/sdfdump.cpp:522
#29 0x7fa52c9f3bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-use-after-free /home/hill/USD/USD-release/pxr/usd/sdf/schema.h:228 in pxrInternal_v0_21__pxrReserved__::SdfSchemaBase::GetSpecDefinition(pxrInternal_v0_21__pxrReserved__::SdfSpecType) const
Shadow bytes around the buggy address:
0x0c327fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9de0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c327fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff9e20: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c327fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7994==ABORTING
Package Versions
21.11
This bug is found by fuzzer ATTuzz
The text was updated successfully, but these errors were encountered: