Bad call to set_expr causes SEGV - 3ad4c45f

[jodiecunningham]

Hi hoterran,

Through some fuzzing I found a bad set statement that can cause a segfault in the application.

Source query (written out to file 3ad4c45f):

set a>= 1, b=2;

To reproduce:

format 3ad4c45f

Output:

1: error: Segmentation fault (core dumped)

_Backtrace from GDB_:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007ffff7a5f8f3 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1661
#0  0x00007ffff7a5f8f3 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1661
#1  0x00007ffff7a62e21 in buffered_vfprintf (s=s@entry=0x7ffff7dd41c0 <_IO_2_1_stderr_>, format=format@entry=0x45662a "bad set to @%s", args=args@entry=0x7fffffffd6d8) at vfprintf.c:2356
#2  0x00007ffff7a5dd9e in _IO_vfprintf_internal (s=s@entry=0x7ffff7dd41c0 <_IO_2_1_stderr_>, format=format@entry=0x45662a "bad set to @%s", ap=0x7fffffffd6d8) at vfprintf.c:1313
#3  0x00007ffff7b1e2dd in ___vfprintf_chk (fp=0x7ffff7dd41c0 <_IO_2_1_stderr_>, flag=flag@entry=1, format=format@entry=0x45662a "bad set to @%s", ap=ap@entry=0x7fffffffd6d8) at vfprintf_chk.c:33
#4  0x0000000000413f59 in vfprintf (__ap=0x7fffffffd6d8, __fmt=0x45662a "bad set to @%s", __stream=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:127
#5  yyerror (s=s@entry=0x45662a "bad set to @%s") at sql.y:2958
#6  0x000000000041f4ec in yyparse () at sql.y:1990
#7  0x0000000000401480 in main (ac=<optimized out>, av=<optimized out>) at format.c:899
#8  0x00007ffff7a35ec5 in __libc_start_main (main=0x4012c0 <main>, argc=2, argv=0x7fffffffe118, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe108) at libc-start.c:287
#9  0x000000000040439c in _start ()

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Found with the fuzzer American Fuzzy Lop ( http://lcamtuf.coredump.cx/afl/ )