Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: heap-buffer-overflow in pspdf_prepare_outpages() in ps-pdf.cxx:1338:15 #413

Closed
chibataiki opened this issue Jan 26, 2021 · 3 comments
Assignees
Labels
bug Something isn't working priority-high
Milestone

Comments

@chibataiki
Copy link

chibataiki commented Jan 26, 2021

Hello, While fuzzing htmldoc , I found a heap-buffer-overflow in the pspdf_prepare_outpages() ,in ps-pdf.cxx:1338:15

test platform
htmldoc Version 1.9.12 git [master 6898d0a]
OS :Ubuntu 20.04.1 LTS x86_64
kernel: 5.4.0-53-generic
compiler: clang version 10.0.0-4ubuntu1
reproduced:

htmldoc -f demo.pdf   poc2.html

poc(zipped for update):
poc2.zip

=================================================================
==38089==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150003b19f8 at pc 0x000000555985 bp 0x7ffca8f71990 sp 0x7ffca8f71988
WRITE of size 4 at 0x6150003b19f8 thread T0
    #0 0x555984 in pspdf_prepare_outpages() /home//htmldoc_sani/htmldoc/ps-pdf.cxx:1338:15
    #1 0x555984 in pspdf_export /home//htmldoc_sani/htmldoc/ps-pdf.cxx:901
    #2 0x53c845 in main /home//htmldoc_sani/htmldoc/htmldoc.cxx:1291:3
    #3 0x7f44ac7c40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41f8bd in _start (/home//htmldoc_sani/htmldoc/htmldoc+0x41f8bd)

0x6150003b19f8 is located 0 bytes to the right of 504-byte region [0x6150003b1800,0x6150003b19f8)
allocated by thread T0 here:
    #0 0x4ee5df in __interceptor_malloc /home/goushi/work/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x5500bf in pspdf_prepare_outpages() /home//htmldoc_sani/htmldoc/ps-pdf.cxx:1258:27
    #2 0x5500bf in pspdf_export /home//htmldoc_sani/htmldoc/ps-pdf.cxx:901
    #3 0x53c845 in main /home//htmldoc_sani/htmldoc/htmldoc.cxx:1291:3
    #4 0x7f44ac7c40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home//htmldoc_sani/htmldoc/ps-pdf.cxx:1338:15 in pspdf_prepare_outpages()
Shadow bytes around the buggy address:
  0x0c2a8006e2e0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2a8006e2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8006e300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8006e310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8006e320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a8006e330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c2a8006e340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8006e350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8006e360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8006e370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8006e380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==38089==ABORTING

reporter: chiba of topsec alphalab

@michaelrsweet michaelrsweet self-assigned this Jan 26, 2021
@michaelrsweet michaelrsweet added bug Something isn't working priority-high labels Jan 26, 2021
@michaelrsweet michaelrsweet added this to the Stable milestone Jan 26, 2021
@michaelrsweet
Copy link
Owner

Confirmed, investigating...

@michaelrsweet
Copy link
Owner

[master 6e8a955] Fix a number-up crash bug (Issue #413)

@chibataiki
Copy link
Author

CVE-2021-23165 assigned

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working priority-high
Projects
None yet
Development

No branches or pull requests

2 participants