Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: heap-buffer-overflow in function render_table_row at ps-pdf.cxx:6142:65 #478

Closed
hdthky opened this issue Mar 24, 2022 · 2 comments
Assignees
Labels
bug Something isn't working priority-medium
Milestone

Comments

@hdthky
Copy link

hdthky commented Mar 24, 2022

Description

Whilst experimenting with htmldoc, built from commit 31f7804, we are able to induce a vulnerability at htmldoc/htmldoc/ps-pdf.cxx:6142:65 in function render_table_row , using a harness compiled from htmldoc/htmldoc.cxx.

Because there is no bounds checking, a heap-based out-of-bound read will be triggered when the software encounters a malformed file, result in information disclosure or denial of service.

Proof of Concept

The POC is: poc_heap_overflow3

The command is: `./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow3

The ASAN report is:

=================================================================
==50577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c0000071b0 at pc 0x0000004447db bp 0x7fffffff5890 sp 0x7fffffff5888
READ of size 8 at 0x62c0000071b0 thread T0
    #0 0x4447da in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:6142:65
    #1 0x430b16 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:7136:5
    #2 0x3d48ff in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4185:11
    #3 0x3d6652 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4531:13
    #4 0x3c2857 in pspdf_export /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:803:3
    #5 0x39a254 in main /work/libraries/htmldoc/htmldoc/htmldoc.cxx:1291:3
    #6 0x7ffff75070b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x2a051d in _start (/work/libraries/htmldoc/htmldoc/htmldoc+0x2a051d)

0x62c0000071b0 is located 32 bytes to the right of 28560-byte region [0x62c000000200,0x62c000007190)
allocated by thread T0 here:
    #0 0x31b6f9 in realloc (/work/libraries/htmldoc/htmldoc/htmldoc+0x31b6f9)
    #1 0x3ddaf8 in check_pages(int) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:8859:24

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:6142:65 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*)
Shadow bytes around the buggy address:
  0x0c587fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c587fff8e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c587fff8e30: 00 00 fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c587fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c587fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50577==ABORTING

Impact

This vulnerability is capable of inducing information disclosure or denial of service.

@michaelrsweet michaelrsweet self-assigned this Mar 24, 2022
@michaelrsweet michaelrsweet added the bug Something isn't working label Mar 24, 2022
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 24, 2022
@michaelrsweet
Copy link
Owner

@hdthky Reproduced, investigating.

@michaelrsweet
Copy link
Owner

[master 15a1bc8] Make sure to call check_pages for all table row pages (Issue #478)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working priority-medium
Projects
None yet
Development

No branches or pull requests

2 participants