AddressSanitizer: heap-buffer-overflow in function pdf_write_names #480
Comments
OK, so I am unable to reproduce when "leak_check_at_exit=false" is set. When not set I get completely different results.
It is a little weird. Even if I turn off leak_check_at_exit, I can still reproduce it.
The causes of buffer overflow and memory leak are totally different. In theory, turning leak_check_at_exit off or not doesn't affect the result.
@hdthky I am well aware of the differences. Theory doesn't matter, actual run evidence shows a difference on three different systems at my immediate disposal (iMac Pro running current macOS, Ubuntu VM on that system, and Ubuntu VM on an M1 MacBook Pro). No errors on macOS, different results on both Ubuntu VMs.
Yes, it has been fixed now.
The vulnerability was found by Xingyuan Mo, Hui Lu, Zhihong Tian from Guangzhou University. |
Description
Whilst experimenting with htmldoc, built from commit 31f7804, we are able to induce a vulnerability in function pdf_write_names, using a harness compiled from htmldoc/htmldoc.cxx. Because there is no bounds checking, a heap-based out-of-bound read will be triggered when the software encounters a malformed file, resulting in information disclosure or denial of service.
Proof of Concept
The POC is: poc_heap_overflow1
The command is: `./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow1`
The ASAN report is:
Impact
This vulnerability is capable of inducing information disclosure or denial of service.