Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AddressSanitizer: heap-buffer-overflow in function parse_table at ps-pdf.cxx:7198 #483

Closed
hdthky opened this issue Mar 25, 2022 · 1 comment
Assignees
Labels
bug Something isn't working priority-low

Comments

@hdthky
Copy link

hdthky commented Mar 25, 2022

Description

Whilst experimenting with htmldoc, built from commit 0bef12c, we are able to induce a vulnerability at htmldoc/htmldoc/ps-pdf.cxx:7198 in function parse_table , using a harness compiled from htmldoc/htmldoc.cxx.

Because there is no bounds checking, a heap-based out-of-bound read will be triggered when the software encounters a malformed file, result in information disclosure or denial of service.

Environment

Ubuntu 20.04

gcc 10.3.0 with ASAN

Proof of Concept

The POC is: poc_heap_overflow6

The command is: ./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow6

The ASAN report is:

=================================================================
==105819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003910 at pc 0x5555555eec34 bp 0x7fffffff3a60 sp 0x7fffffff3a50
READ of size 8 at 0x621000003910 thread T0
    #0 0x5555555eec33 in parse_table /work/htmldoc/htmldoc/ps-pdf.cxx:7198
    #1 0x5555555f066a in parse_doc /work/htmldoc/htmldoc/ps-pdf.cxx:4191
    #2 0x5555555f63f3 in render_table_row /work/htmldoc/htmldoc/ps-pdf.cxx:5860
    #3 0x5555555ee769 in parse_table /work/htmldoc/htmldoc/ps-pdf.cxx:7146
    #4 0x5555555f066a in parse_doc /work/htmldoc/htmldoc/ps-pdf.cxx:4191
    #5 0x5555555f4f23 in parse_doc /work/htmldoc/htmldoc/ps-pdf.cxx:4537
    #6 0x555555604d71 in pspdf_export /work/htmldoc/htmldoc/ps-pdf.cxx:803
    #7 0x55555559f764 in main /work/htmldoc/htmldoc/htmldoc.cxx:1291
    #8 0x7ffff6b620b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x55555559fbcd in _start (/work/htmldoc/htmldoc/htmldoc+0x4bbcd)

0x621000003910 is located 32 bytes to the right of 4080-byte region [0x621000002900,0x6210000038f0)
allocated by thread T0 here:
    #0 0x7ffff769bc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5555555cf500 in check_pages /work/htmldoc/htmldoc/ps-pdf.cxx:8867

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/htmldoc/htmldoc/ps-pdf.cxx:7198 in parse_table
Shadow bytes around the buggy address:
  0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
=>0x0c427fff8720: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==105819==ABORTING

Impact

This vulnerability is capable of inducing information disclosure or denial of service.

@michaelrsweet
Copy link
Owner

[master 3b44975] Fix another potential use of pages array without checking (Issue #483)

@michaelrsweet michaelrsweet self-assigned this Mar 28, 2022
@michaelrsweet michaelrsweet added bug Something isn't working priority-low labels Mar 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working priority-low
Projects
None yet
Development

No branches or pull requests

2 participants