Buffer overflow in the TexOpen() function

[fcambus]

Hi,

While fuzzing OpenDetex with Honggfuzz, I found a buffer overflow in the TexOpen() function, in detex.l.

Attaching a reproducer (gzipped so GitHub accepts it): test01.gz

Issue can be reproduced by running:

detex test01

=================================================================
==2795==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000db1540 at pc 0x00000043a607 bp 0x7ffdb2beab20 sp 0x7ffdb2bea2b8
WRITE of size 6062 at 0x000000db1540 thread T0
    #0 0x43a606 in vsprintf (/home/fcambus/opendetex-2.8.5/detex+0x43a606)
    #1 0x43b593 in sprintf (/home/fcambus/opendetex-2.8.5/detex+0x43b593)
    #2 0x4cbbb5 in TexOpen /home/fcambus/opendetex-2.8.5/detex.l:904:9
    #3 0x4c6cbd in IncludeFile /home/fcambus/opendetex-2.8.5/detex.l:756:14
    #4 0x4c4382 in yylex /home/fcambus/opendetex-2.8.5/detex.l
    #5 0x4cb20e in main /home/fcambus/opendetex-2.8.5/detex.l:602:12
    #6 0x7fd1c14491e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #7 0x41b34d in _start (/home/fcambus/opendetex-2.8.5/detex+0x41b34d)

0x000000db1540 is located 0 bytes to the right of global variable 'sbFullPath' defined in 'detex.l:893:14' (0xdb0540) of size 4096
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/fcambus/opendetex-2.8.5/detex+0x43a606) in vsprintf
Shadow bytes around the buggy address:
  0x0000801ae250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801ae290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801ae2a0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801ae2f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2795==ABORTING

[fcambus]

This issue has been assigned CVE-2019-19601.

[norbusan]

A few comments: first of all, this bug happens in the code path where kpathsea is not used (#ifndef KPATHSEA), thus, when compiled with kpathsea which is probably mostly used there is no problem. For example, those using detex from the TeX Live sources and build in the usual way, that is with kpathsea, will not be affected.

For a fix, Akira Kakuto from the TeX Live team suggested:

--- detex.l.orig    Sun Feb 03 19:49:09 2019
+++ detex.l    Thu Jan 23 11:23:50 2020
@@ -898,10 +898,10 @@
#else
        if (*sbFile == '/') {    /* absolute path */
#endif
-        (void)sprintf(sbFullPath, "%s", sbFile);
+        (void)snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);
        iPath = csbInputPaths;    /* only check once */
        } else
-        (void)sprintf(sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);
+        (void)snprintf(sbFullPath, PATH_MAX-1, "%s/%s", rgsbInputPaths[iPath], sbFile);
#ifdef OS2
        pch = sbFullPath;
        while (pch = strchr(pch, '\\'))

but this is unchecked.

Hope that helps.