Segmentation Fault #656
Comments
@yngwei, thank you, we'll have a look at it. Can you post your PoC file here? Add it as an attachment to a message.
@yngwei thank you for the issue... and certainly agree with you, the loop logic is flawed... after modification in the loop As @balthisar points out we will look at it soonest... and fix it... maybe a simple That is with or without a sample PoC, but having one certainly aids quick testing, and provides a later regression test sample... thanks...
@yngwei I have experimented with the following
diff --git a/src/clean.c b/src/clean.c
index de4caf5..e96dd3f 100644
--- a/src/clean.c
+++ b/src/clean.c
@@ -2211,8 +2211,10 @@ Bool TY_(TidyMetaCharset)(TidyDocImpl* doc)
tidyBufAppend(&charsetString, "charset=", 8);
tidyBufAppend(&charsetString, (char*)enc, TY_(tmbstrlen)(enc));
tidyBufAppend(&charsetString, "\0", 1); /* zero terminate the buffer */
- /* process the children of the head */
- for (currentNode = head->content; currentNode; currentNode = currentNode->next)
+ /* process the children of the head */
+ /* Issue #656 - guard against 'currentNode' being set NULL in loop */
+ for (currentNode = head->content; currentNode;
+ currentNode = (currentNode ? currentNode->next : NULL))
{
if (!nodeIsMETA(currentNode))
continue; /* not a meta node */
Appreciated if you, or others, could give it a try... and/or comments... thanks... And on a PoC sample html, I now too would certainly appreciate that... I tried several ways to construct my own, but could not produce a simple sample where As @balthisar asked, "Can you post your PoC file here? Add it as an attachment to a message."... thanks...
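Review bot: the guarded increment `currentNode = (currentNode ? currentNode->next : NULL)` removes the NULL dereference, but it also ends the walk the moment the loop body clears `currentNode`, so any META siblings that follow the cleared node are never examined. Consider capturing the successor before the body can touch the cursor (a local `next = currentNode->next;` at the top of the body, and `currentNode = next` in the increment) so that discarding one node does not skip the rest of the head's children. The `/* process the children of the head */` comment is removed and re-added unchanged; dropping that pair of lines would keep the hunk minimal.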
@yngwei thank you for the PoC file... it is the bad line 10, From that I was able to construct a minimal test sample, which I would never have been able to guess, which exposes the problem -
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset<"utf-8">
<title>Issue #656-1</title>
</head>
<body>
<h1>Issue #656-1</h1>
</body>
</html>
Certainly applying my patch fixes the problem. Of course the tidy generated html, after finding that extra Hope you can get a chance to try it and confirm... thanks...
FTR, this issue has been assigned CVE-2017-17497.
Create PR #661 for testing and review... thanks...
Description
The vulnerability is an incorrect access control. The variable “currentNode” at line 2215 (in clean.c) is modified in the loop, but it does not check whether the new value is valid. When you enter the loop again, “currentNode->next” is invalid, so it causes the segmentation fault.
Version
Backtrace:
GDB Information
PoC
Contact me if you need Poc file at yinjiawei@iie.ac.cn or yangmeifang@iie.ac.cn
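The loop hazard this issue describes, and the guard tried in the patch above, as an added illustration in C. This is not tidy's code: the Node type, visit() and sample_head() are constructed stand-ins for a head's child list and for the body of TY_(TidyMetaCharset).

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a tidy head's child list (not tidy's real Node). */
typedef struct Node {
    const char *name;   /* element name, e.g. "meta" or "title" */
    int bad;            /* constructed flag: this <meta> is malformed and discarded */
    struct Node *next;
} Node;

/* Stand-in for the loop body in TY_(TidyMetaCharset): counts each <meta> it
 * examines and, for a malformed one, returns NULL to mirror the body clearing
 * currentNode, which is the situation the issue describes. */
static Node *visit(Node *cur, int *metas_seen) {
    if (strcmp(cur->name, "meta") != 0)
        return cur;                 /* not a meta node: left untouched */
    (*metas_seen)++;
    return cur->bad ? NULL : cur;   /* discarded node: cursor is cleared */
}

/* Original loop shape (for reference, not called): with `cur = cur->next` as
 * the increment, a cleared cursor is dereferenced and the walk crashes. */

/* Loop shape from the PR #661 patch: the ternary avoids the NULL dereference,
 * but a cleared cursor ends the iteration, so later siblings are skipped. */
int walk_patched(Node *head) {
    int metas_seen = 0;
    Node *cur;
    for (cur = head; cur; cur = (cur ? cur->next : NULL))
        cur = visit(cur, &metas_seen);
    return metas_seen;
}

/* Alternative: capture the successor before the body can touch the cursor,
 * so a discarded node neither crashes nor truncates the walk. */
int walk_save_next(Node *head) {
    int metas_seen = 0;
    Node *cur, *next;
    for (cur = head; cur; cur = next) {
        next = cur->next;
        visit(cur, &metas_seen);
    }
    return metas_seen;
}

/* Constructed <head>: meta, malformed meta, title, meta. */
Node *sample_head(void) {
    static Node n3 = { "meta", 0, NULL };
    static Node n2 = { "title", 0, &n3 };
    static Node n1 = { "meta", 1, &n2 };
    static Node n0 = { "meta", 0, &n1 };
    return &n0;
}
```

On the sample list the patched loop examines two meta nodes and stops at the malformed one, while the save-next loop examines all three.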