
Segmentation Fault #656

Closed

@yngwei

Description

The vulnerability is an incorrect access control. The variable “currentNode” at line 2215 (in clean.c) is modified in the loop, but it does not check whether the new value is valid. When you enter the loop again, “currentNode->next” is invalid. So it causes the segmentation fault.

Version

5.7.0
2017.11.25

Backtrace:

#0  prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2235
#1  0x00000000004193ed in tidyDocCleanAndRepair (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:2077
#2  0x0000000000418381 in tidyCleanAndRepair (tdoc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:1401
#3  0x000000000040e954 in main (argc=0x2, argv=0x7fffffffded8)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/console/tidy.c:2420
#4  0x00007ffff7a2d830 in __libc_start_main (main=0x40d8a3 <main>, argc=0x2, 
    argv=0x7fffffffded8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdec8)
    at ../csu/libc-start.c:291
#5  0x000000000040a759 in _start ()

GDB Information

Stopped reason: SIGSEGV
0x0000000000440564 in prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2215
2215	    for (currentNode = head->content; currentNode; currentNode = currentNode->next)

PoC

Contact me if you need the PoC file at yinjiawei@iie.ac.cn or yangmeifang@iie.ac.cn
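The loop shape the report points at, as an added example that is not tidy-html5's code and is not part of the issue above: a constructed doubly linked child list, a traversal that unlinks and frees the loop variable inside the body and then reads currentNode->next from it in the for-increment, and the same traversal fixed by saving the successor before the body runs. Node, Head, node_remove, drop_duplicate_charset and the sample <head> contents are assumptions made for this example, not tidy's types or API; whether tidy's loop body frees the node or only unlinks it is not stated on this page, so the freed case is the one modelled here.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for a parser's child list; not tidy-html5's Node type. */
typedef struct Node {
    const char *name;      /* element name, e.g. "meta" */
    const char *charset;   /* non-NULL for a <meta charset=...> node */
    struct Node *prev;
    struct Node *next;
} Node;

typedef struct { Node *content; } Head;   /* plays the role of <head> */

static Node *node_new(const char *name, const char *charset)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->name = name; n->charset = charset;
    return n;
}

/* Append n as the last child of head, keeping prev/next consistent. */
static void head_append(Head *head, Node *n)
{
    Node *last = head->content;
    if (!last) { head->content = n; return; }
    while (last->next) last = last->next;
    last->next = n;
    n->prev = last;
}

/* Unlink n and clear its links, as a parser's RemoveNode typically does. */
static void node_remove(Head *head, Node *n)
{
    if (n->prev) n->prev->next = n->next; else head->content = n->next;
    if (n->next) n->next->prev = n->prev;
    n->prev = n->next = NULL;
}

/* BUGGY: the loop variable is unlinked and freed inside the body, then the
 * for-increment reads currentNode->next from freed memory. Never called. */
void drop_duplicate_charset_buggy(Head *head)
{
    int seen = 0; Node *currentNode;
    for (currentNode = head->content; currentNode; currentNode = currentNode->next) {
        if (!currentNode->charset) continue;
        if (!seen) { seen = 1; continue; }   /* keep the first charset meta */
        node_remove(head, currentNode);
        free(currentNode);                   /* ->next is read right after this */
    }
}

/* FIXED: save the successor while currentNode is still valid and advance from
 * the saved pointer. Returns the number of duplicate charset nodes removed. */
int drop_duplicate_charset(Head *head)
{
    int seen = 0, removed = 0;
    Node *currentNode, *next = NULL;
    for (currentNode = head->content; currentNode; currentNode = next) {
        next = currentNode->next;            /* taken before any modification */
        if (!currentNode->charset) continue;
        if (!seen) { seen = 1; continue; }
        node_remove(head, currentNode);
        free(currentNode);
        removed++;
    }
    return removed;
}

/* Count children of head; with charset_only, count only <meta charset> nodes. */
int count_nodes(const Head *head, int charset_only)
{
    int n = 0;
    for (const Node *c = head->content; c; c = c->next)
        if (!charset_only || c->charset) n++;
    return n;
}

/* Constructed sample <head>: title, three charset metas (two duplicates), link. */
Head *build_sample_head(void)
{
    Head *head = calloc(1, sizeof *head);
    if (!head) abort();
    head_append(head, node_new("title", NULL));
    head_append(head, node_new("meta", "utf-8"));
    head_append(head, node_new("meta", "iso-8859-1"));
    head_append(head, node_new("meta", "utf-8"));
    head_append(head, node_new("link", NULL));
    return head;
}

void free_head(Head *head)
{
    for (Node *c = head->content, *next; c; c = next) { next = c->next; free(c); }
    free(head);
}

int main(void)
{
    Head *head = build_sample_head();
    int removed = drop_duplicate_charset(head);
    printf("removed %d duplicate charset meta node(s); %d node(s) remain\n", removed, count_nodes(head, 0));
    free_head(head);
    return 0;
}
```

A plain build of the buggy traversal only faults when the freed chunk has already been reused or unmapped, which is why a crash like the one above depends on a specific PoC input. Building the fuzz target with -fsanitize=address turns the read of currentNode->next into a heap-use-after-free report on the first occurrence, with the allocation and free stacks attached.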
