Segmentation Fault

[yngwei]

Description

The vulnerability is an incorrect-access-control. The variable “currentNode” at line 2215(in clean.c) is modified in the loop, but it does not check whether the new value is valid. When you enter the loop again, “currentNode-> next”is invalid. So it causes the segmentation fault .

Version

5.7.0
2017.11.25

Backtrace:

#0  prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2235
#1  0x00000000004193ed in tidyDocCleanAndRepair (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:2077
#2  0x0000000000418381 in tidyCleanAndRepair (tdoc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:1401
#3  0x000000000040e954 in main (argc=0x2, argv=0x7fffffffded8)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/console/tidy.c:2420
#4  0x00007ffff7a2d830 in __libc_start_main (main=0x40d8a3 <main>, argc=0x2, 
    argv=0x7fffffffded8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffdec8)
    at ../csu/libc-start.c:291
#5  0x000000000040a759 in _start ()

GDB Information

Stopped reason: SIGSEGV
0x0000000000440564 in prvTidyTidyMetaCharset (doc=0x6d9010)
    at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2215
2215	    for (currentNode = head->content; currentNode; currentNode = currentNode->next)

PoC

Contact me if you need Poc file at yinjiawei@iie.ac.cn or yangmeifang@iie.ac.cn

[balthisar]

@yngwei, 谢谢, we'll have a look at it. Can you post your Poc file here? Add it as an attachment to a message.

[geoffmcl]

@yngwei thank you for the issue... and certainly agree with you, the loop logic is flawed... after modification in the loop currentNode->next could be invalid, and lead to a segfault...

As @balthisar points out we will look at it soonest... and fix it... maybe a simple currentNode = (currentNode ? currentNode->next : NULL), or if (!currentNode) break; before each continue;, or something like that...

That is with or without a sample PoC, but having one certainly aids quick testing, and provides a later regression test sample... thanks...

[geoffmcl]

@yngwei I have experimented with the following patch, and seems to work for me...

diff --git a/src/clean.c b/src/clean.c
index de4caf5..e96dd3f 100644
--- a/src/clean.c
+++ b/src/clean.c
@@ -2211,8 +2211,10 @@ Bool TY_(TidyMetaCharset)(TidyDocImpl* doc)
     tidyBufAppend(&charsetString, "charset=", 8);
     tidyBufAppend(&charsetString, (char*)enc, TY_(tmbstrlen)(enc));
     tidyBufAppend(&charsetString, "\0", 1); /* zero terminate the buffer */
-                                            /* process the children of the head */
-    for (currentNode = head->content; currentNode; currentNode = currentNode->next)
+    /* process the children of the head */
+    /* Issue #656 - guard against 'currentNode' being set NULL in loop */
+    for (currentNode = head->content; currentNode; 
+        currentNode = (currentNode ? currentNode->next : NULL))
     {
         if (!nodeIsMETA(currentNode))
             continue;   /* not a meta node */

Appreciated if you, or others, could give it a try... and/or comments... thanks...

And on a PoC sample html, I now too would certainly appreciate that...

I tried several ways to construct my own, but could not produce a simple sample where currentNode->prev was NULL, but still see it as a theoretic possibility, hence the suggested added loop guard...

As @balthisar asked, "Can you post your Poc file here? Add it as an attachment to a message."... thanks...

[yngwei]

@geoffmcl This is the poc file.
poc.zip

[geoffmcl]

@yngwei thank you for the PoC file... it is the bad line 10, <meta charset<"utf-8"> that causes the problem to show up...

From that I was able to construct a minimal test sample, which I would never have been able to guess, which exposes the problem -

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset<"utf-8">
    <title>Issue #656-1</title>
  </head>
  <body>
    <h1>Issue #656-1</h1>
  </body>
</html>

Certainly applying my patch fixes the problem.

Of course the tidy generated html, after finding that extra < is not very pretty, and including a <meta... with no value is not good, but will leave those as separate issues to maybe be raised. Seems the Segmentation Fault is fixed...

Hope you can get a chance to try it and confirm... thanks...

[carnil]

FTR, this issue has been assigned CVE-2017-17497.

[geoffmcl]

Create PR #661 for testing and review... thanks...