Closed
Description
The vulnerability is an invalid pointer dereference. The variable "currentNode" at line 2215 (in clean.c) is modified inside the loop body, but nothing checks that its new value is still a valid node. When the loop's increment expression "currentNode->next" is evaluated for the next iteration, it reads through that invalid pointer, which causes the segmentation fault.
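The loop shape behind the report, as an added illustration that is not tidy's code: a head element's child list is traversed with the same for-loop form, first in the unsafe variant where the body discards currentNode and the increment then reads currentNode->next from freed memory, then in the hardened variant that saves next before the body can invalidate the node. The Node and Head types, discard_node, append_child and the child names are constructed for this example and are not tidy's real types or functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for tidy's child list (constructed for this example,
 * not tidy's real Node type): head->content is the first child and the
 * children are chained through next/prev. */
typedef struct Node {
    char name[16];
    struct Node *prev;
    struct Node *next;
} Node;

typedef struct { Node *content; } Head;

static Node *append_child(Head *head, const char *name)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    strncpy(n->name, name, sizeof n->name - 1);
    if (!head->content) {
        head->content = n;
    } else {
        Node *last = head->content;
        while (last->next) last = last->next;
        last->next = n;
        n->prev = last;
    }
    return n;
}

/* Unlink n from the child list and free it: the kind of modification the
 * loop body in the report applies to currentNode. */
static void discard_node(Head *head, Node *n)
{
    if (n->prev) n->prev->next = n->next; else head->content = n->next;
    if (n->next) n->next->prev = n->prev;
    free(n);
}

/* VULNERABLE PATTERN (same shape as the loop at clean.c:2215): the body
 * discards currentNode, then the for-increment evaluates currentNode->next
 * on memory that has already been freed. main() does not call this;
 * built with -fsanitize=address it reports heap-use-after-free. */
void remove_children_named_unsafe(Head *head, const char *name)
{
    Node *currentNode;
    for (currentNode = head->content; currentNode; currentNode = currentNode->next) {
        if (strcmp(currentNode->name, name) == 0)
            discard_node(head, currentNode);   /* currentNode is now dangling */
    }
}

/* HARDENED PATTERN: read next while the node is still valid, before the
 * body gets a chance to unlink or free it. Returns the number removed. */
int remove_children_named(Head *head, const char *name)
{
    int removed = 0;
    Node *currentNode, *nextNode;
    for (currentNode = head->content; currentNode; currentNode = nextNode) {
        nextNode = currentNode->next;          /* saved before the body runs */
        if (strcmp(currentNode->name, name) == 0) {
            discard_node(head, currentNode);
            removed++;
        }
    }
    return removed;
}

int count_children(const Head *head)
{
    int n = 0;
    for (const Node *c = head->content; c; c = c->next) n++;
    return n;
}

/* Constructed sample: <head> with title, two metas and a link. */
Head *build_sample_head(void)
{
    Head *head = calloc(1, sizeof *head);
    if (!head) abort();
    append_child(head, "title");
    append_child(head, "meta");
    append_child(head, "meta");
    append_child(head, "link");
    return head;
}

void free_head(Head *head)
{
    Node *c = head->content;
    while (c) { Node *next = c->next; free(c); c = next; }
    free(head);
}

int main(void)
{
    Head *head = build_sample_head();
    int removed = remove_children_named(head, "meta");
    printf("removed %d, %d children left\n", removed, count_children(head));
    free_head(head);
    return 0;
}
```

The two loops differ only in where next is read: the hardened one reads it at the top of each iteration, so discarding currentNode in the body never affects how the loop advances. The same fix applies to any traversal whose body can unlink or free the node it is visiting.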
Version
5.7.0
2017.11.25
Backtrace:
#0 prvTidyTidyMetaCharset (doc=0x6d9010)
at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2235
#1 0x00000000004193ed in tidyDocCleanAndRepair (doc=0x6d9010)
at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:2077
#2 0x0000000000418381 in tidyCleanAndRepair (tdoc=0x6d9010)
at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/tidylib.c:1401
#3 0x000000000040e954 in main (argc=0x2, argv=0x7fffffffded8)
at /home/mayfeel/MyFuzzerTarget/tidy-html5/console/tidy.c:2420
#4 0x00007ffff7a2d830 in __libc_start_main (main=0x40d8a3 <main>, argc=0x2,
argv=0x7fffffffded8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdec8)
at ../csu/libc-start.c:291
#5 0x000000000040a759 in _start ()
GDB Information
Stopped reason: SIGSEGV
0x0000000000440564 in prvTidyTidyMetaCharset (doc=0x6d9010)
at /home/mayfeel/MyFuzzerTarget/tidy-html5/src/clean.c:2215
2215 for (currentNode = head->content; currentNode; currentNode = currentNode->next)
PoC
Contact me if you need the PoC file, at yinjiawei@iie.ac.cn or yangmeifang@iie.ac.cn.