
Heap buffer overflow in function TextPage::dump #29

Closed
grandnew opened this issue Sep 21, 2018 · 5 comments
Labels
bug Something isn't working

Comments

@grandnew

I used Clang 6.0 and AddressSanitizer to build pdfalto. This file can cause a heap buffer overflow in function TextPage::dump when executing this command:

./pdfalto heap-buffer-overflow_dump 1.xml

This is the ASAN information:

=================================================================
==1865==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200047ff5a at pc 0x00000049397b bp 0x7ffd280d7300 sp 0x7ffd280d6ab0
WRITE of size 13 at 0x60200047ff5a thread T0
    #0 0x49397a in vsprintf /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1572
    #1 0x493ad2 in __interceptor_sprintf /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1615
    #2 0x587186 in TextPage::dump(int, int) /home/fouzhe/my_fuzz/pdfalto/src/XmlAltoOutputDev.cc:5307:13
    #3 0x5a9de7 in XmlAltoOutputDev::endPage() /home/fouzhe/my_fuzz/pdfalto/src/XmlAltoOutputDev.cc:7216:19
    #4 0x9a06eb in Gfx::~Gfx() /home/fouzhe/my_fuzz/pdfalto/xpdf-4.00/xpdf/Gfx.cc:590:10
    #5 0x77cd47 in Page::displaySlice(OutputDev*, double, double, int, int, int, int, int, int, int, int, int (*)(void*), void*) /home/fouzhe/my_fuzz/pdfalto/xpdf-4.00/xpdf/Page.cc:406:3
    #6 0x77babc in Page::display(OutputDev*, double, double, int, int, int, int, int (*)(void*), void*) /home/fouzhe/my_fuzz/pdfalto/xpdf-4.00/xpdf/Page.cc:321:3
    #7 0x78268e in PDFDoc::displayPage(OutputDev*, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fouzhe/my_fuzz/pdfalto/xpdf-4.00/xpdf/PDFDoc.cc:386:27
    #8 0x78268e in PDFDoc::displayPages(OutputDev*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fouzhe/my_fuzz/pdfalto/xpdf-4.00/xpdf/PDFDoc.cc:399
    #9 0x526f9d in PDFDocXrce::displayPages(OutputDev*, _xmlNode*, int, int, double, double, int, int, int, int, int (*)(void*), void*) /home/fouzhe/my_fuzz/pdfalto/src/PDFDocXrce.cc:22:10
    #10 0x529565 in main /home/fouzhe/my_fuzz/pdfalto/src/pdfalto.cc:415:18
    #11 0x7f4ca2c9982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x41c678 in _start (/home/fouzhe/my_fuzz/pdfalto/pdfalto+0x41c678)

0x60200047ff5a is located 0 bytes to the right of 10-byte region [0x60200047ff50,0x60200047ff5a)
allocated by thread T0 here:
    #0 0x4e08a8 in __interceptor_malloc /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x5821d5 in TextPage::dump(int, int) /home/fouzhe/my_fuzz/pdfalto/src/XmlAltoOutputDev.cc:4706:20
    #2 0x5a9de7 in XmlAltoOutputDev::endPage() /home/fouzhe/my_fuzz/pdfalto/src/XmlAltoOutputDev.cc:7216:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fouzhe/llvm/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1572 in vsprintf
Shadow bytes around the buggy address:
  0x0c0480087f90: fa fa fd fa fa fa fd fd fa fa fd fa fa fa 05 fa
  0x0c0480087fa0: fa fa 06 fa fa fa 05 fa fa fa 07 fa fa fa 05 fa
  0x0c0480087fb0: fa fa 06 fa fa fa 06 fa fa fa 07 fa fa fa 07 fa
  0x0c0480087fc0: fa fa 07 fa fa fa 00 02 fa fa 06 fa fa fa 03 fa
  0x0c0480087fd0: fa fa 06 fa fa fa 00 fa fa fa 05 fa fa fa 07 fa
=>0x0c0480087fe0: fa fa 05 fa fa fa 00 fa fa fa 00[02]fa fa 07 fa
  0x0c0480087ff0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480088000: fa fa fd fd fa fa 04 fa fa fa 00 01 fa fa fd fd
  0x0c0480088010: fa fa fd fa fa fa fd fd fa fa 03 fa fa fa 00 fa
  0x0c0480088020: fa fa fd fd fa fa fd fa fa fa 00 00 fa fa 00 fa
  0x0c0480088030: fa fa fd fa fa fa 00 fa fa fa 02 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1865==ABORTING
@abergmann

CVE-2018-17338 was assigned to this issue.

@Aazhar
Collaborator

Aazhar commented Oct 9, 2018

Hello
Thanks for reporting the issue.
Could you describe the way the file heap-buffer-overflow_dump was produced?

@Aazhar
Collaborator

Aazhar commented Oct 10, 2018

Using the latest pdfalto, this issue can't be reproduced.

@Aazhar Aazhar added the bug Something isn't working label Oct 10, 2018
Aazhar pushed a commit that referenced this issue Oct 16, 2018
@kermitt2
Owner

kermitt2 commented Apr 7, 2021

From what I see, this has been fixed with 23d01be using snprintf.
Closing the issue!

@kermitt2 kermitt2 closed this as completed Apr 7, 2021
@kermitt2
Owner

kermitt2 commented Apr 7, 2021

Doing some archeology on the code, this was fixed using safer snprintf.
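The defect class and the fix discussed in this thread, as an added illustration that is not pdfalto's code and not the contents of commit 23d01be: the ASAN report shows a 10-byte heap region allocated in TextPage::dump and a 13-byte write into it from sprintf, which has no notion of the destination size. The format string, the buffer size and the sample values below are constructed for the example; the real sizing logic in TextPage::dump is not on the page. The bounded variant uses snprintf and checks its return value, since snprintf reports the length it wanted to write and silently truncates when the buffer is too small; the second helper sizes the buffer from that length instead of guessing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the 10-byte region seen in the ASAN trace. */
#define SMALL_BUF 10

/* Unsafe pattern reported in the issue (not executed here): sprintf writes as
   many bytes as the formatted text needs, regardless of how big dst is.
       char *dst = malloc(SMALL_BUF);
       sprintf(dst, "%d,%d", a, b);     // 13 bytes into a 10-byte region */

/* Bounded variant: snprintf never writes more than dst_len bytes (including the
   terminating NUL). Returns 0 on success, -1 if the text did not fit, so the
   caller can detect truncation instead of silently emitting a cut-off value.
   The "%d,%d" format is a hypothetical placeholder for the real output. */
int format_bounded(char *dst, size_t dst_len, int a, int b) {
    int needed = snprintf(dst, dst_len, "%d,%d", a, b);
    if (needed < 0 || (size_t)needed >= dst_len) {
        return -1;  /* encoding error, or output would need >= dst_len bytes */
    }
    return 0;
}

/* Alternative: ask snprintf for the required length first, then allocate
   exactly that (plus NUL). Caller frees the result; NULL on failure. */
char *format_alloc(int a, int b) {
    int needed = snprintf(NULL, 0, "%d,%d", a, b);
    if (needed < 0) return NULL;
    size_t len = (size_t)needed + 1;
    char *out = malloc(len);
    if (!out) return NULL;
    snprintf(out, len, "%d,%d", a, b);
    return out;
}

int main(void) {
    char buf[SMALL_BUF];
    /* Fits: "1,2" is 3 characters plus NUL. */
    printf("small: rc=%d buf=\"%s\"\n", format_bounded(buf, sizeof buf, 1, 2), buf);
    /* Does not fit: "123456,789012" is 13 characters, like the 13-byte write
       in the trace; the bounded call reports -1 instead of overflowing. */
    printf("large: rc=%d\n", format_bounded(buf, sizeof buf, 123456, 789012));
    char *dyn = format_alloc(123456, 789012);
    if (dyn) {
        printf("sized: \"%s\" (%zu chars)\n", dyn, strlen(dyn));
        free(dyn);
    }
    return 0;
}
```

Checking the return value is the part that is easy to forget: snprintf alone turns an out-of-bounds write into silent truncation, which for a format like ALTO means a malformed element rather than a crash, so the caller should either treat truncation as an error or use the length-then-allocate pattern.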

4 participants