Closed
Description
Hi, there is an integer overflow bug in the _parse_special_tag function, sxmlc.c.
Lines 1203 to 1219 in 02f69e6
It passes ((len - tag->len_start - tag->len_end + 1)*sizeof(SXML_CHAR)) as a parameter to the malloc function.
If (len - tag->len_start - tag->len_end) == -1, then (len - tag->len_start - tag->len_end + 1) == 0.
It is legal to pass 0 to the malloc function, and it will successfully return the address of a small heap chunk.
However, in line 1214, it passes (len - tag->len_start - tag->len_end) as a parameter to the strncpy function.
-1 will be coerced to an unsigned integer: 0xffffffffffffffff. It is a huge size and will make the program crash.
poc:
poc.zip
To reproduce:
$ wget https://github.com/kevinboone/epub2txt2/files/8482640/poc.zip
......
$ unzip poc.zip
Archive: poc.zip
inflating: poc
$ ls
epub2txt poc poc.zip
$ ./epub2txt --version
epub2txt version 2.04
Copyright (c)2013-2022 Kevin Boone and contributors
Distributed under the terms of the GNU Public Licence, v3.0
$ ./epub2txt poc
/tmp/epub2txt5552/OPS/epb.opf bad CRC cb87c959 (should be 0192f2f4)
Segmentation fault (core dumped)
epub2txt is built with:
git clone https://github.com/kevinboone/epub2txt2 && cd epub2txt2
make && sudo make install
Tested on: Ubuntu 20.04
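The size arithmetic described in the report, as an added example that is not the sxmlc or epub2txt code: a model of the reported pattern (signed subtraction, malloc of the result plus one, strncpy with the raw result) next to a hardened version that rejects an input whose opening and closing tokens overlap before any size reaches malloc or strncpy. The struct tag_desc, the function names and the sample inputs are assumptions chosen for illustration; SXML_CHAR is assumed to be a plain char, matching the sizeof in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef char SXML_CHAR;   /* assumption: a plain char, matching the sizeof in the report */

/* Hypothetical stand-in for the tag descriptor fields the report names. */
struct tag_desc {
    int len_start;   /* length of the opening token, e.g. 4 for "<!--" */
    int len_end;     /* length of the closing token, e.g. 3 for "-->"  */
};

/* The count strncpy would receive under the reported pattern: the subtraction
 * is done in int and the result is converted to size_t, so -1 becomes SIZE_MAX. */
size_t strncpy_count_as_seen(int len, const struct tag_desc *tag)
{
    int n = len - tag->len_start - tag->len_end;
    return (size_t)n;
}

/* Vulnerable pattern modelled on the report: malloc((n + 1) * sizeof(SXML_CHAR))
 * succeeds with size 0 when n == -1, and strncpy is then told to copy SIZE_MAX
 * bytes into that chunk.  Only safe to call when len >= len_start + len_end. */
SXML_CHAR *copy_body_unchecked(const SXML_CHAR *str, int len, const struct tag_desc *tag)
{
    int n = len - tag->len_start - tag->len_end;            /* may be negative */
    SXML_CHAR *body = malloc((n + 1) * sizeof(SXML_CHAR));  /* malloc(0) if n == -1 */
    if (body == NULL)
        return NULL;
    strncpy(body, str + tag->len_start, n);                 /* (size_t)n: huge when n < 0 */
    body[n] = '\0';
    return body;
}

/* Hardened version: validate the lengths first so the body length can never be
 * negative; the comparisons are arranged so they cannot overflow int either. */
SXML_CHAR *copy_body_checked(const SXML_CHAR *str, int len, const struct tag_desc *tag)
{
    if (len < 0 || tag->len_start < 0 || tag->len_end < 0)
        return NULL;
    if (tag->len_start > len || tag->len_end > len - tag->len_start)
        return NULL;                                        /* tokens overlap: no body */
    size_t n = (size_t)(len - tag->len_start - tag->len_end);
    SXML_CHAR *body = malloc((n + 1) * sizeof(SXML_CHAR));
    if (body == NULL)
        return NULL;
    memcpy(body, str + tag->len_start, n);
    body[n] = '\0';
    return body;
}

int main(void)
{
    const struct tag_desc comment = { 4, 3 };   /* "<!--" ... "-->" */
    const char *truncated = "<!--->";           /* constructed input: 6 bytes, tokens overlap */
    const char *normal    = "<!--a-->";         /* constructed input: 8 bytes, body "a" */

    printf("count strncpy would get for %s: %zu\n", truncated,
           strncpy_count_as_seen((int)strlen(truncated), &comment));

    SXML_CHAR *ok = copy_body_unchecked(normal, (int)strlen(normal), &comment);
    printf("unchecked copy of well-formed %s -> \"%s\"\n", normal, ok);
    free(ok);

    SXML_CHAR *checked = copy_body_checked(truncated, (int)strlen(truncated), &comment);
    printf("checked copy of %s -> %s\n", truncated, checked ? "copied" : "rejected");
    free(checked);
    return 0;
}
```

The unchecked function is never called on the overlapping input here, because doing so is exactly the crash the report describes; strncpy_count_as_seen shows the size it would be handed instead.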