memory allocation error #88

Closed
zhunki opened this Issue Jan 18, 2017 · 7 comments

@zhunki
Contributor

zhunki commented Jan 18, 2017

There is an extra large memory allocation error which can be detected by AddressSanitizer.

==31613== ERROR: AddressSanitizer failed to allocate 0x80003000 (-2147471360) bytes of LargeMmapAllocator: Cannot allocate memory
#0 0xb61a74b2 (/usr/lib/i386-linux-gnu/libasan.so.0+0x124b2)
#1 0xb61b00dc (/usr/lib/i386-linux-gnu/libasan.so.0+0x1b0dc)
#2 0xb61b3093 (/usr/lib/i386-linux-gnu/libasan.so.0+0x1e093)
#3 0xb619d2ed (/usr/lib/i386-linux-gnu/libasan.so.0+0x82ed)
#4 0xb61ab88b (/usr/lib/i386-linux-gnu/libasan.so.0+0x1688b)
#5 0x806b036 in plist_from_bin /home/b/asan/libplist/src/bplist.c:762
#6 0x804a1c4 in main /home/b/asan/libplist/tools/plistutil.c:139
#7 0xb5fe3a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#8 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)

The source code around here is:
bplist.used_indexes = (uint32_t*)malloc(sizeof(uint32_t) * num_objects);
num_objects equals a very large number.

poc.txt

@nikias

Member

nikias commented Jan 18, 2017

This is a good one, it bypasses this check for the size of the offset table:

if (offset_table + num_objects * offset_size >= plist_bin + length)

because offset_size is 0. I will add a check for the sanity of the offset_size.
If you want your real name to appear in the log messages, you can specify it here, with your GitHub email address, or submit a pull request.
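The bypass described above, as an added C example (not libplist's code and not the fix commit): the quoted size check rewritten on buffer offsets instead of pointers, next to a hardened version that validates offset_size before using it in the multiplication. The struct, function names and the sample trailer values are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Trailer fields relevant to the report (this example's own struct, not libplist's). */
typedef struct {
    uint8_t  offset_size;   /* width in bytes of each offset table entry */
    uint64_t num_objects;   /* number of objects, i.e. offset table entries */
    uint64_t table_offset;  /* position of the offset table inside the buffer */
} trailer_t;

/* The bounds check quoted in the issue, written on buffer offsets instead of
 * pointers. Returns 1 when the offset table is accepted. With offset_size == 0
 * the product is 0, so any num_objects passes and the following
 * malloc(sizeof(uint32_t) * num_objects) can be enormous. */
int original_check(const trailer_t *t, size_t length) {
    return !(t->table_offset + t->num_objects * t->offset_size >= length);
}

/* Hardened check (constructed here, not the project's fix commit):
 * 1. offset_size must be a plausible entry width (1..8 bytes);
 * 2. the table must start inside the buffer;
 * 3. num_objects is bounded by the bytes remaining after the table start,
 *    so neither the multiplication nor the later allocation can blow up. */
int hardened_check(const trailer_t *t, size_t length) {
    if (t->offset_size < 1 || t->offset_size > 8) return 0;
    if (t->table_offset >= length) return 0;
    uint64_t remaining = length - t->table_offset;
    if (t->num_objects > remaining / t->offset_size) return 0;
    return 1;
}

/* Constructed trailer modelled on the report: offset_size 0 and a num_objects
 * for which malloc(sizeof(uint32_t) * num_objects) asks for 0x80003000 bytes. */
static const trailer_t poc_trailer = { 0, 0x80003000ULL / sizeof(uint32_t), 32 };
static const size_t poc_length = 64;   /* a small input file, as in the PoC */

int poc_passes_original(void) { return original_check(&poc_trailer, poc_length); }
int poc_passes_hardened(void) { return hardened_check(&poc_trailer, poc_length); }

int main(void) {
    printf("original check accepts PoC trailer: %d\n", poc_passes_original());
    printf("hardened check accepts PoC trailer: %d\n", poc_passes_hardened());
    return 0;
}
```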

@zhunki

Contributor

zhunki commented Jan 18, 2017

Sure. My name is Wang Junjie.

@nikias

Member

nikias commented Jan 18, 2017

GitHub email address?

@zhunki

Contributor

zhunki commented Jan 19, 2017

@nikias

Member

nikias commented Jan 19, 2017

Should be fixed with commit 26061aa

@nikias nikias closed this Jan 19, 2017

@nikias

Member

nikias commented Feb 2, 2017

This was assigned CVE-2017-5835.
http://seclists.org/oss-sec/2017/q1/279

@epozuelo

epozuelo commented Feb 4, 2017

Any plans for a new release? 1.12 is from 2014 and there have been many security fixes since then.
