Skip to content

CVE-2018-11440: ASAn stack-based buffer overflow in compileTranslationTable.c parseChars #575

Closed
@fgeek

Description

@fgeek

5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb.zip
Tested version 3.5.0 and commit ed6b00a
Might be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1582024
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

./lou_checktable 5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:1: error: opcode '000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:3: error: opcode '0' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:5: error: invalid dot number '0'.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:6: error: opcode '0000000000000' not defined.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:7: error: Exactly two Unicode characters and at least one cell are required.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
5ce93fef85b68c5ecb4561bf1aedb52d1b1f368e.ctb:8: warning: invalid UTF-8. Assuming Latin-1.
=================================================================
==31674==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc64214142 at pc 0x7fa79f9917b9 bp 0x7ffc6420d470 sp 0x7ffc6420d468
WRITE of size 2 at 0x7ffc64214142 thread T0
    #0 0x7fa79f9917b8 in parseChars /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146
    #1 0x7fa79f994170 in getRuleCharsText /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1314
    #2 0x7fa79f9d2a45 in compileUplow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:2779
    #3 0x7fa79f9d2a45 in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4166
    #4 0x7fa79f9e88a2 in compileFile /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4501
    #5 0x7fa79f9e97c7 in compileTranslationTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4606
    #6 0x7fa79f9e97c7 in lou_getTable /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:4691
    #7 0x5593eb49cf13 in main /home/hsalo/src/liblouis-3.5.0/tools/lou_checktable.c:112
    #8 0x7fa79f6002e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #9 0x5593eb49d179 in _start (/home/hsalo/builds/liblouis/3.5.0/bin/lou_checktable+0x2179)

Address 0x7ffc64214142 is located in stack of thread T0 at offset 23298 in frame
    #0 0x7fa79f9caaff in compileRule /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:3138

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis'
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars' <== Memory access at offset 23298 overflows this variable
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis-3.5.0/liblouis/compileTranslationTable.c:1146 in parseChars
Shadow bytes around the buggy address:
  0x10000c83a7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000c83a820: 00 00 00 00 00 00 00 00[02]f4 f4 f4 f2 f2 f2 f2
  0x10000c83a830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c83a870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31674==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugBug in the code (not in a table)

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions