ASAn stack-based buffer overflow in compileTranslationTable.c line 1157 in parseChars

[fgeek]

14d235cfe68b9d1ed541da77a891465941afeb1c.ctb.zip
Tested commit: b381efd
Credit: Henri Salo
Tools: american fuzzy lop 2.52b, afl-utils
Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

./lou_checktable 14d235cfe68b9d1ed541da77a891465941afeb1c.ctb
<snip>
================================================================
==20178==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcbb036f2 at pc 0x7fd352949811 bp 0x7ffdcbafaa30 sp 0x7ffdcbafaa28
WRITE of size 2 at 0x7ffdcbb036f2 thread T0
    #0 0x7fd352949810 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157
    #1 0x7fd35299b069 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3195
    #2 0x7fd3529a14ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7fd3529a2707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7fd3529a2707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x55df04479f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7fd3525b82e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x55df0447a199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7ffdcbb036f2 is located in stack of thread T0 at offset 35778 in frame
    #0 0x7fd352982b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis'
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots' <== Memory access at offset 35778 overflows this variable
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157 in parseChars
Shadow bytes around the buggy address:
  0x100039758680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000397586c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000397586d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]f4
  0x1000397586e0: f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x1000397586f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039758720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20178==ABORTING

[fgeek]

I can reproduce this issue (with bit different backtrace) using lou_translate binary. Not sure if this helps, but file and backtrace attached.
0714bc6a34727bab0cf86766c2c9919ca05ae5d7.zip

=================================================================
==3012==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff0ff5442 at pc 0x7f865289b811 bp 0x7ffff0ff3360 sp 0x7ffff0ff3358
WRITE of size 2 at 0x7ffff0ff5442 thread T0
    #0 0x7f865289b810 in parseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157
    #1 0x7f86528d16ec in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1176
    #2 0x562b5b326f19 in translate_input /home/hsalo/src/liblouis/tools/lou_translate.c:73
    #3 0x562b5b32655d in main /home/hsalo/src/liblouis/tools/lou_translate.c:201
    #4 0x7f865250a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x562b5b3267d9 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_translate+0x27d9)

Address 0x7ffff0ff5442 is located in stack of thread T0 at offset 8290 in frame
    #0 0x7f86528d123f in _lou_extParseChars /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1168

  This frame has 2 object(s):
    [32, 4130) 'wideIn'
    [4192, 8290) 'result' <== Memory access at offset 8290 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:1157 in parseChars
Shadow bytes around the buggy address:
  0x10007e1f6a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e1f6a80: 00 00 00 00 00 00 00 00[02]f4 f4 f4 f3 f3 f3 f3
  0x10007e1f6a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e1f6ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3012==ABORTING

[egli]

I believe that both problems are fixed now.

[abergmann]

CVE-2018-11683 was assigned to this issue.