Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack-based buffer overflow in the hd_strlcpy() function #370

Closed
fcambus opened this issue Dec 6, 2019 · 4 comments
Closed

Stack-based buffer overflow in the hd_strlcpy() function #370

fcambus opened this issue Dec 6, 2019 · 4 comments
Assignees
Milestone

Comments

@fcambus
Copy link

@fcambus fcambus commented Dec 6, 2019

Hi,

While fuzzing htmldoc with Honggfuzz, I found a stack-based buffer overflow in the hd_strlcpy() function, in string.c.

Attaching a reproducer (gzipped so GitHub accepts it): test01.html.gz

Issue can be reproduced by running:

htmldoc test01.html -f test01.ps
=================================================================
==27915==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffefa66f0df at pc 0x000000494c40 bp 0x7ffefa66f070 sp 0x7ffefa66e838
WRITE of size 3 at 0x7ffefa66f0df thread T0
    #0 0x494c3f in __asan_memcpy (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f)
    #1 0x556aa5 in hd_strlcpy /home/fcambus/htmldoc-1.9.7/htmldoc/string.c:191:3
    #2 0x509ee3 in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3765:5
    #3 0x4f3cfb in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3853:13
    #4 0x4f3f6c in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx
    #5 0x4e4fce in pspdf_export /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:860:5
    #6 0x4d17bb in main /home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc.cxx:1276:3
    #7 0x7f68626141e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #8 0x41d84d in _start (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x41d84d)

Address 0x7ffefa66f0df is located in stack of thread T0 at offset 63 in frame
    #0 0x5084be in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3563

  This frame has 2 object(s):
    [32, 44) 'rgb' (line 3564)
    [64, 1088) 'number' (line 3570) <== Memory access at offset 63 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10005f4c5dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005f4c5e10: 00 00 00 00 f1 f1 f1 f1 00 04 f2[f2]00 00 00 00
  0x10005f4c5e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005f4c5e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27915==ABORTING
@carnil

This comment has been minimized.

Copy link

@carnil carnil commented Dec 8, 2019

This issue got assigned CVE-2019-19630 according to the MITRE information.

@michaelrsweet

This comment has been minimized.

Copy link
Owner

@michaelrsweet michaelrsweet commented Dec 8, 2019

Unable to reproduce on macOS with address sanitizer enabled. Trying Ubuntu...

@michaelrsweet

This comment has been minimized.

Copy link
Owner

@michaelrsweet michaelrsweet commented Dec 8, 2019

Does show up on Ubuntu 18.04, so might be a GCC bug...

@michaelrsweet

This comment has been minimized.

Copy link
Owner

@michaelrsweet michaelrsweet commented Dec 8, 2019

It is a one-byte underflow caused by a floating point math difference between GCC and Clang...

Adding a guard prevents the buffer underflow, although there could still be a formatting issue thanks to the math difference...

[master 8a129c5] Fix a buffer underflow issue with GCC on Linux (Issue #360)

@michaelrsweet michaelrsweet added this to the Stable milestone Dec 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.