htmldoc Version v1.9.11 git [master 0f9d20]
tested on:
OS: Ubuntu 20.04.1 LTS
kernel: 5.4.0-53-generic
compiler: clang version 10.0.0-4ubuntu1
Target: x86_64-pc-linux-gnu
OS: macOS Catalina 10.15.5 (19F101) MacBook Pro (Retina, 13-inch, Early 2015)
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)
Installs from snap or the downloaded mac dmg don't crash for this testcase.
AddressSanitizer output:
==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
==3252595==The signal is caused by a READ memory access.
==3252595==Hint: address points to the zero page.
#0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
#1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
#2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
#3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
#4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
#5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
#6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
==3252595==ABORTING
While fuzzing htmldoc I found a segmentation fault in the copy_image() function, in epub.cxx:1221.
testcase: (zipped so GitHub accepts it)
crash01.html.zip
reproduced by running:
The bug is located in epub.cxx:1221, compare_images. The arguments of compare_images are not checked, so strcmp() leads to a segfault due to a null pointer.
Reporter: chiba of topsec alphalab
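The root cause described in the report is a bsearch() comparator that hands its two entries straight to strcmp(), so an entry (or lookup key) whose filename pointer is NULL is dereferenced at address 0, which is the "SEGV on unknown address 0x000000000000 ... in strcmp" shape seen in the AddressSanitizer output above. The following is an added illustration, not htmldoc's own code: the image_t struct, the sample table and both comparator functions are hypothetical stand-ins for the idea of an exporter keeping a sorted image list. It places the crashing comparator beside a hardened one that treats NULL as a distinct value sorting before every real string, and wraps the lookup so a NULL key can never reach bsearch().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image table entry (constructed for this example; not
   htmldoc's struct). filename may be NULL, e.g. for an <img> with no src. */
typedef struct {
    const char *filename;
    size_t      bytes;
} image_t;

/* Unsafe comparator: both pointers go straight to strcmp(), so a NULL
   filename in either operand is dereferenced inside strcmp(). This is
   the pattern that produces a SEGV on the zero page in strcmp via
   bsearch. Shown for contrast only; it is never called on a NULL here. */
int compare_images_unsafe(const void *a, const void *b) {
    return strcmp(((const image_t *)a)->filename,
                  ((const image_t *)b)->filename);
}

/* Hardened comparator: NULL sorts before every real string and equal to
   itself, so bsearch() and qsort() never pass strcmp() a null pointer.
   (fa != NULL) - (fb != NULL) is -1, 0 or 1 with NULL ordered first. */
int compare_images_safe(const void *a, const void *b) {
    const char *fa = ((const image_t *)a)->filename;
    const char *fb = ((const image_t *)b)->filename;
    if (fa == NULL || fb == NULL)
        return (fa != NULL) - (fb != NULL);
    return strcmp(fa, fb);
}

/* Look an image up by name. A NULL name is rejected before bsearch()
   runs; a name that is absent yields NULL rather than a crash. */
const image_t *find_image(const image_t *table, size_t count, const char *name) {
    if (name == NULL || table == NULL)
        return NULL;
    image_t key = { name, 0 };
    return bsearch(&key, table, count, sizeof *table, compare_images_safe);
}

/* Constructed sample table, already in the order compare_images_safe
   defines: the NULL-named entry first, then the real names ascending. */
const image_t sample_images[] = {
    { NULL,    0 },
    { "a.png", 10 },
    { "b.png", 20 },
    { "c.png", 30 },
};
const size_t sample_image_count = sizeof sample_images / sizeof sample_images[0];

int main(void) {
    const char *queries[] = { "b.png", "zzz.png", NULL };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        const image_t *hit = find_image(sample_images, sample_image_count, queries[i]);
        printf("lookup %-8s -> %s\n",
               queries[i] ? queries[i] : "(null)",
               hit ? "found" : "not found");
    }
    /* Re-sorting with the hardened comparator is also safe with NULLs. */
    image_t copy[4];
    memcpy(copy, sample_images, sizeof copy);
    qsort(copy, sample_image_count, sizeof copy[0], compare_images_safe);
    printf("first entry after qsort has %s filename\n",
           copy[0].filename ? "a" : "NULL");
    return 0;
}
```

The defensive point is that the comparator is the wrong place to rely on callers: bsearch() will invoke it with whatever entries the table holds, so the guard belongs inside the comparator (and on the key before the search), not at one particular call site.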