Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL Pointer Dereference (SIGSEGV) #510

Closed
chameleon10712 opened this issue Sep 12, 2023 · 1 comment
Closed

NULL Pointer Dereference (SIGSEGV) #510

chameleon10712 opened this issue Sep 12, 2023 · 1 comment
Assignees
@michaelrsweet
Labels
bug Something isn't working priority-low
Milestone
Stable

Comments

@chameleon10712
Copy link

chameleon10712 commented Sep 12, 2023
edited

Description

Null pointer dereference in htmldoc

Proof of Concept

echo -ne "PEhUTUw+CjxIRUFEPgoJPFRJVExFPkF0dHJpYnV0ZXMgVGVzdHM8L1RJVExFPgo8L0hFQUQ+CjxCT0RZPgoKPEgxPkF0dHJpYnV0ZXMgVGVzdHM8L0gxPgoKPFA+PFNNQUxMPlNtYWxsPC9TTUFMTD4gTm9ybWFsIDxCSUc+QmlnPC9CSUc+CjxQPjxCPkJvbGQ8L0I+CjxQPjxJPkl0YWxpYzwvST4KPFA+PEI+PEk+Qm9sZC1JdGFsaWM8L0k+PC9CPgo8UD48VT5VbmRlcmxpbmU8L1U+CjxQPjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPgo8SDE+PFNUUklLRT5TdHJpa2V0aHJvdWdoPC9TVFJJS0U+PC9IMT4KPEgyPjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPjwvSDI+CjxIMz48U1RSSUtFPlN0cmlrZXRocm91Z2g8L1NUUklLRT48L0gzPgo8SDQ+PFNUUklLRT5TdHJpa2V0aHJvdWdoPC9TVFJJS0U+PC9IND4KPEg1PjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPjwvSDU+CjxINj48U1RSSUtFPlN0cmlrZXRocm91Z2g8L1NUUklLRT48L0g2PgoKPEgxPlNVQi9TVVAgVGVzdDwvSDE+Cgo8UD5Ob3JtYWw8U1VQPlN1cGVyc2NyaXB0PC9TVVA+CjxQPk5vcm1hbDxTVUI+U3Vic2NyaXB0PC9TVUI+Cgo8SDE+Tm9uLUJyZWFraW5nIFNwYWNlIFRlc3Q8L0gxPgoKPFA+VGhlIGludmVzdG1lbnQgb2JqZWN0aXZlcyB3aGljaCBiZXN0IGRlc2NyaWJlIHRoaXMKcG9ydGZvbGlvOiZuYnNwOyZuYnNwOzx1Pk1heGltdW0gR3Jvd3RoPC91PjogbWF4aW11bSBjYXBpdGFsCmFwcHJlY2lhdGlvbiB3aXRoIGhpZ2hlciByaXNrL3ZvbGF0aWxpdHkgYW5kIG5vIGluY29tZS4KCjwvQk9EWT4KPC9IVE1MPgo=" | base64 -d > poc

normal build

$ /home/oceane/fuzz_test/htmldoc/build_norm/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book  --format html  --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
fish: “/home/oceane/fuzz_test/htmldoc/…” terminated by signal SIGSEGV (Address boundary error)

build with ASAN

$ /home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book  --format html  --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2118150==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000404 (pc 0x5557dcbbcf60 bp 0x7ffd3d4117e0 sp 0x7ffd3d411770 T0)
==2118150==The signal is caused by a READ memory access.
==2118150==Hint: address points to the zero page.
    #0 0x5557dcbbcf5f  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
    #1 0x5557dcb62d36  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x48d36)
    #2 0x7fc8b2037082 in __libc_start_main ../csu/libc-start.c:308
    #3 0x5557dcb6c8ad  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x528ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
==2118150==ABORTING

git commit a4b0dfe5c
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.6 LTS
Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz

Affected Version

  • git commit a4b0dfe
  • v1.9.16
  • v1.9.15

Impact

  • Denial of Service
  • NULL Pointer Dereference
michaelrsweet added a commit that referenced this issue Sep 13, 2023
@michaelrsweet
Fix a crash bug with a bad title image (Issue #510)
07c63af
@michaelrsweet michaelrsweet self-assigned this Sep 13, 2023
@michaelrsweet michaelrsweet added bug Something isn't working priority-low labels Sep 13, 2023
@michaelrsweet michaelrsweet added this to the Stable milestone Sep 13, 2023
@michaelrsweet
Copy link
Owner

[master 07c63af] Fix a crash bug with a bad title image (Issue #510)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelrsweet michaelrsweet

Labels
bug Something isn't working priority-low
Projects
None yet
Milestone
Stable
Development

No branches or pull requests
2 participants
@michaelrsweet @chameleon10712