Hello @nereusx

I hope all is well on your end!

After pulling the most recent version of md2roff (Version 1.9 at the time of writing), I ran my fuzz tests again and discovered a buffer overflow in the `void md2roff` function inside md2roff.c:

md2roff/md2roff.c, line 655 at commit 9241b8c

This is similar to #4, just in a different place. I believe the same patch you used for #4 could also be applied here. I've attached a file for replicating the issue.

## Replication

1. Run the file with the buffer overrun and verify the stack was smashed:
2. Calculate the return address overwrite location:
3. Use some technique such as ret2libc to escalate privileges if md2roff is compiled with elevated privileges.

Attachment: fuzz.zip