albin@KNYTT:openscad$ ./openscad.bin --export-format stl -o /dev/null pocs_manual/oobr_comment.scad
Could not initialize localization.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==12619==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x00000d384000 (pc 0x00000064254d bp 0x7ffe70e82d60 sp 0x7ffe70e82bf0 T12619)
==12619==The signal is caused by a READ memory access.
#0 0x64254c in getComment(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/albin/fuzz/openscad/openscad/src/comment.cc:95:9
#1 0x6401b9 in CommentParser::collectParameters(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, SourceFile*) /home/albin/fuzz/openscad/openscad/src/comment.cc:284:25
#2 0x464526 in cmdline(CommandLine const&) /home/albin/fuzz/openscad/openscad/src/openscad.cc:411:2
#3 0x479f04 in main /home/albin/fuzz/openscad/openscad/src/openscad.cc:1230:12
#4 0x7f39dec7e0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x4390cd in _start (/home/albin/fuzz/openscad/openscad/build/openscad+0x4390cd)
UndefinedBehaviorSanitizer can not provide additional info.
==12619==ABORTING
Cause
The seek through the fulltext string at comment.cc:95 only searches for \n, but ignores the potential end of the text. As a result, a file which ends without a \n character will cause this loop to read out of bounds.
Impact
It appears that the out-of-bounds data can only be read, and not written. An out-of-bounds read does not expose a security vulnerability on its own, but can be used to bypass automatic security features such as stack canaries and pointer encryption.
Proposed mitigation
Also check against fulltext.size() in the loop, to ensure that end does not exceed the length of the file.
The text was updated successfully, but these errors were encountered:
Summary
A .scad file with no trailing newline may cause an out-of-bounds read during parsing of annotations.
Vulnerable versions
Steps to reproduce
openscad --export-format stl -o /dev/null oobr_comment.scadCause
The seek through the
fulltextstring at comment.cc:95 only searches for\n, but ignores the potential end of the text. As a result, a file which ends without a\ncharacter will cause this loop to read out of bounds.Impact
It appears that the out-of-bounds data can only be read, and not written. An out-of-bounds read does not expose a security vulnerability on its own, but can be used to bypass automatic security features such as stack canaries and pointer encryption.
Proposed mitigation
Also check against
fulltext.size()in the loop, to ensure thatenddoes not exceed the length of the file.The text was updated successfully, but these errors were encountered: