Segfault when --field-separator-char=c

[loverszhaokai]

This bug is found by fuzzing the options of John
#1. Prepare

1.1 content of 7z_fmt

$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a31646ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f9184adafd6b5333fb1

1.2 compile

$ ./configure && make -sj8
#2. Reproduce
#2.1 Run

$ ./john 7z_fmt --field-separator-char=c

using field sep char 'c' (0x63)
Error, invalid test line (wrong generic type): Test=$dynamic_1001$57200e13b490d4ae47d5e19be026b057:test1
Error parsing section [List.Generic:dynamic_1001]
Error in line 63 file is ../dynamic.conf
Error, invalid test line (wrong generic type): Test=$dynamic_1001$c6cc44f9e7fb7efcde62ba2e627a49c6:thatsworking
Error parsing section [List.Generic:dynamic_1001]
Error in line 64 file is ../dynamic.conf
Error, invalid test line (wrong generic type): Test=$dynamic_1001$0ae9549604e539a249c1fa9f5e5fb73b:test3
Error parsing section [List.Generic:dynamic_1001]
Error in line 65 file is ../dynamic.conf
Error, invalid test line (wrong generic type): TestM=$dynamic_1001$94c59ab02fcd39f3ff9a4e553a4afcb6:1234567890123456789012345678901234567890123456789012345
Error parsing section [List.Generic:dynamic_1001]
Error in line 68 file is ../dynamic.conf
Segmentation fault (core dumped)
#2.2 GDB debug
#0 LoadOneFormat (idx=, pFmt=0x275d420) at dynamic_fmt.c:7470

7470 cp[1] = 0;
(gdb) bt
#0 LoadOneFormat (idx=, pFmt=0x275d420) at dynamic_fmt.c:7470
#1 0x000000000045df4e in dynamic_Register_formats (ptr=0x7ffe9234bc08) at dynamic_fmt.c:7560
#2 0x00000000005ea3a9 in john_register_all () at john.c:273
#3 0x00000000005ec738 in john_init (name=0x7ffe9234dc8f "john", argc=3, argv=0x7ffe9234bd68) at john.c:1237
#4 0x00000000005ed4df in main (argc=3, argv=0x7ffe9234bd68) at john.c:1674
#3. Debug
#3.1 Patch src/dynamic_fmt.c

static int LoadOneFormat(int idx, struct fmt_main *pFmt)
 {
        extern struct options_main options;
-       char label[16], label_id[16], *cp;
+       char label[16] = { 0 }, label_id[16] = { 0 }, *cp = NULL;
        memcpy(pFmt, &fmt_Dynamic, sizeof(struct fmt_main));
        dynamic_RESET(pFmt);

@@ -7467,10 +7467,10 @@ static int LoadOneFormat(int idx, struct fmt_main *pFmt)
        /* number.  So we simply grab the label from the test cyphertext string */
        strncpy(label, pFmt->params.tests[0].ciphertext, 15);
        cp = strchr(&label[1], '$');
-       cp[1] = 0;
+       if (NULL != cp) cp[1] = 0;
        strcpy(label_id, &label[1]);
        cp = strchr(label_id, '$');
-       *cp = 0;
+       if (NULL != cp) *cp = 0;

#3.2 Run again

There are a lot of Error messages. Is this OK?

using field sep char 'c' (0x63)
Error, invalid test line (wrong generic type): Test=$dynamic_1001$57200e13b490d4ae47d5e19be026b057:test1
Error parsing section [List.Generic:dynamic_1001]
Error in line 63 file is ../dynamic.conf
Error, invalid test line (wrong generic type): Test=$dynamic_1001$c6cc44f9e7fb7efcde62ba2e627a49c6:thatsworking
Error parsing section [List.Generic:dynamic_1001]
Error in line 64 file is ../dynamic.conf
Error, invalid test line (wrong generic type): Test=$dynamic_1001$0ae9549604e539a249c1fa9f5e5fb73b:test3
Error parsing section [List.Generic:dynamic_1001]
Error in line 65 file is ../dynamic.conf
Error, invalid test line (wrong generic type): TestM=$dynamic_1001$94c59ab02fcd39f3ff9a4e553a4afcb6:1234567890123456789012345678901234567890123456789012345
Error parsing section [List.Generic:dynamic_1001]
.......
.......
.......
.......

[magnumripper]

There are a lot of Error messages. Is this OK?

I think it is. If you say field separator is the letter 'c', you are really asking for it :-)

Normal use of --field-separator is setting it to TAB or some other very uncommon character.

[loverszhaokai]

@magnumripper Thanks, I will fix this bug! I just found another bug! It's very exciting! :-)

[magnumripper]

👍