Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[crash] When using -T and provide a lot of '#', a heap-buffer-overflow is occured #277

Closed
Ruanxingzhi opened this issue Dec 11, 2023 · 2 comments
Closed

[crash] When using -T and provide a lot of '#', a heap-buffer-overflow is occured #277

Ruanxingzhi opened this issue Dec 11, 2023 · 2 comments

Comments

@Ruanxingzhi
Copy link

When using -T and provide a lot of '#', a heap-buffer-overflow is occured.

This bug affects versions 3.0.0a only.

Reproduce

Run:

./markdown -T -s '#######################################################################################################################################################################################################################################################################################################################################################################################################'

Result:

root@worklab ~/f/d/src (main)# ./markdown -T -s '#########################################################################################################
##########################################################################################################################################################
####################################################################################################################################'
=================================================================
==17576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000046d at pc 0x5607fa139cd9 bp 0x7ffc3e4567f0 sp 0x7ffc3e455fb0
WRITE of size 386 at 0x61200000046d thread T0
    #0 0x5607fa139cd8 in strcpy (/root/fuzz/discount/src/markdown+0xaccd8) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
    #1 0x5607fa1c0b6e in uniquename /root/fuzz/discount/src/toc.c:163:5
    #2 0x5607fa1c04a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:192:23
    #3 0x5607fa1c03a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:190:6
    #4 0x5607fa199c34 in compile_document /root/fuzz/discount/src/markdown.c:1287:2
    #5 0x5607fa198c5a in mkd3_compile /root/fuzz/discount/src/markdown.c:1494:17
    #6 0x5607fa18d84d in main /root/fuzz/discount/src/main.c:369:6
    #7 0x7f6cc94c76c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7f6cc94c7784 in __libc_start_main csu/../csu/libc-start.c:360:3
    #9 0x5607fa0b53f0 in _start (/root/fuzz/discount/src/markdown+0x283f0) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)

0x61200000046d is located 0 bytes after 301-byte region [0x612000000340,0x61200000046d)
allocated by thread T0 here:
    #0 0x5607fa150042 in __interceptor_malloc (/root/fuzz/discount/src/markdown+0xc3042) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
    #1 0x5607fa1c0abc in uniquename /root/fuzz/discount/src/toc.c:162:5
    #2 0x5607fa1c04a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:192:23
    #3 0x5607fa1c03a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:190:6
    #4 0x5607fa199c34 in compile_document /root/fuzz/discount/src/markdown.c:1287:2
    #5 0x5607fa198c5a in mkd3_compile /root/fuzz/discount/src/markdown.c:1494:17
    #6 0x5607fa18d84d in main /root/fuzz/discount/src/main.c:369:6
    #7 0x7f6cc94c76c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/fuzz/discount/src/markdown+0xaccd8) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9) in strcpy
Shadow bytes around the buggy address:
  0x612000000180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x612000000200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x612000000280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x612000000300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x612000000380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x612000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa
  0x612000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x612000000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x612000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x612000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x612000000680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17576==ABORTING

Reason

In function uniquename(), the label buffer overflows when calling strcpy().

image

Possible fix

Malloc sufficient memory for label.
@Orc
Copy link
Owner

Orc commented Dec 12, 2023

That's a good catch, thank you. You found both a bug and a place where I diverged from the (gruber) standard. A patch has been made and mirrored to github if you want to verify it here.

@Ruanxingzhi
Copy link
Author

Verified. Thank you for the fix!

@Ruanxingzhi Ruanxingzhi mentioned this issue Dec 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Orc @Ruanxingzhi