You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
root@worklab ~/f/d/src (main)# ./markdown -T -s '#########################################################################################################
##########################################################################################################################################################
####################################################################################################################################'
=================================================================
==17576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000046d at pc 0x5607fa139cd9 bp 0x7ffc3e4567f0 sp 0x7ffc3e455fb0
WRITE of size 386 at 0x61200000046d thread T0
#0 0x5607fa139cd8 in strcpy (/root/fuzz/discount/src/markdown+0xaccd8) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
#1 0x5607fa1c0b6e in uniquename /root/fuzz/discount/src/toc.c:163:5
#2 0x5607fa1c04a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:192:23
#3 0x5607fa1c03a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:190:6
#4 0x5607fa199c34 in compile_document /root/fuzz/discount/src/markdown.c:1287:2
#5 0x5607fa198c5a in mkd3_compile /root/fuzz/discount/src/markdown.c:1494:17
#6 0x5607fa18d84d in main /root/fuzz/discount/src/main.c:369:6
#7 0x7f6cc94c76c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7f6cc94c7784 in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x5607fa0b53f0 in _start (/root/fuzz/discount/src/markdown+0x283f0) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
0x61200000046d is located 0 bytes after 301-byte region [0x612000000340,0x61200000046d)
allocated by thread T0 here:
#0 0x5607fa150042 in __interceptor_malloc (/root/fuzz/discount/src/markdown+0xc3042) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
#1 0x5607fa1c0abc in uniquename /root/fuzz/discount/src/toc.c:162:5
#2 0x5607fa1c04a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:192:23
#3 0x5607fa1c03a6 in ___mkd_uniquify /root/fuzz/discount/src/toc.c:190:6
#4 0x5607fa199c34 in compile_document /root/fuzz/discount/src/markdown.c:1287:2
#5 0x5607fa198c5a in mkd3_compile /root/fuzz/discount/src/markdown.c:1494:17
#6 0x5607fa18d84d in main /root/fuzz/discount/src/main.c:369:6
#7 0x7f6cc94c76c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/fuzz/discount/src/markdown+0xaccd8) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9) in strcpy
Shadow bytes around the buggy address:
0x612000000180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x612000000200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x612000000280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x612000000300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x612000000380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x612000000400: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa
0x612000000480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x612000000500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x612000000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x612000000600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x612000000680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17576==ABORTING
Reason
In function uniquename(), the label buffer overflows when calling strcpy().
Possible fix
Malloc sufficient memory for label.
The text was updated successfully, but these errors were encountered:
That's a good catch, thank you. You found both a bug and a place where I diverged from the (gruber) standard. A patch has been made and mirrored to github if you want to verify it here.
When using -T and provide a lot of '#', a heap-buffer-overflow is occured.
This bug affects versions 3.0.0a only.
Reproduce
Run:
Result:
Reason
In function
uniquename()
, thelabel
buffer overflows when callingstrcpy()
.Possible fix
Malloc sufficient memory for
label
.The text was updated successfully, but these errors were encountered: