heap-buffer-overflow in shiftAnchorPosition #200
Comments
this heap-buffer-overflow (wild pointer) is also in shiftAnchorPosition, probably related?
On Wed, Oct 13, 2021 at 08:28:56PM -0700, Kuang-che Wu wrote:
input (`xxd cases/tats-w3m-200`)
```
00000000: 3c74 6162 6c65 3e30 3c62 7220 3c3e 303c <table>0<br <>0<
00000010: 786d 703e c8ab 3c64 6976 3e3c 696e 7465 xmp>..<div><inte
00000020: 526e 616c 3e3c 696e 7075 745f 616c 7420 Rnal><input_alt
00000030: 6669 643d 303e 3c64 6c3e 303c 646c 3e30 fid=0><dl>0<dl>0
00000040: 3c62 7574 746f 6e20 7661 6c75 653d 2722 <button value='"
00000050: 3e30 3030 3030 3030 3030 3030 3030 3030 >000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000070: 3030 3030 3030 3030 30ff 3030 3027 3e3c 000000000.000'><
00000080: 4120 6873 6571 3d2d 3930 2068 7265 663d A hseq=-90 href=
00000090: 3e30 3c68 5220 616c 6967 6e3d 6d69 6464 >0<hR align=midd
000000a0: 6c65 3e le>
```
[...]
```
=================================================================
==91135==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000007ec at pc 0x0000006b8747 bp 0x7ffc85f91ca0 sp 0x7ffc85f91c98
READ of size 4 at 0x6130000007ec thread T0
    #0 0x6b8746 in shiftAnchorPosition /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/anchor.c:555:38
    #1 0x611e91 in formUpdateBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/form.c:502:3
    #2 0x6130d5 in formResetBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/form.c:271:2
    #3 0x5302d9 in loadHTMLBuffer /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6928:2
    #4 0x533654 in loadSomething /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:229:16
    #5 0x524fb6 in loadGeneralFile /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/file.c:2286:6
    #6 0x4cf6d6 in main /btrfs2/z840-home-kcwu/fuzz/fuzzing-w3m/targets/w3m-tats/main.c:1048:12
    #7 0x7f0d02f94d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #8 0x420a89 in _start (/w3m-tats.asan+0x420a89)
```
This is misleading. This is not a use-after-free but an out-of-bounds read.

The 'hseq=-90' from the input ends up as the value (89 actually) of 'a->hseq' in 'anchor.c:555'. Then 'hl->marks[a->hseq]' is out of bounds, as there are only 30 entries in this list.

Changing the input to something like 'hseq=-20' does not give any errors.
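The comment above pins the bug down to an attacker-controlled sequence number being used as an array index without a range check. The following C program is an added example, not w3m's code, showing the defensive form of that lookup: the `hseq=` value is parsed with full `strtol` error checking and then rejected unless it lies in `[0, nmark)`. The `MarkerList`/`Mark` structs, the parser, the 30-entry fixture and the sample tags are hypothetical; the page does not show how w3m turns `-90` into 89, so the example simply treats whatever value is parsed as the candidate index.

```c
/* Added example (not from w3m): bounds-checked marker lookup for an
 * index that originates in untrusted HTML. Struct layout, parser and
 * sample input are hypothetical and constructed for this demonstration. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NMARKS 30          /* same size as the "only 30 entries" in the report */

typedef struct {
    int line;
    int pos;
} Mark;

typedef struct {
    Mark marks[NMARKS];
    int nmark;             /* number of valid entries in marks[] */
} MarkerList;

/* Parse the numeric value of an `hseq=` attribute out of a tag.
 * Returns 1 and stores the value on success, 0 if absent or malformed.
 * strtol is checked for "no digits" and ERANGE, so "hseq=-90" yields -90
 * while "hseq=abc" or an absurdly long number is rejected, not truncated. */
int parse_hseq(const char *tag, long *out)
{
    const char *p = strstr(tag, "hseq=");
    if (p == NULL)
        return 0;
    p += strlen("hseq=");
    char *end = NULL;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE)
        return 0;
    *out = v;
    return 1;
}

/* Bounds-checked lookup: NULL for any index outside [0, nmark).
 * A negative hseq fails the first test; 89 against a 30-entry list fails
 * the second. The unchecked `hl->marks[hseq]` is the read ASan flagged. */
const Mark *lookup_mark(const MarkerList *hl, long hseq)
{
    if (hseq < 0 || hseq >= hl->nmark)
        return NULL;
    return &hl->marks[hseq];
}

/* Constructed fixture: a list with all 30 slots populated. */
MarkerList make_full_list(void)
{
    MarkerList hl;
    memset(&hl, 0, sizeof hl);
    hl.nmark = NMARKS;
    for (int i = 0; i < NMARKS; i++) {
        hl.marks[i].line = i;
        hl.marks[i].pos = i * 2;
    }
    return hl;
}

/* Parsed hseq of a tag, or LONG_MIN when the attribute is missing/invalid. */
long hseq_value(const char *tag)
{
    long v;
    return parse_hseq(tag, &v) ? v : LONG_MIN;
}

/* 1 if the raw index is a valid slot in the full fixture list, else 0. */
int mark_in_range(long hseq)
{
    MarkerList hl = make_full_list();
    return lookup_mark(&hl, hseq) != NULL;
}

/* 1 if the tag's hseq attribute names an existing mark, else 0. */
int tag_names_valid_mark(const char *tag)
{
    long v = hseq_value(tag);
    return v != LONG_MIN && mark_in_range(v);
}

int main(void)
{
    /* Constructed sample tags; the first is the attribute from the report. */
    const char *tags[] = { "<A hseq=-90 href=>", "<A hseq=89 href=>", "<A hseq=20 href=>" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        printf("%-20s -> %s\n", tags[i],
               tag_names_valid_mark(tags[i]) ? "in range" : "rejected");
    return 0;
}
```

The point of splitting `parse_hseq` from `lookup_mark` is that each untrusted-to-trusted boundary gets its own check: a malformed attribute never becomes a number, and a well-formed but out-of-range number never becomes a pointer.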
Fixed by #217
input (`xxd cases/tats-w3m-200`)
how to reproduce:
stderr:
This is detected with the help of a dummy libgc wrapper. See https://github.com/kcwu/fuzzing-w3m/tree/master/notgc for details.
For more details on how to reproduce, please see https://github.com/kcwu/fuzzing-w3m
For your convenience, gdb line:
```
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-200
```
found by afl++