heap buffer overflow and bad pointer deref in conv_symbol() #38

Closed
kcwu opened this Issue Nov 13, 2016 · 1 comment


kcwu commented Nov 13, 2016

Input:

00000000: 3c74 6162 6c65 3e1b 3c61 3e30 3c74 6578  <table>.<a>0<tex
00000010: 7461 7265 6100 636f 6c73 3d32 3030 3e3c  tarea.cols=200><
00000020: 713c 7461 626c 653e 303c 7020 3d3e 303c  q<table>0<p =>0<
00000030: 6852 3e30 3c70 203d 3e30 3c70 0d3e 303c  hR>0<p =>0<p.>0<
00000040: 703e 303c 6852 3e30 3c70 3e30 3c68 523e  p>0<hR>0<p>0<hR>
00000050: 303c 7464 3e30 3c68 5220 616c 6967 6e3d  0<td>0<hR align=
00000060: 6d69 6464 6c65 3e30 3030 3030 1e30 3030  middle>00000.000
00000070: 3030 e430 3030 30ff 3030 3030 30a5 3030  00.0000.00000.00
00000080: 3030 303c 303c 3030 3030 3d30 3030 3030  000<0<0000=00000
00000090: 2f30 3030 3030 ff30 3030 3030            /00000.00000

gdb --args w3m -T text/html -dump file

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0000000000479ffe in Strcat_charp (x=0x7f29a0, y=0x500000004 <error: Cannot access memory at address 0x500000004>) at Str.c:217
#2  0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
#3  0x000000000042eb4c in _saveBuffer (buf=0x7d4e00, l=0x7d6c60, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7647
#4  0x000000000042eca3 in saveBuffer (buf=0x7d4e00, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7668
#5  0x0000000000408002 in do_dump (buf=0x7d4e00) at main.c:1360
#6  0x0000000000407433 in main (argc=5, argv=0x7fffffffcde8, envp=0x7fffffffce18) at main.c:1066
(gdb) frame 2
#2  0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
7614                Strcat_charp(tmp, symbol[(int)c]);
(gdb) p symbol
$1 = (char **) 0x7ccd80
(gdb) p c
$2 = 81 'Q'

symbol is allocated in update_utf8_symbol(). Its size is only 46. So symbol[c] is a heap buffer overflow read.

This was found by afl-fuzz.

tats added a commit that referenced this issue Nov 14, 2016

tats Nov 14, 2016

Owner

Fixed, thank you.
