Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

global-buffer-overflow in parseURL() #41

Closed
kcwu opened this issue Nov 17, 2016 · 6 comments
Closed

global-buffer-overflow in parseURL() #41

kcwu opened this issue Nov 17, 2016 · 6 comments

Comments

@kcwu
Copy link
Contributor

@kcwu kcwu commented Nov 17, 2016

input

00000000: 3c41 2068 7265 663d 2f2f 3e30 3030 3030  <A href=//>00000
00000010: 3030 3c62 6173 6520 6872 6566 3d3a 3e30  00<base href=:>0
00000020: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030                      00000000

build with Address sanitizer. the run result:

==1331653==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007903fc at pc 0x0000006a2b14 bp 0x7ffda749a3b0 sp 0x7ffda749a3a8
READ of size 4 at 0x0000007903fc thread T0
    #0 0x6a2b13 in parseURL /home/kcwu/w3m/url.c:844:16
    #1 0x6a43db in parseURL2 /home/kcwu/w3m/url.c:999:5
    #2 0x6b0ec0 in url_to_charset /home/kcwu/w3m/url.c:2278:2
    #3 0x6b0ec0 in url_encode /home/kcwu/w3m/url.c:2293
    #4 0x5a83e3 in HTMLlineproc2body /home/kcwu/w3m/file.c:5684:8
    #5 0x5afe54 in HTMLlineproc2 /home/kcwu/w3m/file.c:6198:5
    #6 0x5afe54 in loadHTMLstream /home/kcwu/w3m/file.c:7289
    #7 0x56b9ec in loadHTMLBuffer /home/kcwu/w3m/file.c:6781:5
    #8 0x560a80 in loadSomething /home/kcwu/w3m/file.c:224:16
    #9 0x560a80 in loadGeneralFile /home/kcwu/w3m/file.c:2241
    #10 0x4f901a in main /home/kcwu/w3m/main.c:1020:12
    #11 0x7f3210f82f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #12 0x41c095 in _start (/home/kcwu/w3m/w3m+0x41c095)

0x0000007903fc is located 36 bytes to the left of global variable '<string literal>' defined in 'url.c:1747:10' (0x790420) of size 6
  '<string literal>' is ascii string 'url.c'
0x0000007903fc is located 5 bytes to the right of global variable '<string literal>' defined in 'url.c:1747:10' (0x7903e0) of size 23
  '<string literal>' is ascii string 'isprint(w3m_reqlog[0])'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/kcwu/w3m/url.c:844:16 in parseURL
Shadow bytes around the buggy address:
  0x0000800ea020: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0000800ea030: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800ea040: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0000800ea050: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800ea060: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000800ea070: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 00 07[f9]
  0x0000800ea080: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800ea090: 00 00 00 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9
  0x0000800ea0a0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x0000800ea0b0: 00 00 00 04 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800ea0c0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 02
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1331653==ABORTING
#11 0x0000000000463cfc in parseURL (url=0xd8d750 "//", p_url=0x7ffc377805d0, current=0xda2de0) at url.c:844
844             p_url->port = DefaultPort[p_url->scheme];
(rr) p p_url->scheme
$1 = 255

p_url->scheme=255=SCM_UNKNOWN, but length of DefaultPort is 13 or 14.

This is found by afl-fuzz.

@kcwu
Copy link
Contributor Author

@kcwu kcwu commented Nov 17, 2016

reduced case

00000000: 3c62 6173 6520 6872 6566 3d3a 3e3c 4120  <base href=:><A
00000010: 6872 6566 3d2f 2f3e                      href=//>
tats added a commit that referenced this issue Nov 17, 2016
@tats
Copy link
Owner

@tats tats commented Nov 17, 2016

Fixed, though unreproducible for me.

Feel free to reopen the bug if the problem still occurs.

@tats tats closed this Nov 17, 2016
@kcwu
Copy link
Contributor Author

@kcwu kcwu commented Nov 17, 2016

Can you reproduce if you replace

p_url->port = DefaultPort[p_url->scheme];

with

assert(p_url->scheme != SCM_UNKNOWN);
p_url->port = DefaultPort[p_url->scheme];

?

@kcwu
Copy link
Contributor Author

@kcwu kcwu commented Nov 17, 2016

ah, I found w3m will load cookie file. So it probably depends on the content of cookie. let me investigate more.

@tats
Copy link
Owner

@tats tats commented Nov 17, 2016

Ah, sorry, I misunderstood.

Reproducible and fixed. Thank you.

@kcwu
Copy link
Contributor Author

@kcwu kcwu commented Nov 17, 2016

Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.