global-buffer-overflow in wc_any_to_ucs() #43

Closed
kcwu opened this Issue Nov 18, 2016 · 2 comments

kcwu (Contributor) commented Nov 18, 2016

00000000: 3c6d 6574 6120 6368 6172 7365 743d 7669  <meta charset=vi
00000010: 7363 6969 3e3c 7461 626c 653e 3c62 3c3e  scii><table><b<>
00000020: 003c 6c69 7374 696e 673e 3c74 6162 6c65  .<listing><table
00000030: 3e3c 7468 3e30 3030 3030 3030 0a30 3030  ><th>0000000.000
00000040: 3030 3030 3030 3030 3030 3030 3030 0430  00000000000000.0
00000050: 3030 3030 3030 3020 3030 3030 3082 3030  0000000 00000.00
00000060: ffff e530 3030 3030 3c74 643e 303c 7461  ...00000<td>0<ta
00000070: 626c 653e 3c74 643e 303c 7072 653e 3030  ble><td>0<pre>00
00000080: 3030 3030 3030 303c 6973 696e 6465 783e  0000000<isindex>
00000090: 3030 3030 3030 3002 3030 3030 3030 3c74  0000000.000000<t
000000a0: 643e 303c 7461 626c 653e 303c 7461 626c  d>0<table>0<tabl
000000b0: 653e 3d30 3030 3030 3030 3030 3030 3030  e>=0000000000000
000000c0: 3030 3c2f 696e 7465 726e 616c 3e30 3030  00</internal>000
000000d0: 3030 3030 3030 3030 3030 3030 3c70 3e30  000000000000<p>0

How to reproduce

  1. build w3m with AddressSanitizer (-fsanitize=address)
  2. w3m.asan -T text/html -dump file

Asan output

==3207532==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000aef600 at pc 0x000000735d1b bp 0x7fff1be69eb0 sp 0x7fff1be69ea8
READ of size 2 at 0x000000aef600 thread T0
    #0 0x735d1a in wc_any_to_ucs /home/kcwu/w3m/libwc/ucs.c:281:15
    #1 0x74dc71 in wc_push_to_utf8 /home/kcwu/w3m/libwc/utf8.c:276:14
    #2 0x6fdcbd in wc_conv_to_ces /home/kcwu/w3m/libwc/conv.c:93:6
    #3 0x6fcf70 in wc_Str_conv /home/kcwu/w3m/libwc/conv.c:23:9
    #4 0x5a90ee in _saveBuffer /home/kcwu/w3m/file.c:7654:8
    #5 0x5a8e2a in saveBuffer /home/kcwu/w3m/file.c:7672:5
    #6 0x4fdca8 in do_dump /home/kcwu/w3m/main.c:1360:2
    #7 0x4f9c7a in main /home/kcwu/w3m/main.c:1066:6
    #8 0x7ffb4e428f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #9 0x41bfc5 in _start (/home/kcwu/w3m/w3m.asan+0x41bfc5)

0x000000aef600 is located 32 bytes to the left of global variable 'vps1_ucs_map' defined in './map/vps_ucs.map:3:18' (0xaef620) of size 256
0x000000aef600 is located 0 bytes to the right of global variable 'viscii112_ucs_map' defined in './map/viscii11_ucs.map:22:18' (0xaef5c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/kcwu/w3m/libwc/ucs.c:281:15 in wc_any_to_ucs
Shadow bytes around the buggy address:
  0x000080155e70: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080155e80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080155e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080155ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080155eb0: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x000080155ec0:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080155ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080155ee0: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080155ef0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080155f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080155f10: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3207532==ABORTING

ASAN_OPTIONS=abort_on_error=1 gdb --args w3m.asan -T text/html -dump file

Program received signal SIGABRT, Aborted.
0x00007ffff642ec37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) frame 6
#6  0x0000000000735d1b in wc_any_to_ucs (cc=...) at ucs.c:281
281         cc.code = map[cc.code];
(gdb) p cc.code
$1 = 32

map is viscii112_ucs_map, which has size 32.

This was found by afl-fuzz.
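As an added illustration (not code from w3m, nor from either participant in this issue), the following C program models the lookup pattern that the ASan trace and the gdb session point at: an 8-bit code used directly as an index into a fixed-size 16-bit code-point table, shown first unchecked and then bounds-checked. The table contents, the function names, the replacement character and the assumption that the table starts at code 0 are all made up for the demo; w3m's real VISCII map and its offset arithmetic are not reproduced. Only the sizes mirror the report: 32 entries of 2 bytes give the 64-byte table ASan printed, and code 32 is the first index that falls off its end. Built with -fsanitize=address, a call to lookup_unchecked(32) would trigger the same class of global-buffer-overflow report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not w3m's code: a model of an unchecked table lookup and
 * its bounds-checked form.  Sizes mirror the report (32 x uint16_t = 64
 * bytes); everything else is constructed. */

#define MAP_ENTRIES 32u
#define UCS_REPL    0xFFFDu   /* U+FFFD REPLACEMENT CHARACTER for unmapped codes (assumption) */

/* Constructed 32-entry table; the values are arbitrary, not the VISCII mapping. */
static const uint16_t demo_map[MAP_ENTRIES] = {
    0x1EA0, 0x1EA1, 0x1EA2, 0x1EA3, 0x1EA4, 0x1EA5, 0x1EA6, 0x1EA7,
    0x1EA8, 0x1EA9, 0x1EAA, 0x1EAB, 0x1EAC, 0x1EAD, 0x1EAE, 0x1EAF,
    0x1EB0, 0x1EB1, 0x1EB2, 0x1EB3, 0x1EB4, 0x1EB5, 0x1EB6, 0x1EB7,
    0x1EB8, 0x1EB9, 0x1EBA, 0x1EBB, 0x1EBC, 0x1EBD, 0x1EBE, 0x1EBF
};

/* The bug's shape: the code is trusted as an in-range index.  With code == 32
 * this reads 2 bytes just past the array, which is what ASan flagged
 * ("READ of size 2 ... 0 bytes to the right of global variable").
 * Never call this with an out-of-range code. */
uint16_t lookup_unchecked(unsigned code)
{
    return demo_map[code];
}

/* Bounds-checked lookup: compare against the element count (not the byte
 * size) using an unsigned index, so a negative or wrapped value cannot get
 * past the comparison. */
uint16_t lookup_checked(unsigned code)
{
    if (code >= MAP_ENTRIES)
        return UCS_REPL;      /* unmapped: substitute, do not index */
    return demo_map[code];
}

/* Decode a byte buffer through the checked lookup; returns how many bytes
 * were out of the table's range and therefore replaced. */
size_t decode_checked(const uint8_t *in, size_t n, uint16_t *out)
{
    size_t replaced = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = lookup_checked(in[i]);
        if (out[i] == UCS_REPL)
            replaced++;
    }
    return replaced;
}

/* Constructed input: two in-range codes, then 0x20 (= 32, the value gdb
 * showed in cc.code) and one more out-of-range byte. */
static const uint8_t sample_input[] = { 0x01, 0x1F, 0x20, 0x41 };

/* Runs the constructed sample through decode_checked and returns the
 * replacement count (2 for the sample above). */
size_t demo_replaced_count(void)
{
    uint16_t ucs[sizeof sample_input];
    return decode_checked(sample_input, sizeof sample_input, ucs);
}

int main(void)
{
    uint16_t ucs[sizeof sample_input];
    size_t bad = decode_checked(sample_input, sizeof sample_input, ucs);

    for (size_t i = 0; i < sizeof sample_input; i++)
        printf("0x%02X -> U+%04X\n", sample_input[i], ucs[i]);
    printf("%zu byte(s) out of table range replaced with U+FFFD\n", bad);
    return 0;
}
```

The check is written against the element count rather than a byte size, and with the index kept unsigned, because those are the two places where a range check on a table like this most often goes wrong.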

tats added a commit that referenced this issue Nov 18, 2016

tats (Owner) commented Nov 18, 2016

Fixed, thank you.

tats closed this Nov 18, 2016

tats added a commit that referenced this issue Nov 18, 2016

tats (Owner) commented Nov 18, 2016

Oops, type mismatch fixed.