
heap-buffer-overflow in set_integered_width() #70

Closed
kcwu opened this issue Dec 2, 2016 · 3 comments

Comments

kcwu (Contributor) commented Dec 2, 2016

Input (xxd cases/tats-w3m-70):

00000000: 3c74 6162 6c65 3e7f 303c 7468 2063 6f6c  <table>.0<th col
00000010: 7370 616e 3d39 3e3c 7468 2063 6f6c 7370  span=9><th colsp
00000020: 616e 3d39 3e3c 7468 2063 6f6c 7370 616e  an=9><th colspan
00000030: 3d39 3e3c 7468 2063 6f6c 7370 616e 3d39  =9><th colspan=9
00000040: 3e3c 7468 2063 6f6c 7370 616e 3d39 3e3c  ><th colspan=9><
00000050: 7468 2063 6f6c 7370 616e 3d39 3e3c 7468  th colspan=9><th
00000060: 2063 6f6c 7370 616e 3d39 3e3c 7468 3e3c   colspan=9><th><
00000070: 7468 2063 6f6c 7370 616e 3d39 3e3c 7468  th colspan=9><th
00000080: 2063 6f6c 7370 616e 3d39 3e3c 7468 3e30   colspan=9><th>0
00000090: 303c 7468 2063 6f6c 7370 616e 3d39 3e3c  0<th colspan=9><
000000a0: 7468 2063 6f6c 7370 616e 3d39 3e3c 7468  th colspan=9><th
000000b0: 2063 6f6c 7370 616e 3d39 3e3c 7468 2063   colspan=9><th c
000000c0: 6f6c 7370 616e 3d39 3e3c 7468 2063 6f6c  olspan=9><th col
000000d0: 7370 616e 3d39 3e3c 7468 2063 6f6c 7370  span=9><th colsp
000000e0: 616e 3d39 3e                             an=9>

How to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 LD_LIBRARY_PATH=./notgc ./w3m-tats.asan -T text/html -dump cases/tats-w3m-70

stderr:

=================================================================
==2732560==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000680 at pc 0x00000060f11c bp 0x7fff7b81be10 sp 0x7fff7b81be08
READ of size 8 at 0x619000000680 thread T0
    #0 0x60f11b in set_integered_width /targets/w3m-tats/table.c:1017:24
    #1 0x607904 in renderTable /targets/w3m-tats/table.c:1789:2
    #2 0x59240b in HTMLlineproc0 /targets/w3m-tats/file.c:6452:3
    #3 0x5a7d14 in completeHTMLstream /targets/w3m-tats/file.c:7022:2
    #4 0x5a5b21 in loadHTMLstream /targets/w3m-tats/file.c:7258:5
    #5 0x55bbf8 in loadHTMLBuffer /targets/w3m-tats/file.c:6781:5
    #6 0x55ee64 in loadSomething /targets/w3m-tats/file.c:224:16
    #7 0x5535ac in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #8 0x4f9202 in main /targets/w3m-tats/main.c:1017:12
    #9 0x7f64aa02cf44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #10 0x41bf25 in _start (/w3m-tats.asan+0x41bf25)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /targets/w3m-tats/table.c:1017:24 in set_integered_width
Shadow bytes around the buggy address:
  0x0c327fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff80d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2732560==ABORTING

This is detected with the help of a dummy libgc wrapper. See http://github.com/kcwu/fuzzing-w3m/notgc for details.
For more details on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience, gdb line:
LD_LIBRARY_PATH=./notgc ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-70

This was found by afl-fuzz.

kcwu (Contributor, Author) commented Dec 2, 2016

table.c:

992                         int ii = indexarray[i + kk];
993                         if (ii >= bcol && ii < ecol) {
994                             idx[m] = ii;

indexarray[] is a short array and ecol may be larger than 127 (in this case, ii=128, ecol=129). But idx[] is a char array.
The result of idx[m] = ii; may become negative if char is signed.

Later, at

1017                            (double)rulewidth - mod[(int)idx[kk]] > 0.5)

ASan detected a heap buffer overflow READ.

There may also be a buffer overflow WRITE at

1011                                fixed[(int)idx[kk]] = 2;

and

1024                                fixed[(int)idx[kk]] = 1;

But I haven't checked whether the write is really possible or not, though.
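The truncation kcwu describes, as an added example that is not w3m's code: a model of the report's loop with a char idx[] beside the same loop with an int idx[], plus a range check of the resulting indices. The column indices in sample_indexarray are constructed for the example (they are not what w3m computes for either test input), NCOLS is an assumed size for mod[]/fixed[], and 'signed char' is used explicitly so the result is the same on every platform; w3m's idx[] is plain 'char', which is signed on the x86 Linux build in the report.

```c
#include <stdio.h>

/* Added example, not w3m's code. Models the bug in the report: column
 * indices are computed as int from a short array and then stored in a
 * char array. Any index above 127 cannot be represented; with a signed
 * char it wraps to a negative value, and the later (int)idx[kk] cast
 * sign-extends that negative value, so mod[] and fixed[] are indexed
 * before the start of their allocation. */

#define NCOLS 256   /* assumed size of mod[] and fixed[] in this model */

/* What idx[m] = ii stores when idx[] is a (signed) char array. */
int truncated_index(int ii)
{
    signed char c = (signed char)ii;   /* implementation-defined for ii > 127 */
    return (int)c;                     /* sign-extended, as (int)idx[kk] does */
}

/* Mirrors the report's loop with a char idx[]: collects indices in
 * [bcol, ecol) and writes them back sign-extended into out[]. */
int collect_narrow(const short *indexarray, int n, int bcol, int ecol, int *out)
{
    signed char idx[NCOLS];
    int m = 0;
    for (int i = 0; i < n && m < NCOLS; i++) {
        int ii = indexarray[i];
        if (ii >= bcol && ii < ecol)
            idx[m++] = (signed char)ii;   /* truncation point */
    }
    for (int kk = 0; kk < m; kk++)
        out[kk] = (int)idx[kk];           /* the index mod[]/fixed[] would be accessed with */
    return m;
}

/* Fixed shape: idx[] is an int array, wide enough for any column index. */
int collect_wide(const short *indexarray, int n, int bcol, int ecol, int *out)
{
    int m = 0;
    for (int i = 0; i < n && m < NCOLS; i++) {
        int ii = indexarray[i];
        if (ii >= bcol && ii < ecol)
            out[m++] = ii;
    }
    return m;
}

/* Counts indices that would read or write outside an array of ncols entries. */
int count_out_of_range(const int *idx, int m, int ncols)
{
    int bad = 0;
    for (int kk = 0; kk < m; kk++)
        if (idx[kk] < 0 || idx[kk] >= ncols)
            bad++;
    return bad;
}

/* Constructed column indices: a table whose colspans push the column
 * numbers past 127, in the spirit of the report's inputs. */
static const short sample_indexarray[] = { 0, 50, 126, 127, 128, 129, 130, 134 };
#define SAMPLE_N ((int)(sizeof sample_indexarray / sizeof sample_indexarray[0]))

/* Number of out-of-range indices the char idx[] path produces (bcol=0, ecol=135). */
int bad_indices_narrow(void)
{
    int out[NCOLS];
    int m = collect_narrow(sample_indexarray, SAMPLE_N, 0, 135, out);
    return count_out_of_range(out, m, NCOLS);
}

/* Same input through the int idx[] path. */
int bad_indices_wide(void)
{
    int out[NCOLS];
    int m = collect_wide(sample_indexarray, SAMPLE_N, 0, 135, out);
    return count_out_of_range(out, m, NCOLS);
}

int main(void)
{
    printf("truncated_index(128) = %d\n", truncated_index(128));
    printf("out-of-range indices: narrow=%d wide=%d\n",
           bad_indices_narrow(), bad_indices_wide());
    return 0;
}
```

The (int) cast on line 1017 and 1011 of the report does not help, because the value was already narrowed when it was stored; the fix has to widen idx[] (or refuse indices above CHAR_MAX) before the store, not after the load.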

tats added a commit that referenced this issue Dec 5, 2016
tats (Owner) commented Dec 5, 2016

Fixed, thank you.

tats closed this as completed Dec 5, 2016

kcwu (Contributor, Author) commented Dec 13, 2016

FYI, this case demonstrates a heap-buffer-overflow WRITE if this issue is not fixed:

00000000: 3c74 6162 6c65 3e3c 7464 2063 6f6c 7370  <table><td colsp
00000010: 616e 3d35 303e 3c74 6420 636f 6c73 7061  an=50><td colspa
00000020: 6e3d 3830 3e3c 7464 2063 6f6c 7370 616e  n=80><td colspan
00000030: 3d35 3e30 3030 3030                      =5>00000

tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)