Crash when parsing malformed OCD file

Question

Crash when parsing malformed OCD file

Opened this issue 3 years ago · 3 comments

retpoline commented 3 years ago

Steps to reproduce

Open OCD file
Observe crash

Actual behaviour

mapper crashes

Expected behaviour

mapper handles malformed OCD file gracefully and doesn't crash

Configuration

Mapper Version: 0.9.5
Operating System: Windows 10

Repro OCD file:

crash.ocd.txt

Access violation (second chance) at mapper!start+0x983ed

Security risk level: Unknown
  Exploitability unknown.

Registers:
rax=0000000000093080 rbx=000000000772add0 rcx=0000000000000000
rdx=00000000090e739c rsi=000000000775e310 rdi=00000000077b7830
rip=00000000004998ad rsp=0000000000a6bb80 rbp=00000000006f0069
 r8=000000000001799d  r9=0000000000000000 r10=000000000001799e
r11=0000000008fcc040 r12=0000000000000000 r13=0000000004df5dd0
r14=0000000004dc59b0 r15=0000000000000000
iopl=0         no up ei ng nz na pe cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010285

Answer 1 · 2022-02-15T07:02:42.000Z

Thanks for the report, @retpoline! I appreciate your interest in OO Mapper code security. I'll have a look at what is causing the crash.

As part of the security aspect, would you upload the example file here instead of some download site unknown to me?

Answer 2 · 2022-02-15T16:37:43.000Z

Sure, I've added it with .ocd.txt extension so github would allow the upload.

Thanks for your time!

Answer 3 · 2022-02-16T16:43:56.000Z

The root cause of the crash is a mishandled bogus number of vertexes in an area object. Mapper tries to read coordinates beyond the end of the file. I'm attaching a minimal reproducer generated with Mapper and tweaked with a hex editor.

minimal-crash.zip