dhoerl/htmlcxx

Security: heap-buffer-overflow in htmlcxx::HTML::Node::parseAttributes()


version: commit 6b001dd

When dealing with some malicious HTML content, htmlcxx will crash with a heap-buffer-overflow.
The crash can be reproduced with the following steps:
crash.tar.gz

tar -xvf crash.tar.gz
htmlcxx crashes/id\:000001\,sig\:06\,src\:000000+000045\,time\:39\,execs\:1195\,op\:splice\,rep\:7 

-----
0@[0;44) 
  1@[0;6) html
    2@[6;12) bod
      3@[12;26) hey<2bod����y>
      4@[26;37) </h�ml<htm>
      5@[37;44) bodyeq
-----

CSS attributes:

@[0:44)

HTML@[0:6)

BOD@[6:12)

=================================================================
==2850470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000001508 at pc 0x55bfa8bd5d17 bp 0x7ffec8b5aa50 sp 0x7ffec8b5aa48
READ of size 1 at 0x611000001508 thread T0
    #0 0x55bfa8bd5d16 in htmlcxx::HTML::Node::parseAttributes() /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18
    #1 0x55bfa8bbac85 in main /data/openeuler/aflbuild/../htmlcxx-0.86/htmlcxx.cc:151:9
    #2 0x7f62ced68d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #3 0x7f62ced68e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #4 0x55bfa8af1a94 in _start (/data/openeuler/aflbuild/htmlcxx+0x65a94) (BuildId: 4ea70980e50c843e)

0x611000001508 is located 0 bytes to the right of 200-byte region [0x611000001440,0x611000001508)
allocated by thread T0 here:
    #0 0x55bfa8baf72d in operator new(unsigned long) (/data/openeuler/aflbuild/htmlcxx+0x12372d) (BuildId: 4ea70980e50c843e)
    #1 0x55bfa8bc7f54 in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::replace<tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator>(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator, tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::iterator_base const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h
    #2 0x55bfa8bc183c in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::copy_(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > > const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h:461:10
    #3 0x55bfa8bb828d in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::operator=(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > > const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h:438:4
    #4 0x55bfa8bb828d in main /data/openeuler/aflbuild/../htmlcxx-0.86/htmlcxx.cc:114:6
    #5 0x7f62ced68d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18 in htmlcxx::HTML::Node::parseAttributes()
Shadow bytes around the buggy address:
==2850470==ABORTING


From: xiongshengchao@jyhlab.org.cn