NULL pointer dereference in the process_raw_blocks() function
fcambus opened this issue · 2 comments
fcambus commented
Hi,
While fuzzing peg-markdown with Honggfuzz, I found a NULL pointer dereference in the process_raw_blocks() function.
Attaching a reproducer (gzipped so GitHub accepts it): test01.md.gz
The issue can be reproduced by running:
markdown test01.md
AddressSanitizer:DEADLYSIGNAL
=================================================================
==641623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056945a bp 0x7ffeff8c0680 sp 0x7ffeff8c05b0 T0)
==641623==The signal is caused by a READ memory access.
==641623==Hint: address points to the zero page.
#0 0x56945a in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:131:41
#1 0x569616 in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:139:33
#2 0x569089 in markdown_to_g_string /home/fcambus/peg-markdown/markdown_lib.c:161:14
#3 0x5696e0 in markdown_to_string /home/fcambus/peg-markdown/markdown_lib.c:177:11
#4 0x4c4bbc in main /home/fcambus/peg-markdown/markdown.c:180:11
#5 0x7f71b46590b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41c43d in _start (/home/fcambus/peg-markdown/markdown+0x41c43d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fcambus/peg-markdown/markdown_lib.c:131:41 in process_raw_blocks
==641623==ABORTING
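The report above is the kind of output a fuzzing campaign produces in bulk. As an added triage example (not code from this issue or from peg-markdown), the script below parses an AddressSanitizer SEGV report and flags a fault address inside the zero page as a likely NULL-pointer dereference, reading the small address as the offset of the struct field being accessed; the embedded report is the one from this issue, trimmed to the lines the parser uses, and a 4096-byte page size is assumed.

```python
import re

# Constructed sample: the AddressSanitizer report from this issue, trimmed.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==641623==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056945a bp 0x7ffeff8c0680 sp 0x7ffeff8c05b0 T0)
==641623==The signal is caused by a READ memory access.
==641623==Hint: address points to the zero page.
    #0 0x56945a in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:131:41
    #1 0x569616 in process_raw_blocks /home/fcambus/peg-markdown/markdown_lib.c:139:33
    #2 0x569089 in markdown_to_g_string /home/fcambus/peg-markdown/markdown_lib.c:161:14
SUMMARY: AddressSanitizer: SEGV /home/fcambus/peg-markdown/markdown_lib.c:131:41 in process_raw_blocks
"""

PAGE_SIZE = 4096  # assumption: x86-64 Linux zero page

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0x... in func path:line[:col]"
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")

def parse_asan_report(text):
    """Extract signal kind, fault address, access type and symbolized frames."""
    report = {"kind": None, "address": None, "access": None, "frames": []}
    for line in text.splitlines():
        line = line.strip()
        m = ERROR_RE.search(line)
        if m:
            report["kind"] = m.group(1)
            report["address"] = int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            report["access"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append((m.group(2), m.group(3), int(m.group(4))))
    return report

def triage(report):
    """Classify the crash: a zero-page address means a NULL base pointer plus a field offset."""
    addr = report["address"]
    null_deref = addr is not None and addr < PAGE_SIZE
    frames = report["frames"]
    top = frames[0] if frames else None
    # Same function in frames #0 and #1 suggests the fault is inside a recursive walk.
    recursive = len(frames) > 1 and frames[0][0] == frames[1][0]
    return {
        "null_deref": null_deref,
        "field_offset": addr if null_deref else None,
        "crash_site": "%s (%s:%d)" % top if top else None,
        "recursive_frame": recursive,
    }
```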
jgm commented
Thank you. I should perhaps clarify in the README that this is essentially an unmaintained package.
fcambus commented
Ah, makes sense. I had requested a CVE number just after posting that issue, before seeing your answer. FWIW, this got assigned CVE-2020-25821.