jgm/peg-markdown

Stack overflow in process_raw_blocks

Opened this issue · 0 comments

Problem Description

Note: I am aware that this project is unmaintained. However, I am still opening this issue to follow the CVE guidelines for EOL software.

There is a stack overflow (a.k.a. infinite recursion) in the `process_raw_blocks` function when the parser handles a specially crafted Markdown file. This could be used to perform a denial-of-service attack.

Here is a minimized proof-of-concept Markdown file that triggers the bug: min_stack_overflow.md. The output is as follows:

    #210 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #211 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #212 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #213 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #214 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #215 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #216 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #217 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #218 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #219 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #220 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #221 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #222 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #223 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #224 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #225 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #226 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #227 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #228 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #229 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #230 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #231 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #232 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #233 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #234 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #235 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #236 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #237 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #238 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #239 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #240 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #241 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #242 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #243 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #244 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #245 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #246 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #247 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
    #248 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33

    SUMMARY: AddressSanitizer: stack-overflow /home/sanic/peg-markdown/markdown_lib.c:113 in process_raw_blocks
    ==2808508==ABORTING

Reproduction Steps

  1. Compile the project with ASAN (AddressSanitizer) enabled. For example, `CC=afl-clang-fast AFL_USE_ASAN=1 make`.
  2. Run `./markdown -x min_stack_overflow.md` (use the proof-of-concept file attached to this report).
  3. Observe the stack overflow in the output.
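The failure class reported above, recursion whose depth is controlled by the input, is illustrated by the added example below. It is not code from peg-markdown or from this report: the `'>'`-per-level input format, the `MAX_BLOCK_DEPTH` value and the function names are all constructed stand-ins. The unbounded variant mirrors the bug pattern (one stack frame per nesting level, no limit), and the bounded variant shows the usual fix of threading a depth counter through the recursion and refusing input that nests past a budget, so the parser returns an error instead of exhausting the stack.

```c
/* Added example, not peg-markdown's code. Models a recursive block
 * processor with and without a nesting-depth guard. Input format is a
 * constructed stand-in: each leading '>' opens one more nested block,
 * so ">>>text" nests three deep. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCK_DEPTH 64          /* assumed budget; size it to the real stack */

enum { PROCESS_TOO_DEEP = -1 };

/* Vulnerable pattern: recursion depth equals input nesting depth and is
 * never checked. A file with a few hundred thousand '>' exhausts the
 * stack, which ASAN reports as "stack-overflow" as in the issue above.
 * Kept here for contrast only; never call it on untrusted input.
 * (A compiler may turn this tail call into a loop at -O2; the real
 * parser does work after the recursive call, so it is not so lucky.) */
int process_nested_unbounded(const char *s, int depth)
{
    if (*s != '>')
        return depth;                           /* leaf block reached */
    return process_nested_unbounded(s + 1, depth + 1);
}

/* Hardened pattern: same recursion, but the current depth is passed down
 * and the function refuses to descend past MAX_BLOCK_DEPTH. Returns the
 * nesting depth on success or PROCESS_TOO_DEEP on over-nested input. */
int process_nested_bounded(const char *s, int depth)
{
    if (*s != '>')
        return depth;                           /* leaf block reached */
    if (depth >= MAX_BLOCK_DEPTH)
        return PROCESS_TOO_DEEP;                /* reject instead of recursing */
    return process_nested_bounded(s + 1, depth + 1);
}

/* Entry point a caller would use: always starts at depth 0. */
int parse_document(const char *doc)
{
    return process_nested_bounded(doc, 0);
}

/* Builds a constructed test document of n nested levels: n '>' followed
 * by "text". Caller frees the result. */
char *make_nested_input(size_t n)
{
    char *buf = malloc(n + 5);
    if (buf == NULL)
        return NULL;
    memset(buf, '>', n);
    memcpy(buf + n, "text", 5);                 /* includes the terminating NUL */
    return buf;
}

int main(void)
{
    char *shallow = make_nested_input(3);
    char *deep = make_nested_input(1000000);    /* would overflow the unbounded variant */
    if (shallow == NULL || deep == NULL)
        return 1;

    printf("shallow: depth %d\n", parse_document(shallow));
    printf("deep:    %s\n", parse_document(deep) == PROCESS_TOO_DEEP
                                ? "rejected (too deep)" : "accepted");

    free(shallow);
    free(deep);
    return 0;
}
```

Building the example with `-fsanitize=address` and then calling `process_nested_unbounded` on the `deep` buffer reproduces the same kind of ASAN abort shown in the report; the bounded variant returns `PROCESS_TOO_DEEP` on that input without touching more than 65 frames.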