Stack overflow in process_raw_blocks
Opened this issue · 0 comments
danielpyon commented
Problem Description
Note: I am aware that this project is unmaintained. However, I am still opening this issue to follow CVE's guidelines for EOL software.
There is a stack overflow (aka: infinite recursion) in the process_raw_blocks function when the parser handles a specially crafted Markdown file. This could be used to perform a denial-of-service attack.
Here is a minimized proof-of-concept Markdown file that triggers the bug: min_stack_overflow.md. The output is as follows:

```
#210 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#211 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#212 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#213 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#214 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#215 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#216 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#217 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#218 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#219 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#220 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#221 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#222 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#223 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#224 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#225 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#226 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#227 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#228 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#229 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#230 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#231 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#232 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#233 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#234 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#235 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#236 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#237 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#238 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#239 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#240 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#241 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#242 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#243 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#244 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#245 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#246 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#247 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
#248 0x5dcd55 in process_raw_blocks /home/sanic/peg-markdown/markdown_lib.c:137:33
SUMMARY: AddressSanitizer: stack-overflow /home/sanic/peg-markdown/markdown_lib.c:113 in process_raw_blocks
==2808508==ABORTING
```
Reproduction Steps
- Compile the project using ASAN (Address Sanitizer). For example, `CC=afl-clang-fast AFL_USE_ASAN=1 make`.
- Run `./markdown -x min_stack_overflow.md` (use the proof-of-concept file attached to this report).
- Observe the stack overflow in the output.
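The failure mode reported above, shown as an added example that is not peg-markdown's code: a simplified recursive raw-block processor (blockquote bodies re-parsed one level deeper) with an explicit nesting limit, so crafted deep nesting is rejected with an error instead of exhausting the stack. MAX_RAW_DEPTH, process_document and parse_nested_quote are assumed names and values, not from the project.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not peg-markdown's code: a model of a parser that re-parses
 * "raw" block bodies recursively (blockquote bodies here) with a depth limit,
 * so crafted nesting fails cleanly instead of overflowing the stack. */
#define MAX_RAW_DEPTH 256   /* assumed limit, not a value from the project */
enum { RAW_OK = 0, RAW_TOO_DEEP = -1 };

/* A line starting with '>' is a blockquote whose body is re-parsed one level
 * deeper; anything else is a leaf paragraph. */
static int process_raw_block(const char *src, int depth, int *paragraphs) {
    if (depth > MAX_RAW_DEPTH)
        return RAW_TOO_DEEP;        /* refuse rather than recurse further */
    if (*src == '>')
        return process_raw_block(src + 1, depth + 1, paragraphs);
    if (*src != '\0')
        (*paragraphs)++;
    return RAW_OK;
}

/* Parse a whole document; returns RAW_OK or RAW_TOO_DEEP. */
int process_document(const char *src, int *paragraphs) {
    *paragraphs = 0;
    return process_raw_block(src, 0, paragraphs);
}

/* Constructed sample input: n '>' markers followed by "text", the nesting
 * shape that drives a recursive block processor n levels deep. */
int parse_nested_quote(size_t n, int *paragraphs) {
    char *s = malloc(n + 5);
    if (!s) {
        *paragraphs = 0;
        return RAW_TOO_DEEP;        /* treat allocation failure as rejection */
    }
    memset(s, '>', n);
    memcpy(s + n, "text", 5);
    int rc = process_document(s, paragraphs);
    free(s);
    return rc;
}

int main(void) {
    int paras, rc = parse_nested_quote(8, &paras);
    printf("8 levels: rc=%d paragraphs=%d\n", rc, paras);
    rc = parse_nested_quote(100000, &paras);
    printf("100000 levels: rc=%d\n", rc);
    return 0;
}
```

Without the depth check the same 100000-level input would recurse once per marker, which is the pattern the ASAN trace above shows for the real parser.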