Stack-based buffer overflow in the hd_strlcpy() function
fcambus opened this issue · 4 comments
fcambus commented
Hi,
While fuzzing htmldoc with Honggfuzz, I found a stack-based buffer overflow in the hd_strlcpy() function, in string.c.
Attaching a reproducer (gzipped so GitHub accepts it): test01.html.gz
The issue can be reproduced by running:
htmldoc test01.html -f test01.ps
=================================================================
==27915==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffefa66f0df at pc 0x000000494c40 bp 0x7ffefa66f070 sp 0x7ffefa66e838
WRITE of size 3 at 0x7ffefa66f0df thread T0
#0 0x494c3f in __asan_memcpy (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f)
#1 0x556aa5 in hd_strlcpy /home/fcambus/htmldoc-1.9.7/htmldoc/string.c:191:3
#2 0x509ee3 in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3765:5
#3 0x4f3cfb in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3853:13
#4 0x4f3f6c in parse_contents(tree_str*, float, float, float, float, float*, int*, int*, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx
#5 0x4e4fce in pspdf_export /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:860:5
#6 0x4d17bb in main /home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc.cxx:1276:3
#7 0x7f68626141e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
#8 0x41d84d in _start (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x41d84d)
Address 0x7ffefa66f0df is located in stack of thread T0 at offset 63 in frame
#0 0x5084be in render_contents(tree_str*, float, float, float, float, float*, int*, int, tree_str*) /home/fcambus/htmldoc-1.9.7/htmldoc/ps-pdf.cxx:3563
This frame has 2 object(s):
[32, 44) 'rgb' (line 3564)
[64, 1088) 'number' (line 3570) <== Memory access at offset 63 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/fcambus/htmldoc-1.9.7/htmldoc/htmldoc+0x494c3f) in __asan_memcpy
Shadow bytes around the buggy address:
0x10005f4c5dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005f4c5e10: 00 00 00 00 f1 f1 f1 f1 00 04 f2[f2]00 00 00 00
0x10005f4c5e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005f4c5e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==27915==ABORTING
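The frame dump above is the interesting part: the 3-byte memcpy lands at offset 63, one byte below the 1024-byte `number` buffer that starts at offset 64, so the destination pointer was already in front of the buffer before hd_strlcpy() ran. A strlcpy-style copy can only bound where a write ends, never where it starts. The following added example is not htmldoc's code and not part of the report; it reimplements an OpenBSD-style strlcpy, models the stack frame as a flat array (redzone followed by `number`) and shows how a destination computed from a negative offset reproduces the "partially underflows" pattern, beside a caller that validates the offset against the buffer base. The `offset` parameter, the `frame_model` layout, the 0xf1 fill and the "abc" input are constructed for illustration; the real caller at ps-pdf.cxx:3765 is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

#define GUARD       8     /* bytes standing in for ASan's stack-left redzone */
#define NUMBER_SIZE 1024  /* matches the 'number' object in the ASan frame dump */

/* OpenBSD-style strlcpy written for this example.  It models the behaviour
 * the trace attributes to hd_strlcpy(): memcpy() of the (possibly truncated)
 * source, then a NUL.  It is not htmldoc's string.c. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size == 0)
        return srclen;
    if (srclen >= size)
        srclen = size - 1;       /* leave room for the terminator */

    memcpy(dst, src, srclen);    /* the write ASan reported in frame #1 */
    dst[srclen] = '\0';
    return strlen(src);
}

/* Flat byte array modelling the render_contents() frame: GUARD redzone bytes
 * immediately followed by the 1024-byte 'number' buffer.  One array keeps the
 * pointer arithmetic below defined, so the demo runs without a sanitizer. */
typedef struct {
    unsigned char bytes[GUARD + NUMBER_SIZE];
} frame_model;

static void frame_init(frame_model *f)
{
    memset(f->bytes, 0xf1, GUARD);            /* 0xf1 = ASan "stack left redzone" */
    memset(f->bytes + GUARD, 0, NUMBER_SIZE);
}

static char *frame_number(frame_model *f)
{
    return (char *)f->bytes + GUARD;
}

/* Count redzone bytes that no longer hold the fill value. */
static int frame_redzone_damage(const frame_model *f)
{
    int n = 0;
    for (int i = 0; i < GUARD; i++)
        if (f->bytes[i] != 0xf1)
            n++;
    return n;
}

/* Unchecked caller.  'offset' is a hypothetical index computed elsewhere; if it
 * is -1 the destination sits one byte below 'number' and the size argument,
 * derived from the same offset, becomes 1025, so strlcpy copies happily. */
static int unchecked_write(frame_model *f, long offset, const char *text)
{
    char *dst = frame_number(f) + offset;
    demo_strlcpy(dst, text, (size_t)((long)NUMBER_SIZE - offset));
    return frame_redzone_damage(f);
}

/* Hardened caller: validate the offset against the buffer base first.  strlcpy
 * cannot do this itself because it never sees where the buffer begins. */
static int checked_write(frame_model *f, long offset, const char *text)
{
    if (offset < 0 || offset >= NUMBER_SIZE)
        return -1;                /* refused: would write outside 'number' */
    demo_strlcpy(frame_number(f) + offset, text, NUMBER_SIZE - (size_t)offset);
    return 0;
}

/* The copy routine on its own: returns the source length, truncates to size-1. */
static int strlcpy_truncation_ok(void)
{
    char buf[4];
    return demo_strlcpy(buf, "hello", sizeof buf) == 5 && strcmp(buf, "hel") == 0;
}

/* Scenario A: constructed 3-byte input copied to offset -1.  Its first byte
 * lands in the redzone (ASan's "partially underflows"); "bc" ends up in number. */
static int scenario_unchecked_damage(void)
{
    frame_model f;
    frame_init(&f);
    return unchecked_write(&f, -1, "abc");
}

static int scenario_unchecked_tail_ok(void)
{
    frame_model f;
    frame_init(&f);
    unchecked_write(&f, -1, "abc");
    return strcmp(frame_number(&f), "bc") == 0;
}

/* Scenario B: same input through the checked caller; refused, redzone intact. */
static int scenario_checked_rc(void)
{
    frame_model f;
    frame_init(&f);
    return checked_write(&f, -1, "abc");
}

static int scenario_checked_damage(void)
{
    frame_model f;
    frame_init(&f);
    checked_write(&f, -1, "abc");
    return frame_redzone_damage(&f);
}

int main(void)
{
    printf("unchecked: %d redzone byte(s) clobbered\n", scenario_unchecked_damage());
    printf("checked:   rc=%d, %d redzone byte(s) clobbered\n",
           scenario_checked_rc(), scenario_checked_damage());
    return 0;
}
```

Building the real reproducer with `-fsanitize=address` is still the right way to confirm the report; the point of the model is only that the fix belongs in the caller that computes the destination, since enlarging `number` or tightening the size passed to hd_strlcpy() cannot stop a write that begins before the buffer.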
carnil commented
This issue got assigned CVE-2019-19630 according to the MITRE information.
michaelrsweet commented
Unable to reproduce on macOS with address sanitizer enabled. Trying Ubuntu...
michaelrsweet commented
Does show up on Ubuntu 18.04, so might be a GCC bug...
michaelrsweet commented