michaelrsweet/htmldoc

Heap buffer overflow caused by an integer overflow


Hi, the latest version of htmldoc has a heap-buffer-overflow bug which is caused by an integer overflow.
This issue is related to #423, since the fix in 6a8322a was incomplete.
The patch checks img->width and img->height at line 1266.
However, they can differ from the values used in line 1347.
The attacker can easily bypass the bounds checking and cause buggy behavior.

Thank you.

1260 fread(buf, 13, 1, fp);
1261
1262 img->width  = (buf[7] << 8) | buf[6];
1263 img->height = (buf[9] << 8) | buf[8];
1264 ncolors     = 2 << (buf[10] & 0x07);
1265
1266 if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
1267     return (-1);
...
1299 case ',' :	/* Image data */
1300     fread(buf, 9, 1, fp);
...
1341     img->width  = (buf[5] << 8) | buf[4];
1342     img->height = (buf[7] << 8) | buf[6];
1343     img->depth  = gray ? 1 : 3;
...
1347     img->pixels = (uchar *)malloc((size_t)(img->width * img->height * img->depth));

POC: htmldoc-poc.zip

# ./htmldoc/htmldoc --webpage -f out.pdf htmldoc-poc.html 
PAGES: 2
=================================================================
==4604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f5e2 at pc 0x5593fa4cf8bc bp 0x7fff40ecd3d0 sp 0x7fff40ecd3c0
WRITE of size 1 at 0x63000000f5e2 thread T0
    #0 0x5593fa4cf8bb in gif_read_image /src/htmldoc/htmldoc/image.cxx:320
    #1 0x5593fa4cf8bb in image_load_gif /src/htmldoc/htmldoc/image.cxx:1351
    #2 0x5593fa4cf8bb in image_load /src/htmldoc/htmldoc/image.cxx:829
    #3 0x5593fa487ff6 in write_image /src/htmldoc/htmldoc/ps-pdf.cxx:10305
    #4 0x5593fa48c5fe in pdf_write_page /src/htmldoc/htmldoc/ps-pdf.cxx:2693
    #5 0x5593fa4a2e28 in pdf_write_page /src/htmldoc/htmldoc/ps-pdf.cxx:2651
    #6 0x5593fa4a2e28 in pdf_write_outpage /src/htmldoc/htmldoc/ps-pdf.cxx:2605
    #7 0x5593fa4a2e28 in pdf_write_document /src/htmldoc/htmldoc/ps-pdf.cxx:2319
    #8 0x5593fa4a7db0 in pspdf_export /src/htmldoc/htmldoc/ps-pdf.cxx:910
    #9 0x5593fa44174c in main /src/htmldoc/htmldoc/htmldoc.cxx:1291
    #10 0x7f8c4215c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x5593fa441bad in _start (/src/htmldoc/htmldoc/htmldoc+0x4bbad)

0x63000000f5e2 is located 0 bytes to the right of 61922-byte region [0x630000000400,0x63000000f5e2)
allocated by thread T0 here:
    #0 0x7f8c42ab9bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5593fa4cf096 in image_load_gif /src/htmldoc/htmldoc/image.cxx:1347
    #2 0x5593fa4cf096 in image_load /src/htmldoc/htmldoc/image.cxx:829

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/htmldoc/htmldoc/image.cxx:320 in gif_read_image
==4604==ABORTING
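A defender's illustration of the two points in the report above: the line-1266 check only covers the screen descriptor, while the image descriptor at lines 1341-1342 supplies its own 16-bit dimensions, and the int product width*height*depth at line 1347 can wrap before it reaches malloc. This is added example code, not htmldoc's source or its fix in 842b6b6; `GIF_MAX_DIM`, `gif_checked_pixel_bytes` and the descriptor bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Dimension limit applied by the screen-descriptor check (image.cxx line 1266). */
#define GIF_MAX_DIM 32767

/* Constructed 9-byte image descriptor block: width = height = 0x93CE = 37838. */
const unsigned char gif_demo_descriptor[9] = {0, 0, 0, 0, 0xCE, 0x93, 0xCE, 0x93, 0};

/* Mirror of lines 1341-1342: the image descriptor carries its own 16-bit
 * little-endian width and height, which the line-1266 check never sees. */
int gif_descriptor_width(const unsigned char buf[9])  { return (buf[5] << 8) | buf[4]; }
int gif_descriptor_height(const unsigned char buf[9]) { return (buf[7] << 8) | buf[6]; }

/* Value the 32-bit int product width*height*depth wraps to, computed in
 * unsigned arithmetic so the demonstration itself is well defined. */
uint32_t gif_wrapped_pixel_bytes(int width, int height, int depth)
{
  return (uint32_t)width * (uint32_t)height * (uint32_t)depth;
}

/* Hardened allocation size (hypothetical, not htmldoc's fix): re-validate the
 * descriptor values and multiply in size_t with explicit overflow checks.
 * Returns the byte count, or 0 to reject the image. */
size_t gif_checked_pixel_bytes(int width, int height, int depth)
{
  if (width <= 0 || width > GIF_MAX_DIM || height <= 0 || height > GIF_MAX_DIM)
    return 0;
  if (depth != 1 && depth != 3)          /* depth is gray ? 1 : 3 (line 1343) */
    return 0;
  size_t w = (size_t)width, h = (size_t)height, d = (size_t)depth;
  if (w > SIZE_MAX / h)                  /* w * h would overflow size_t */
    return 0;
  if (w * h > SIZE_MAX / d)              /* w * h * d would overflow size_t */
    return 0;
  return w * h * d;
}

int main(void)
{
  int w = gif_descriptor_width(gif_demo_descriptor);
  int h = gif_descriptor_height(gif_demo_descriptor);
  printf("descriptor %d x %d x 3: int product wraps to %u bytes\n",
         w, h, (unsigned)gif_wrapped_pixel_bytes(w, h, 3));
  printf("hardened check: %zu (0 = rejected)\n", gif_checked_pixel_bytes(w, h, 3));
  return 0;
}
```

With the constructed 37838 x 37838 x 3 descriptor the wrapped product is 175436 bytes, far smaller than the image data that the decoder would then write into it, which is the shape of the region ASan reports above.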

Will fix in the next bug fix release.

[master 842b6b6] Fix potential GIF heap overflow (Issue #451)