AddressSanitizer: heap-buffer-overflow in function pdf_write_links at ps-pdf.cxx:3371
hdthky opened this issue · 2 comments
Description
Whilst experimenting with htmldoc
, built from commit 0bef12c, we are able to induce a vulnerability at htmldoc/htmldoc/ps-pdf.cxx:3371
in function pdf_write_links
, using a harness compiled from htmldoc/htmldoc.cxx
.
Because there is no bounds checking, a heap-based out-of-bound read will be triggered when the software encounters a malformed file, result in information disclosure or denial of service.
Environment
Ubuntu 20.04
gcc 10.3.0 with ASAN
Proof of Concept
The POC is: poc_heap_overflow5
The command is: ./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow5
The ASAN report is:
=================================================================
==6776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000458 at pc 0x5555556000ad bp 0x7fffffffb030 sp 0x7fffffffb020
READ of size 4 at 0x607000000458 thread T0
#0 0x5555556000ac in pdf_write_links /work/htmldoc/htmldoc/ps-pdf.cxx:3371
#1 0x5555556000ac in pdf_write_document /work/htmldoc/htmldoc/ps-pdf.cxx:2299
#2 0x555555606286 in pspdf_export /work/htmldoc/htmldoc/ps-pdf.cxx:910
#3 0x55555559f764 in main /work/htmldoc/htmldoc/htmldoc.cxx:1291
#4 0x7ffff6b620b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#5 0x55555559fbcd in _start (/work/htmldoc/htmldoc/htmldoc+0x4bbcd)
0x607000000458 is located 0 bytes to the right of 72-byte region [0x607000000410,0x607000000458)
allocated by thread T0 here:
#0 0x7ffff769bc47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55555560584d in pspdf_prepare_outpages /work/htmldoc/htmldoc/ps-pdf.cxx:1258
#2 0x55555560584d in pspdf_export /work/htmldoc/htmldoc/ps-pdf.cxx:901
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/htmldoc/htmldoc/ps-pdf.cxx:3371 in pdf_write_links
Shadow bytes around the buggy address:
0x0c0e7fff8030: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fff8040: 00 00 00 00 00 04 fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff8050: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff8060: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 01 fa fa
=>0x0c0e7fff8080: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6776==ABORTING
Impact
This vulnerability is capable of inducing information disclosure or denial of service.
Reproduced, as with the others it is highly unlikely this can result in information disclosure since this is overflowing an allocated buffer for some reason but it will cause a crash of HTMLDOC without writing any output...