BYVoid / OpenCC

Conversion between Traditional and Simplified Chinese
https://opencc.byvoid.com/
Apache License 2.0

Null pointer dereference in KeyLength() #811

Open morningbread opened 1 year ago

morningbread commented 1 year ago

Hi, I found a null pointer dereference vulnerability in KeyLength().

I put the PoC in the attachment; prove it like this (compile opencc_dict with AddressSanitizer): ./opencc_dict -i poc -o tmp -f ocd2 -t text

Then, ASAN would catch the error:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1338522==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff1de6447fb bp 0x7ffcbb091c10 sp 0x7ffcbb091ac0 T0)
==1338522==The signal is caused by a READ memory access.
==1338522==Hint: address points to the zero page.
    #0 0x7ff1de6447fb in opencc::DictEntry::KeyLength() const /home/coco/work/OpenCC/src/DictEntry.hpp:44:37
    #1 0x7ff1de6447fb in GetKeyMaxLength(std::shared_ptr<opencc::Lexicon> const&) /home/coco/work/OpenCC/src/TextDict.cpp:30:31
    #2 0x7ff1de6447fb in opencc::TextDict::TextDict(std::shared_ptr<opencc::Lexicon> const&) /home/coco/work/OpenCC/src/TextDict.cpp:82:17
    #3 0x7ff1de6447fb in opencc::TextDict::NewFromDict(opencc::Dict const&) /home/coco/work/OpenCC/src/TextDict.cpp:106:26
    #4 0x7ff1de5f6de5 in ConvertDict(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::Dict>) /home/coco/work/OpenCC/src/DictConverter.cpp:47:12
    #5 0x7ff1de5f7202 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:66:32
    #6 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
    #7 0x7ff1de03b082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41e81d in _start (/home/coco/work/OpenCC/build/rel/src/tools/opencc_dict+0x41e81d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/coco/work/OpenCC/src/DictEntry.hpp:44:37 in opencc::DictEntry::KeyLength() const
==1338522==ABORTING

poc.zip
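The trace above shows GetKeyMaxLength() calling DictEntry::KeyLength() on an entry taken from the Lexicon, and KeyLength() reading from the zero page, which is consistent with a null entry pointer being dereferenced; where that null comes from in the ocd2 loading path is not shown on the page, and the attached PoC is not reproduced here. The block below is an added example, not code from the issue or from OpenCC: it models the unchecked-loop pattern with simplified stand-ins (the class and function names follow the stack trace, but their bodies, the `Lexicon` alias, and the `MakeLexicon`/`CheckedRejectsNullEntry` helpers are assumptions), and shows a checked variant that refuses a lexicon containing a null entry instead of crashing later.

```cpp
// Added example (not OpenCC's code): a simplified model of the crash pattern
// in the report, beside a hardened variant. Names mirror the stack trace;
// the bodies are assumptions, not the project's implementation.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

namespace demo {

// Minimal stand-in for opencc::DictEntry: an entry owns its key.
class DictEntry {
public:
  explicit DictEntry(std::string key) : key_(std::move(key)) {}
  const std::string& Key() const { return key_; }
  // KeyLength() reads member state, so calling it through a null pointer
  // reads from address 0 (the zero-page READ that ASAN reported).
  size_t KeyLength() const { return key_.length(); }
private:
  std::string key_;
};

// Stand-in for opencc::Lexicon: an ordered list of owned entries. A loader
// that does not validate its input could leave a null slot in here.
using Lexicon = std::vector<std::unique_ptr<DictEntry>>;

// The pattern in the trace: every entry is dereferenced unconditionally.
// With a null slot this is undefined behaviour (SEGV under ASAN).
size_t GetKeyMaxLengthUnchecked(const Lexicon& lexicon) {
  size_t maxLength = 0;
  for (const auto& entry : lexicon) {
    maxLength = std::max(maxLength, entry->KeyLength());
  }
  return maxLength;
}

// Hardened variant: reject a lexicon containing a null entry instead of
// dereferencing it, so a malformed dictionary fails with a diagnosable
// error at the point where the invariant is violated.
size_t GetKeyMaxLengthChecked(const Lexicon& lexicon) {
  size_t maxLength = 0;
  for (size_t i = 0; i < lexicon.size(); ++i) {
    const auto& entry = lexicon[i];
    if (!entry) {
      throw std::invalid_argument("lexicon entry " + std::to_string(i) +
                                  " is null");
    }
    maxLength = std::max(maxLength, entry->KeyLength());
  }
  return maxLength;
}

// Constructed input (assumption): a small lexicon, optionally with a null
// slot modelling what an unvalidated loader could produce. Key lengths are
// in UTF-8 bytes: "簡體" is 6 bytes, "繁體中文" is 12 bytes.
Lexicon MakeLexicon(bool withNullSlot) {
  Lexicon lexicon;
  lexicon.push_back(std::make_unique<DictEntry>("簡體"));
  if (withNullSlot) {
    lexicon.push_back(nullptr);
  }
  lexicon.push_back(std::make_unique<DictEntry>("繁體中文"));
  return lexicon;
}

// True if the checked variant refuses the malformed lexicon.
bool CheckedRejectsNullEntry() {
  try {
    GetKeyMaxLengthChecked(MakeLexicon(true));
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}

}  // namespace demo

int main() {
  // Well-formed input: both variants agree (12).
  demo::Lexicon good = demo::MakeLexicon(false);
  size_t unchecked = demo::GetKeyMaxLengthUnchecked(good);
  size_t checked = demo::GetKeyMaxLengthChecked(good);
  // Malformed input: only the checked variant is safe to call.
  bool rejected = demo::CheckedRejectsNullEntry();
  return (unchecked == checked && rejected) ? 0 : 1;
}
```

The check belongs as close to the loader as possible: a null entry is a violation of the Lexicon's invariant, and validating it where the dictionary is parsed (rather than in every consumer such as GetKeyMaxLength) keeps the fix in one place.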