Open morningbread opened 1 year ago
Hi, I found a null pointer dereference vulnerability in KeyLength().
I put the POC in the attachment; prove it like this (compile open_dict with address sanitizer): `./opencc_dict -i poc -o tmp -f ocd2 -t text`
Then, ASAN would catch the error:
```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1338522==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff1de6447fb bp 0x7ffcbb091c10 sp 0x7ffcbb091ac0 T0)
==1338522==The signal is caused by a READ memory access.
==1338522==Hint: address points to the zero page.
    #0 0x7ff1de6447fb in opencc::DictEntry::KeyLength() const /home/coco/work/OpenCC/src/DictEntry.hpp:44:37
    #1 0x7ff1de6447fb in GetKeyMaxLength(std::shared_ptr<opencc::Lexicon> const&) /home/coco/work/OpenCC/src/TextDict.cpp:30:31
    #2 0x7ff1de6447fb in opencc::TextDict::TextDict(std::shared_ptr<opencc::Lexicon> const&) /home/coco/work/OpenCC/src/TextDict.cpp:82:17
    #3 0x7ff1de6447fb in opencc::TextDict::NewFromDict(opencc::Dict const&) /home/coco/work/OpenCC/src/TextDict.cpp:106:26
    #4 0x7ff1de5f6de5 in ConvertDict(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::Dict>) /home/coco/work/OpenCC/src/DictConverter.cpp:47:12
    #5 0x7ff1de5f7202 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:66:32
    #6 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
    #7 0x7ff1de03b082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41e81d in _start (/home/coco/work/OpenCC/build/rel/src/tools/opencc_dict+0x41e81d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/coco/work/OpenCC/src/DictEntry.hpp:44:37 in opencc::DictEntry::KeyLength() const
==1338522==ABORTING
```
poc.zip
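A minimal C++ model of the crash path in the trace above (GetKeyMaxLength walking a Lexicon and calling DictEntry::KeyLength() on a null entry) beside a null-checked variant, added here as an illustration. DictEntry, Lexicon and both function bodies are hypothetical stand-ins, not OpenCC's own code.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Hypothetical stand-in for opencc::DictEntry (not the project's own code).
struct DictEntry {
    std::string key;
    std::size_t KeyLength() const { return key.length(); }
};

// Hypothetical stand-in for opencc::Lexicon: the entries parsed from the
// input file. A malformed file may leave a null entry in the list.
using Lexicon = std::vector<std::shared_ptr<DictEntry>>;

// Unchecked scan: dereferences each entry, so a null entry crashes inside
// KeyLength() with a SEGV on the zero page, as in the ASAN report above.
std::size_t GetKeyMaxLengthUnchecked(const Lexicon& lexicon) {
    std::size_t maxLength = 0;
    for (const auto& entry : lexicon) {
        maxLength = std::max(maxLength, entry->KeyLength());  // UB if null
    }
    return maxLength;
}

// Hardened scan: a null entry means the dictionary is malformed, so report
// failure (std::nullopt) instead of dereferencing it.
std::optional<std::size_t> GetKeyMaxLengthChecked(const Lexicon& lexicon) {
    std::size_t maxLength = 0;
    for (const auto& entry : lexicon) {
        if (!entry) {
            return std::nullopt;  // caller rejects the input file
        }
        maxLength = std::max(maxLength, entry->KeyLength());
    }
    return maxLength;
}

// Constructed sample data: a well-formed lexicon and one with a null entry.
Lexicon MakeGoodLexicon() {
    return {std::make_shared<DictEntry>(DictEntry{"abc"}),
            std::make_shared<DictEntry>(DictEntry{"hello"})};
}
Lexicon MakeBadLexicon() {
    Lexicon lexicon = MakeGoodLexicon();
    lexicon.push_back(nullptr);  // the state the crash report implies
    return lexicon;
}
```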