Open morningbread opened 1 year ago
Hi, I found a stack overflow vulnerability in `SerializedValues::NewFromFile()`.
I put the POC in the attachment, prove it like this (compile open_dict with address sanitizer): `./opencc_dict -i poc -o tmp -f ocd2 -t text`
Then, ASAN would catch the error:
```
==2189305==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffdbc341070 at pc 0x0000004328d6 bp 0x7ffdbc340e70 sp 0x7ffdbc340630
READ of size 7 at 0x7ffdbc341070 thread T0
    #0 0x4328d5 in __interceptor_strlen /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:389:5
    #1 0x7f5ca3ae7894 in std::char_traits<char>::length(char const*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/char_traits.h:342:9
    #2 0x7f5ca3ae7894 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:531:39
    #3 0x7f5ca3ae7894 in opencc::SerializedValues::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/SerializedValues.cpp:103:24
    #4 0x7f5ca3ab89d2 in opencc::MarisaDict::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/MarisaDict.cpp:107:7
    #5 0x7f5ca3a8f854 in bool opencc::SerializableDict::TryLoadFromFile<opencc::MarisaDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::MarisaDict>*) /home/coco/work/OpenCC/src/SerializableDict.hpp:62:40
    #6 0x7f5ca3aa47af in std::shared_ptr<opencc::MarisaDict> opencc::SerializableDict::NewFromFile<opencc::MarisaDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/SerializableDict.hpp:71:10
    #7 0x7f5ca3aa47af in LoadDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:38:12
    #8 0x7f5ca3aa50f4 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:65:22
    #9 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
    #10 0x7f5ca34e9082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41e81d in _start (/home/coco/work/OpenCC/build/rel/src/tools/opencc_dict+0x41e81d)
```
poc.zip
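The trace above reports `stack-use-after-scope` inside `strlen()` while a `std::string` is built from a `char const*`, i.e. the pointer handed to the string constructor refers to a stack buffer whose lifetime has already ended. As an added illustration of that bug class (a constructed example, not OpenCC's code; the one-record-per-call format, the 64-byte cap and the function names are assumptions), here is the flawed pattern next to a reader that copies while the buffer is alive and bounds the read against untrusted input:

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Flawed pattern (assumed, not OpenCC's code): the pointer passed to
// std::string refers to 'buffer', whose lifetime ended with the inner block.
// strlen() then reads dead stack memory, which AddressSanitizer reports as
// stack-use-after-scope. Kept here for comparison only; do not call it.
std::string ReadRecordFlawed(FILE* fp) {
  const char* text = nullptr;
  {
    char buffer[64];
    size_t n = fread(buffer, 1, sizeof(buffer) - 1, fp);
    buffer[n] = '\0';
    text = buffer;  // pointer escapes the block that owns the buffer
  }                 // buffer is dead from here on
  return std::string(text);  // use after scope: strlen() on dead stack
}

// Hardened pattern: read at most sizeof(buffer) bytes, stop at the NUL
// terminator, reject truncated or overlong records instead of trusting
// strlen() on attacker-controlled bytes, and copy into the owning
// std::string while 'buffer' is still alive.
bool ReadRecordChecked(FILE* fp, std::string* out) {
  char buffer[64];
  size_t n = 0;
  for (;;) {
    int c = fgetc(fp);
    if (c == EOF) return false;             // truncated: EOF before NUL
    if (c == '\0') break;                   // terminator found inside the cap
    if (n == sizeof(buffer)) return false;  // overlong record: reject
    buffer[n++] = static_cast<char>(c);
  }
  out->assign(buffer, n);  // copy happens while buffer is in scope
  return true;
}

// Test helper: wrap constructed bytes in a FILE* via POSIX fmemopen so the
// reader can be exercised offline without a file on disk.
bool ParseBytes(const char* bytes, size_t len, std::string* out) {
  FILE* fp = fmemopen(const_cast<char*>(bytes), len, "rb");
  if (fp == nullptr) return false;
  bool ok = ReadRecordChecked(fp, out);
  fclose(fp);
  return ok;
}
```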