Closed zzcentury closed 5 years ago
Do you have a more detailed stack trace for this? @clerkma
FYI, here is the result on my machine when building with ASAN and debug.
=================================================================
==13108==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007f9561 at pc 0x0000004d91e2 bp 0x7ffece0d47c0 sp 0x7ffece0d3f70
READ of size 17 at 0x0000007f9561 thread T0
#0 0x4d91e1 in __asan_memcpy (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1)
#1 0x7a7bfa in sdsnewlen /home/hongxu/FOT/otfcc-asan/build/gmake/../../dep/extern/sds.c:131:9
#2 0x78508c in utf16be_to_utf8 /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/support/unicodeconv/unicodeconv.c:123:12
#3 0x630b9a in otfcc_readName /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/table/name.c:63:22
#4 0x51f781 in readOtf /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/otf-reader/otf-reader.c:26:16
#5 0x514b0b in main /home/hongxu/FOT/otfcc-asan/build/gmake/../../src/otfccdump.c:199:10
#6 0x7f2bbd247b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x41a469 in _start (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x41a469)
0x0000007f9561 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x7f9560) of size 1
'<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1) in __asan_memcpy
Shadow bytes around the buggy address:
0x0000800f7250: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 02 f9
0x0000800f7260: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000800f7270: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06
0x0000800f7280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800f7290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800f72a0: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
0x0000800f72b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800f72c0: 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
0x0000800f72d0: 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0000800f72e0: 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000800f72f0: 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13108==ABORTING
Similar crashes happen with inputs such as cff.abs.otf inside https://github.com/caryll/otfcc/blob/master/tests/payload/cffspecial/
I am curious about that why you are filing these bugs since I am deprecating otfcc (I have an internal TypeScript lib to deal with OTFs). Are you (or someone else) using it?
Not exactly, I just saw some CVE entries and would like to find interesting projects to analyze :smile_cat:
CVE? Also I am away from my dev env and want to deprecate this project (that TS lib would be much better). PRs are welcome.
The crash site is sds's (a string library) allocation func.
Hmm your file crashes TTX too.
Test Version
dev version, git clone https://github.com/caryll/otfcc.git
Test Program
otfcc/bin/release-x64/otfccdump [infile]
Asan Debug Information
POC file
https://github.com/moonAgirl/Bugs/blob/master/otfcc/2018-12-30-01-global-buffer-overflow.otf/
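The ASan trace above shows sdsnewlen, called from utf16be_to_utf8 while reading the name table, copying 17 bytes out of a 1-byte string literal: the byte count reaching the converter was not tied to the buffer actually available. The following C program is an added example, not otfcc's code, showing the defensive shape a name-string reader should have: a record is rejected before any read when its offset plus length exceeds the string storage it points into, and the UTF-16BE decoder also rejects odd byte lengths and broken surrogate pairs, which goes beyond the specific crash reported here. The name_record_t layout and the sample storage bytes are assumptions constructed for the example, not taken from the POC file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified view of one OpenType name record: only the fields that
   matter for bounds checking the string storage it points into. */
typedef struct {
    uint16_t platformID; /* 0 = Unicode, 3 = Windows: string data is UTF-16BE */
    uint16_t length;     /* byte length of the string inside the storage area  */
    uint16_t offset;     /* byte offset from the start of the storage area     */
} name_record_t;

/* Encode one code point as UTF-8 into out (at most 4 bytes); returns bytes written. */
static size_t utf8_encode(uint32_t cp, char *out) {
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6));
        out[1] = (char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12));
        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18));
    out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Convert exactly nbytes of UTF-16BE to a malloc'd NUL-terminated UTF-8 string.
   Returns NULL (and allocates nothing) for an odd length, a lone surrogate, or a
   high surrogate cut off by the end of the buffer. Caller frees the result. */
char *utf16be_to_utf8_checked(const uint8_t *p, size_t nbytes) {
    if (nbytes % 2 != 0) return NULL;
    size_t nunits = nbytes / 2;
    /* Each 16-bit unit expands to at most 3 UTF-8 bytes; a surrogate pair
       (two units) expands to 4, so 3 bytes per unit plus the NUL is enough. */
    char *out = malloc(nunits * 3 + 1);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < nunits; i++) {
        uint32_t u = ((uint32_t)p[2 * i] << 8) | p[2 * i + 1];
        if (u >= 0xD800 && u <= 0xDBFF) {          /* high surrogate */
            if (i + 1 >= nunits) { free(out); return NULL; }   /* truncated pair */
            uint32_t lo = ((uint32_t)p[2 * (i + 1)] << 8) | p[2 * (i + 1) + 1];
            if (lo < 0xDC00 || lo > 0xDFFF) { free(out); return NULL; }
            u = 0x10000 + ((u - 0xD800) << 10) + (lo - 0xDC00);
            i++;
        } else if (u >= 0xDC00 && u <= 0xDFFF) {   /* lone low surrogate */
            free(out);
            return NULL;
        }
        o += utf8_encode(u, out + o);
    }
    out[o] = '\0';
    return out;
}

/* Bounds-check a record against the storage it points into before reading.
   The sum is computed in size_t so two 16-bit fields cannot wrap around. */
char *read_name_string(const uint8_t *storage, size_t storage_len, const name_record_t *rec) {
    size_t end = (size_t)rec->offset + rec->length;
    if (end > storage_len) return NULL;   /* record points past the end of storage */
    return utf16be_to_utf8_checked(storage + rec->offset, rec->length);
}

/* Constructed sample storage (not from any real font):
   "Ab", then U+00E9, then U+1F600 as the surrogate pair D83D DE00, all UTF-16BE. */
static const uint8_t SAMPLE_STORAGE[] = {
    0x00, 0x41, 0x00, 0x62, 0x00, 0xE9, 0xD8, 0x3D, 0xDE, 0x00
};

/* Convert one record of the sample storage and compare with expected;
   expected == NULL means the record must be rejected. Returns 1 on match. */
int check_record(uint16_t offset, uint16_t length, const char *expected) {
    name_record_t rec = { 3, length, offset };
    char *s = read_name_string(SAMPLE_STORAGE, sizeof SAMPLE_STORAGE, &rec);
    int ok = (s == NULL || expected == NULL) ? (s == NULL && expected == NULL)
                                             : (strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void) {
    printf("in-bounds record:  %d\n", check_record(0, 4, "Ab"));
    printf("past end rejected: %d\n", check_record(8, 4, NULL));
    printf("odd length:        %d\n", check_record(0, 3, NULL));
    printf("cut surrogate:     %d\n", check_record(6, 2, NULL));
    return 0;
}
```

The check that matters for the crash class in this report is the one in read_name_string: the converter is only ever handed a length that lies inside the buffer it will read from, so a malformed record yields a NULL (which the caller can skip or report) rather than an out-of-bounds memcpy.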