caryll / otfcc

Optimized OpenType builder and inspector.
Apache License 2.0

global-buffer-overflow in /lib/support/unicodeconv/unicodeconv.c:40:2 #59

Closed zzcentury closed 5 years ago

zzcentury commented 5 years ago

Test Version

dev version, git clone https://github.com/caryll/otfcc.git

Test Program

otfcc/bin/release-x64/otfccdump [infile]

Asan Debug Information

➜  release-x64 git:(master) ✗ ./otfccdump ../../../crashes_1/2018-12-30-01-global-buffer-overflow.otf   
=================================================================
==46365==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000008be881 at pc 0x0000004582e5 bp 0x7fff894427d0 sp 0x7fff89441f80
READ of size 95 at 0x0000008be881 thread T0
    #0 0x4582e4  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4)
    #1 0x86c0c1  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x86c0c1)
    #2 0x844322  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x844322)
    #3 0x68c74d  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x68c74d)
    #4 0x4fb6ec  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4fb6ec)
    #5 0x4eb79f  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4eb79f)
    #6 0x7f893917c82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x418c88  (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x418c88)

0x0000008be881 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x8be880) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/moonagirl/megic_afl/otfcc/bin/release-x64/otfccdump+0x4582e4) 
Shadow bytes around the buggy address:
  0x00008010fcc0: 00 00 00 06 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x00008010fcd0: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fce0: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
  0x00008010fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008010fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008010fd10:[01]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008010fd20: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd30: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x00008010fd40: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008010fd50: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x00008010fd60: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 07 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==46365==ABORTING

POC file

https://github.com/moonAgirl/Bugs/blob/master/otfcc/2018-12-30-01-global-buffer-overflow.otf/

be5invis commented 5 years ago

Do you have a more detailed stack trace for this? @clerkma

hongxuchen commented 5 years ago

FYI, here is the result on my machine when building with ASAN and debug.

=================================================================
==13108==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000007f9561 at pc 0x0000004d91e2 bp 0x7ffece0d47c0 sp 0x7ffece0d3f70
READ of size 17 at 0x0000007f9561 thread T0
    #0 0x4d91e1 in __asan_memcpy (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1)
    #1 0x7a7bfa in sdsnewlen /home/hongxu/FOT/otfcc-asan/build/gmake/../../dep/extern/sds.c:131:9
    #2 0x78508c in utf16be_to_utf8 /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/support/unicodeconv/unicodeconv.c:123:12
    #3 0x630b9a in otfcc_readName /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/table/name.c:63:22
    #4 0x51f781 in readOtf /home/hongxu/FOT/otfcc-asan/build/gmake/../../lib/otf-reader/otf-reader.c:26:16
    #5 0x514b0b in main /home/hongxu/FOT/otfcc-asan/build/gmake/../../src/otfccdump.c:199:10
    #6 0x7f2bbd247b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41a469 in _start (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x41a469)

0x0000007f9561 is located 0 bytes to the right of global variable '<string literal>' defined in '../../lib/support/unicodeconv/unicodeconv.c:40:22' (0x7f9560) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/hongxu/FOT/otfcc-asan/bin/debug-x64/otfccdump+0x4d91e1) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0000800f7250: 00 00 00 00 00 00 00 06 f9 f9 f9 f9 00 00 02 f9
  0x0000800f7260: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800f7270: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 06
  0x0000800f7280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800f7290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800f72a0: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
  0x0000800f72b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800f72c0: 01 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800f72d0: 00 04 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x0000800f72e0: 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800f72f0: 00 05 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13108==ABORTING

Similar crashes happen with inputs such as cff.abs.otf inside https://github.com/caryll/otfcc/blob/master/tests/payload/cffspecial/
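Both ASan reports above describe the same shape of bug: `sdsnewlen` is asked to `memcpy` 17 (or 95) bytes from a pointer that actually points at the 1-byte string literal `""` in `unicodeconv.c:40`, reached through `otfcc_readName` → `utf16be_to_utf8`. In other words, the pointer and the length handed to the string copy do not describe the same buffer, and the length comes from an attacker-controlled `name` record. The following is an added example, not otfcc's own code or a patch for it, showing how a `name` table reader and a UTF-16BE → UTF-8 converter can be written so that every record's offset and length are validated against the table bounds before any byte is read, and so that the converter's output length is always derived from the bytes it really produced. The table bytes, function names and the `name_entry` struct are all constructed for this example; the third record's length of 95 is chosen to mirror the READ size in the first report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a big-endian uint16; the caller has already checked that two bytes exist. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* UTF-16BE -> NUL-terminated UTF-8. Returns a malloc'd buffer and sets *out_len,
 * or NULL for an odd-length input or a lone/mismatched surrogate. The length is
 * taken from the bytes actually written, so pointer and length always agree. */
char *utf16be_to_utf8_checked(const uint8_t *src, size_t len, size_t *out_len) {
    if (len % 2 != 0) return NULL;
    /* one 16-bit unit becomes at most 3 bytes; a surrogate pair (2 units) becomes 4 */
    char *out = malloc(len / 2 * 3 + 1);
    if (!out) return NULL;
    size_t n = 0;
    for (size_t i = 0; i < len; i += 2) {
        uint32_t cp = be16(src + i);
        if (cp >= 0xD800 && cp <= 0xDBFF) {            /* high surrogate: a low one must follow */
            if (i + 4 > len) { free(out); return NULL; }
            uint32_t lo = be16(src + i + 2);
            if (lo < 0xDC00 || lo > 0xDFFF) { free(out); return NULL; }
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 2;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {     /* lone low surrogate */
            free(out); return NULL;
        }
        if (cp < 0x80) {
            out[n++] = (char)cp;
        } else if (cp < 0x800) {
            out[n++] = (char)(0xC0 | (cp >> 6));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            out[n++] = (char)(0xE0 | (cp >> 12));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[n++] = (char)(0xF0 | (cp >> 18));
            out[n++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            out[n++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[n++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[n] = '\0';
    *out_len = n;
    return out;
}

typedef struct {
    uint16_t platform, encoding, language, name_id;
    char *utf8;
    size_t utf8_len;
} name_entry;

/* Parse an OpenType 'name' table: 6-byte header, then 12-byte NameRecords
 * (the language-tag records of format 1 are ignored). Each record's string
 * range [stringOffset+offset, +length) is checked against tbl_len before any
 * string byte is touched; out-of-bounds or undecodable records are counted in
 * *rejected and skipped rather than copied. Only Unicode (0) and Windows (3)
 * platform strings are decoded, since those are the UTF-16BE ones. */
size_t read_name_table(const uint8_t *tbl, size_t tbl_len,
                       name_entry *entries, size_t max, size_t *rejected) {
    *rejected = 0;
    if (tbl_len < 6) return 0;
    uint16_t format = be16(tbl), count = be16(tbl + 2), string_offset = be16(tbl + 4);
    if (format > 1) return 0;
    if (6 + (size_t)count * 12 > tbl_len) return 0;      /* record array is truncated */
    size_t good = 0;
    for (size_t i = 0; i < count && good < max; i++) {
        const uint8_t *rec = tbl + 6 + i * 12;
        uint16_t platform = be16(rec), len = be16(rec + 8), off = be16(rec + 10);
        size_t start = (size_t)string_offset + off;
        if (platform != 0 && platform != 3) { (*rejected)++; continue; }
        if (start > tbl_len || len > tbl_len - start) { (*rejected)++; continue; }
        size_t ulen;
        char *s = utf16be_to_utf8_checked(tbl + start, len, &ulen);
        if (!s) { (*rejected)++; continue; }
        entries[good++] = (name_entry){ platform, be16(rec + 2), be16(rec + 4),
                                        be16(rec + 6), s, ulen };
    }
    return good;
}

void free_name_entries(name_entry *entries, size_t n) {
    for (size_t i = 0; i < n; i++) free(entries[i].utf8);
}

/* Constructed sample table (not taken from any real font): two well-formed
 * records followed by one whose length of 95 runs past the end of the table. */
const uint8_t CONSTRUCTED_NAME_TABLE[] = {
    0x00,0x00, 0x00,0x03, 0x00,0x2A,                        /* format 0, count 3, stringOffset 42 */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x01, 0x00,0x08, 0x00,0x00, /* nameID 1, len 8, off 0  */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x04, 0x00,0x06, 0x00,0x08, /* nameID 4, len 6, off 8  */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x05, 0x00,0x5F, 0x00,0x0E, /* nameID 5, len 95, off 14 */
    0x00,0x54, 0x00,0x65, 0x00,0x73, 0x00,0x74,             /* "Test" */
    0xD8,0x3D, 0xDE,0x00, 0x00,0x41,                        /* U+1F600 then 'A' */
};

int main(void) {
    name_entry e[8];
    size_t rejected;
    size_t n = read_name_table(CONSTRUCTED_NAME_TABLE, sizeof CONSTRUCTED_NAME_TABLE, e, 8, &rejected);
    for (size_t i = 0; i < n; i++)
        printf("nameID %u: \"%s\" (%zu bytes)\n", e[i].name_id, e[i].utf8, e[i].utf8_len);
    printf("%zu decoded, %zu rejected\n", n, rejected);
    free_name_entries(e, n);
    return 0;
}
```

Rejecting a single bad record rather than the whole table keeps the reader tolerant of the slightly broken fonts a dump tool is expected to open, while guaranteeing that no copy can ever read past the table buffer. Building this under `-fsanitize=address` and feeding it the crash files from this thread (after slicing out their `name` tables) is a quick way to confirm the checks hold.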

be5invis commented 5 years ago

I am curious why you are filing these bugs, since I am deprecating otfcc (I have an internal TypeScript lib to deal with OTFs). Are you (or someone else) using it?

hongxuchen commented 5 years ago

Not exactly, I just saw some CVE entries and would like to find interesting projects to analyze :smile_cat:

be5invis commented 5 years ago

CVE? Also I am away from my dev env and want to deprecate this project (that TS lib would be much better). PRs are welcome.

be5invis commented 5 years ago

The crash site is the allocation function of sds (a string library).

be5invis commented 5 years ago

Hmm your file crashes TTX too.