Closed Halcy0nic closed 1 year ago
Thanks for testing html2xhtml and for reporting the issue you've found. The detail of your report and your example files have been quite helpful to triage the bug.
I've found the cause of the issue: the node received by elm_close
was expected to be of type element but was of type comment instead. I've fixed it and your files don't cause a segmentation fault anymore.
Awesome, thanks!
Hi there!
Great work on html2xhtml, I find myself using it quite often. While I was using the tool I created some fuzz tests to run in the background. A couple of test cases led to a segfault when using the '-t frameset' option, which led me to further investigate the crash.
Valgrind
I started with Valgrind, which reported an invalid read of size 4 in each of the test cases:
GDB Backtrace and Source Code
I attached gdb to html2xhtml in an attempt to find where the Out of Bounds Read was taking place:
Taking a look at the segfault in GDB led me to the following function:
https://github.com/jfisteus/html2xhtml/blob/ffb2f1f12910eb5945413e0bdb9272b508241aa1/src/procesador.c#L940
A user could provide a malformed document with an invalid 'ELM_PTR(nodo).contenttype[doctype]', resulting in the following comparison in assembly:
This could be leveraged to read locations that they should not have access to. I have attached multiple crash files to help reproduce the issue.
Thanks again!
crashes.zip
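The defect the maintainer describes above (elm_close receiving a comment node where an element was expected) and the reporter's observation that ELM_PTR(nodo).contenttype[doctype] is read from a malformed document both come down to the same root cause: element-specific data is dereferenced without first checking what kind of node is in hand. The following C program is an added illustration of that pattern and its hardened form; it is not html2xhtml's code, and every name in it (node_kind_t, element_table, content_type_checked, close_node, the doctype indices) is an assumption made for the example. The element table, doctype values and sample nodes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical node kinds and doctype indices; all names here are assumptions. */
typedef enum { NODE_ELEMENT = 0, NODE_COMMENT = 1, NODE_TEXT = 2 } node_kind_t;
enum { DOC_STRICT = 0, DOC_FRAMESET = 1, DOC_COUNT = 2 };

/* Per-element static information, indexed by element id
 * (a stand-in for what an ELM_PTR()-style macro resolves to). */
typedef struct {
    const char *name;
    int contenttype[DOC_COUNT];   /* allowed content model per doctype */
} element_info_t;

/* Constructed element table with two entries. */
static const element_info_t element_table[] = {
    { "html",     { 1, 1 } },
    { "frameset", { 0, 1 } },
};
#define ELEMENT_TABLE_SIZE (sizeof element_table / sizeof element_table[0])

/* A parse-tree node: only NODE_ELEMENT nodes carry a meaningful element id. */
typedef struct {
    node_kind_t kind;
    int element_id;      /* meaningful only when kind == NODE_ELEMENT */
    const char *text;    /* comment/text payload, NULL for elements */
} node_t;

#define CONTENT_INVALID (-1)

/* The defect pattern: element info is dereferenced without checking the node kind.
 * On a comment node element_id is stale, so the table read can go out of bounds.
 * Shown for contrast only; never call it on a non-element node. */
int content_type_unchecked(const node_t *n, int doctype) {
    return element_table[n->element_id].contenttype[doctype];
}

/* Hardened lookup: validate the node kind, the element id and the doctype
 * before touching any element-specific memory. */
int content_type_checked(const node_t *n, int doctype) {
    if (n == NULL || n->kind != NODE_ELEMENT) return CONTENT_INVALID;
    if (n->element_id < 0 || (size_t)n->element_id >= ELEMENT_TABLE_SIZE) return CONTENT_INVALID;
    if (doctype < 0 || doctype >= DOC_COUNT) return CONTENT_INVALID;
    return element_table[n->element_id].contenttype[doctype];
}

/* Stand-in for an element-closing routine: returns 0 when the node is an element
 * with a valid content model under the given doctype, and -1 when it is not
 * (so the caller skips it instead of reading out of bounds). */
int close_node(const node_t *n, int doctype) {
    int ct = content_type_checked(n, doctype);
    if (ct == CONTENT_INVALID) return -1;
    /* content-model handling for the closing element would follow here */
    return 0;
}

/* Constructors for the constructed sample nodes. */
node_t make_element(int element_id) {
    node_t n = { NODE_ELEMENT, element_id, NULL };
    return n;
}

node_t make_comment(const char *text) {
    /* element_id 9 is deliberately stale garbage: a comment never has a valid one */
    node_t n = { NODE_COMMENT, 9, text };
    return n;
}

int main(void) {
    node_t frameset = make_element(1);
    node_t comment  = make_comment(" constructed comment ");
    printf("close frameset element under frameset doctype: %d\n", close_node(&frameset, DOC_FRAMESET));
    printf("close comment node under frameset doctype:     %d\n", close_node(&comment, DOC_FRAMESET));
    return 0;
}
```

The kind check is the fix the maintainer describes; the element-id and doctype bounds checks are defence in depth, so that a corrupted or stale index from a malformed input is rejected even if a caller ever bypasses the kind check.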