lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

heap-buffer-overflow abcparse.c:2149 in parse_line #25

Closed fgeek closed 4 years ago

fgeek commented 6 years ago

Reproducer: abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc.zip (SHA1: a9b2a139ef095743544fbf78fb68291ac4549f37)
Tested in: 070cfe675580d8deb01227ade7fb854a4ebee641
Fuzzing tool used: afl-2.52b

00000000  58 3a 30 0b 0d 30 30 30  30 30 30 30 30 30 0a 4d  |X:0..000000000.M|
00000010  3a 34 2f 34 0a 30 30 30  30 30 30 30 0a 4b 3a 30  |:4/4.0000000.K:0|
00000020  0a 7c 1a 47 41 42 63 20  64 65 64 42 7c 64 65 64  |.|.GABc dedB|ded|
00000030  42 20 64 65 63 20 5e 30  30 42 7c 63 32 30 30 30  |B dec ^00B|c2000|
00000040  30 30 42 0a 7c 3a 67 36  67 66 20 5c 64 42 64 5b  |00B.|:g6gf \dBd[|
00000050  67 32 66 29 2e 65 11 64  32 30 63 32 30 63 20 73  |g2f).e.d20c20c s|
00000060  30 64 64 66 7c 0a 28 30                           |0ddf|.(0|
00000068
./abcm2ps abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:6:1: error: Bad character
   6 |GABc dedB|dedB dec ^00B|c200000B
      ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:7: error: '\' ignored
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
            ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:18: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                       ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:26: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                               ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:28: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                 ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:31: error: Too many notes in chord
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                    ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:32: error: Too many notes in chord
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                     ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:32: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                     ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:12: error: Chord not closed
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                 ^
=================================================================
==12611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028ff at pc 0x55ff23ed14cd bp 0x7fffc3d7d7f0 sp 0x7fffc3d7d7e8
READ of size 1 at 0x6250000028ff thread T0
    #0 0x55ff23ed14cc in parse_line /home/hsalo/src/abcm2ps/abcparse.c:2149
    #1 0x55ff23ed14cc in abc_parse /home/hsalo/src/abcm2ps/abcparse.c:164
    #2 0x55ff23f8d010 in txt_add_eos /home/hsalo/src/abcm2ps/front.c:379
    #3 0x55ff23f8d010 in frontend /home/hsalo/src/abcm2ps/front.c:891
    #4 0x55ff23eaaf3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #5 0x55ff23ea72b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #6 0x7f2a28e7f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x55ff23ea9649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x6250000028ff is located 1 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x7f2a295c3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ff23f8a697 in txt_add /home/hsalo/src/abcm2ps/front.c:109

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/abcm2ps/abcparse.c:2149 in parse_line
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12611==ABORTING
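The report above is a one-byte READ at an address one byte to the left of the 8192-byte line buffer malloc'd in txt_add, which is the signature of a scanner that peeks at the byte before the current position while the current position is the first byte of the buffer. The page does not show what abcparse.c:2149 actually does, so the following is a constructed illustration of that bug class and its fix, added here as an example and not abcm2ps code. The "bar preceded by a note letter" rule, the function names, and the sample lines (chosen to start with '|' like lines 6 and 7 of the reproducer) are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not abcm2ps code: a toy line scanner that decides how
 * to treat a '|' bar by peeking at the byte *before* it.  The unsafe variant
 * reads p[-1] unconditionally, so a '|' at offset 0 of a heap line buffer
 * reads one byte to the left of the allocation, the same shape as the ASan
 * report above (READ of size 1, 1 byte left of the malloc'd region). */

/* Copy exactly `len` bytes of `src` into a tight heap buffer: no NUL, no
 * slack, so every byte outside [buf, buf + len) is a redzone under ASan.
 * malloc(0) may legally return NULL, so allocate at least one byte. */
static char *heap_line(const char *src, size_t len)
{
    char *buf = malloc(len ? len : 1);
    if (buf == NULL) {
        perror("malloc");
        exit(1);
    }
    memcpy(buf, src, len);
    return buf;
}

/* Hypothetical rule: a bar "counts" when the previous byte is a note letter. */
static int is_note(char c)
{
    return (c >= 'A' && c <= 'G') || (c >= 'a' && c <= 'g');
}

/* UNSAFE: when p == buf, p[-1] is one byte before the allocation. */
size_t count_bars_after_note_unsafe(const char *buf, size_t len)
{
    size_t n = 0;
    for (const char *p = buf; p < buf + len; p++) {
        if (*p == '|' && is_note(p[-1]))   /* BUG: no check that p > buf */
            n++;
    }
    return n;
}

/* SAFE: only look back when there is a byte inside the buffer to look at. */
size_t count_bars_after_note_safe(const char *buf, size_t len)
{
    size_t n = 0;
    for (const char *p = buf; p < buf + len; p++) {
        if (*p == '|' && p > buf && is_note(p[-1]))
            n++;
    }
    return n;
}

/* Scan a constructed line through a tight heap buffer, as a parser would
 * scan text it has just read in, and return the count for checking. */
size_t scan_line_safe(const char *src)
{
    size_t len = strlen(src);
    char *buf = heap_line(src, len);
    size_t n = count_bars_after_note_safe(buf, len);
    free(buf);
    return n;
}

/* Same, with the buggy scanner; under AddressSanitizer this aborts as soon
 * as the line starts with '|'. */
size_t scan_line_unsafe(const char *src)
{
    size_t len = strlen(src);
    char *buf = heap_line(src, len);
    size_t n = count_bars_after_note_unsafe(buf, len);
    free(buf);
    return n;
}

int main(void)
{
    /* Constructed input: starts with '|', so the unsafe scanner reads buf[-1]. */
    const char *line = "|GABc dedB|dedB|";
    printf("safe:   %zu\n", scan_line_safe(line));
#ifdef DEMO_BUG
    printf("unsafe: %zu\n", scan_line_unsafe(line));   /* ASan reports here */
#endif
    return 0;
}
```

Built with `cc -g -fsanitize=address -DDEMO_BUG` and run, the unsafe path produces an AddressSanitizer heap-buffer-overflow of the same shape as the report in this issue (a 1-byte read located 1 byte to the left of the malloc'd region); without `-DDEMO_BUG` only the guarded scanner runs. The fix pattern is the `p > buf` check: any backward peek in a tokenizer needs the buffer start, not just the buffer end, as a bound.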
hkiel commented 4 years ago

I can confirm this fix. Can we close this?

moinejf commented 4 years ago

yes