./abcm2ps abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc
abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc:3:4: error: Missing note after accidental
3 K:G= A2BA0
^
abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc:4:20: error: Bad character
4 GABc dedB|dedB ded@|c2ec B2dB|A2F2 G4:|
^
=================================================================
==8898==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555c6e86c678 at pc 0x555c6e51ba86 bp 0x7fffeadf33e0 sp 0x7fffeadf33d8
READ of size 8 at 0x555c6e86c678 thread T0
#0 0x555c6e51ba85 in draw_acc /home/hsalo/src/abcm2ps/draw.c:980
#1 0x555c6e51ba85 in draw_keysig /home/hsalo/src/abcm2ps/draw.c:1143
#2 0x555c6e51ba85 in draw_symbols /home/hsalo/src/abcm2ps/draw.c:4785
#3 0x555c6e51ba85 in draw_all_symb /home/hsalo/src/abcm2ps/draw.c:4835
#4 0x555c6e58805e in output_music /home/hsalo/src/abcm2ps/music.c:5141
#5 0x555c6e5b3d20 in generate /home/hsalo/src/abcm2ps/parse.c:1039
#6 0x555c6e5db37c in gen_ly /home/hsalo/src/abcm2ps/parse.c:1060
#7 0x555c6e5db37c in do_tune /home/hsalo/src/abcm2ps/parse.c:3621
#8 0x555c6e4599b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
#9 0x555c6e533df8 in frontend /home/hsalo/src/abcm2ps/front.c:905
#10 0x555c6e451f3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
#11 0x555c6e44e2b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
#12 0x7fd7400dd2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#13 0x555c6e450649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)
0x555c6e86c678 is located 40 bytes to the left of global variable 'yn' defined in 'format.c:479:14' (0x555c6e86c6a0) of size 16
0x555c6e86c678 is located 8 bytes to the right of global variable 'acc_tb' defined in 'draw.c:27:14' (0x555c6e86c640) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/abcm2ps/draw.c:980 in draw_acc
Shadow bytes around the buggy address:
0x0aac0dd05870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aac0dd05880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aac0dd05890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aac0dd058a0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0aac0dd058b0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0aac0dd058c0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9[f9]
0x0aac0dd058d0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0aac0dd058e0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0aac0dd058f0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0aac0dd05900: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
0x0aac0dd05910: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8898==ABORTING
Fun fact when running geeqie in Debian stable (stretch 1:1.3-1+b1) for the output SVG:
Thread 1 "geeqie" received signal SIGSEGV, Segmentation fault.
__memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:301
301 ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0 __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:301
#1 0x00007ffff4c5fd06 in ?? () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14
#2 0x00007ffff4c59375 in Exiv2::PreviewManager::getPreviewImage(Exiv2::PreviewProperties const&) const () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14
#3 0x00007ffff4c6d8f7 in Exiv2::Rw2Image::readMetadata() () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14
Reproducer: abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc.zip (SHA1: bd48041d13a2e3f59113e6a119d28a1ecee947ca)
Tested in: 070cfe675580d8deb01227ade7fb854a4ebee641
Fuzzing tool used: afl-2.52b