lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Memory access violation in draw.c:4746 #28

Closed invictus1306 closed 6 years ago

invictus1306 commented 6 years ago

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./abcm2ps ./report1.abc 
==17134== Memcheck, a memory error detector
==17134== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17134== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17134== Command: ./abcm2ps ../../abcm2ps/crashes_/report1.abc
==17134== 
abcm2ps-8.13.21 (2018-05-05)
File ../../abcm2ps/crashes_/report1.abc
error: Bad page width 0.0
../../abcm2ps/crashes_/report1.abc:56:10: error: Unknown clef
  56 [K:G clef=trfble
               ^
==17134== Invalid read of size 1
==17134==    at 0x41BF78: draw_symbols (draw.c:4746)
==17134==    by 0x41BF78: draw_all_symb (draw.c:4835)
==17134==    by 0x42960F: output_music (music.c:5141)
==17134==    by 0x42E1F0: generate (parse.c:1039)
==17134==    by 0x42E877: gen_ly (parse.c:1060)
==17134==    by 0x43433F: do_tune (parse.c:3621)
==17134==    by 0x4088A1: abc_parse (abcparse.c:177)
==17134==    by 0x41F686: txt_add_eos (front.c:379)
==17134==    by 0x4200E7: frontend (front.c:891)
==17134==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17134==    by 0x4030E7: main (abcm2ps.c:1040)
==17134==  Address 0x10044817c is not stack'd, malloc'd or (recently) free'd
==17134== 
==17134== 
==17134== Process terminating with default action of signal 11 (SIGSEGV)
==17134==  Access not within mapped region at address 0x10044817C
==17134==    at 0x41BF78: draw_symbols (draw.c:4746)
==17134==    by 0x41BF78: draw_all_symb (draw.c:4835)
==17134==    by 0x42960F: output_music (music.c:5141)
==17134==    by 0x42E1F0: generate (parse.c:1039)
==17134==    by 0x42E877: gen_ly (parse.c:1060)
==17134==    by 0x43433F: do_tune (parse.c:3621)
==17134==    by 0x4088A1: abc_parse (abcparse.c:177)
==17134==    by 0x41F686: txt_add_eos (front.c:379)
==17134==    by 0x4200E7: frontend (front.c:891)
==17134==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17134==    by 0x4030E7: main (abcm2ps.c:1040)
==17134==  If you believe this happened as a result of a stack
==17134==  overflow in your program's main thread (unlikely but
==17134==  possible), you can try to increase the size of the
==17134==  main thread stack using the --main-stacksize= flag.
==17134==  The main thread stack size used in this run was 8388608.
==17134== 
==17134== HEAP SUMMARY:
==17134==     in use at exit: 241,110 bytes in 35 blocks
==17134==   total heap usage: 61 allocs, 26 frees, 661,858 bytes allocated
==17134== 
==17134== LEAK SUMMARY:
==17134==    definitely lost: 0 bytes in 0 blocks
==17134==    indirectly lost: 0 bytes in 0 blocks
==17134==      possibly lost: 0 bytes in 0 blocks
==17134==    still reachable: 241,110 bytes in 35 blocks
==17134==         suppressed: 0 bytes in 0 blocks
==17134== Rerun with --leak-check=full to see details of leaked memory
==17134== 
==17134== For counts of detected and suppressed errors, rerun with: -v
==17134== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It is a read access violation (draw_symbols (draw.c:4746))

0x41bf78 <draw_all_symb+4648> movsx edx, BYTE PTR [rax+0x44817d]

The value of rax could be controlled by an attacker

$rax : 0x00000000ffffffff

but I did not do a thorough analysis.

report1.zip
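The trace above pairs an "Unknown clef" parse error with a later one-byte read at `[rax+0x44817d]` where rax holds 0xffffffff, which is what a 32-bit -1 sentinel looks like once it is widened into a 64-bit register and used as an array index. The following is an added example, not abcm2ps code and not a reconstruction of draw.c: it assumes a hypothetical clef table (`clef_names`, `clef_glyph_line`, `CLEF_COUNT` are constructed) and shows the defect pattern of reporting a parse error but letting the -1 flow into the drawing stage, next to the hardened pattern where the index is validated and a default is substituted before any table access.

```c
/* Added example, not abcm2ps code. Shows how an "unknown clef" sentinel
 * (-1, which is 0xffffffff in a 32-bit register) can reach an array index
 * when the parser reports the error but keeps going, and how to stop it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical clef table; names and staff-line numbers are constructed. */
enum { CLEF_TREBLE, CLEF_BASS, CLEF_ALTO, CLEF_TENOR, CLEF_COUNT };
static const char *const clef_names[CLEF_COUNT] = { "treble", "bass", "alto", "tenor" };
static const signed char clef_glyph_line[CLEF_COUNT] = { 2, 4, 3, 4 };

/* Return the table index for a clef name, or -1 when it is unknown. */
int clef_lookup(const char *name, size_t len)
{
    for (int i = 0; i < CLEF_COUNT; i++)
        if (strlen(clef_names[i]) == len && memcmp(clef_names[i], name, len) == 0)
            return i;
    return -1;
}

/* Extract the value of "clef=" from a K: field such as "K:G clef=trfble".
 * Returns the table index, CLEF_TREBLE when no clef is given, -1 when unknown. */
int parse_clef_field(const char *field)
{
    const char *p = strstr(field, "clef=");
    if (p == NULL)
        return CLEF_TREBLE;
    p += strlen("clef=");
    size_t len = strcspn(p, " \t\r\n");
    return clef_lookup(p, len);
}

/* Defect pattern: the caller printed an error but stored the sentinel, and the
 * drawing code indexes the table with it. clef_glyph_line[-1] is an
 * out-of-bounds read, the same shape as the one-byte read in the valgrind trace. */
int draw_clef_unchecked(int clef)
{
    return clef_glyph_line[clef];
}

/* Hardened pattern: validate the index before the table access and return a
 * status instead of a value that might be garbage. */
int draw_clef_checked(int clef, int *line_out)
{
    if (clef < 0 || clef >= CLEF_COUNT)
        return -1;
    *line_out = clef_glyph_line[clef];
    return 0;
}

/* Parser and drawer together: an unknown clef is reported AND replaced by the
 * default, so no sentinel survives past the parse stage. Returns the staff line
 * used, or -1 if drawing failed; *warned is set when a substitution happened. */
int render_key_field(const char *field, int *warned)
{
    int clef = parse_clef_field(field);
    int line;

    *warned = 0;
    if (clef < 0) {
        fprintf(stderr, "error: Unknown clef in \"%s\", using treble\n", field);
        *warned = 1;
        clef = CLEF_TREBLE;
    }
    if (draw_clef_checked(clef, &line) != 0)
        return -1;
    return line;
}

int main(void)
{
    int warned;
    /* Constructed input, modelled on the line quoted in the report. */
    int line = render_key_field("K:G clef=trfble", &warned);
    printf("staff line %d (substituted: %s)\n", line, warned ? "yes" : "no");
    return 0;
}
```

The point of `render_key_field` is that the error message and the state repair happen in the same place: a parser that only prints "Unknown clef" and returns leaves every later stage responsible for remembering that the value is invalid, and the drawing loop is exactly the stage that forgets.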