lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Null pointer dereference vulnerability in the function d_trill() #41

Closed SegfaultMasters closed 5 years ago

SegfaultMasters commented 5 years ago

Tested environment: 64-bit Ubuntu 16.04 LTS

Affected version: 8.14.1-master

Command: `./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10`

Vulnerable code:

```c
	if (de->start) {		/* deco start */
		s = de->start->s;
		x = s->x;
		if (s->abc_type == ABC_T_NOTE
		 && s->u.note.dc.n > 1)
			x += 10;
```

Debug:

GDB:

```text
→  588          s = de->start->s;
    589         x = s->x;
    590         if (s->abc_type == ABC_T_NOTE
    591          && s->u.note.dc.n > 1)
    592             x += 10;
    593  // } else {            /* end without start */
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x5555555675bf → d_trill(de=0x5555557eb610)
[#1] 0x555555569064 → draw_deco_note()
[#2] 0x555555572d43 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p  de->start
$1 = (struct deco_elt *) 0x0
gef➤  p *de
$2 = {
  next = 0x5555557eb648, 
  prev = 0x5555557eb5d8, 
  s = 0x5555557e8390, 
  start = 0x0, 
  t = 0x4, 
  staff = 0x0, 
  flags = 0x0, 
  defl = 0x0, 
  m = 0xff, 
  x = 0, 
  y = 0, 
  dy = 0, 
  val = 0
}
gef➤  i r
rax            0x0  0x0
rbx            0x5555557eb610   0x5555557eb610
rcx            0x1f 0x1f
rdx            0x38 0x38
rsi            0x1f 0x1f
rdi            0x5555557eb610   0x5555557eb610
rbp            0x5555557e8390   0x5555557e8390
rsp            0x7fffffffd640   0x7fffffffd640
r8             0x5555557be7e8   0x5555557be7e8
r9             0x5555557eb5d8   0x5555557eb5d8
r10            0x0  0x0
r11            0x5555557e8130   0x5555557e8130
r12            0x5555557b4320   0x5555557b4320
r13            0x0  0x0
```

Reproducer file - Reproducer
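The GDB dump above shows the crashing `deco_elt` with `start = 0x0`, i.e. an end-of-decoration element that was never paired with a start, and `s = de->start->s` dereferencing that null pointer. The following is an added example, not code from the report or from abcm2ps: a constructed C model of the relevant structures (`struct sym`, `struct deco_elt`, the `ABC_T_NOTE` type and a `deco_count` field standing in for `s->u.note.dc.n`) with a hardened version of the quoted position computation that treats "end without start" as a skip rather than a dereference, plus a list walk that counts such orphaned ends so a test or sanitizer run can flag them. All names, fields and sample values are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the structures named in the report (not abcm2ps's own
 * definitions). A symbol carries its type, x position and the number of
 * decorations attached to it; a decoration element may point back at the
 * element that opened it (de->start), which is NULL for an unpaired end. */
enum { ABC_T_NOTE = 1, ABC_T_REST = 2 };

struct sym {
    int abc_type;     /* ABC_T_NOTE, ABC_T_REST, ... */
    int deco_count;   /* stands in for s->u.note.dc.n */
    float x;
};

struct deco_elt {
    struct deco_elt *next;
    struct deco_elt *start;   /* opening element, or NULL ("end without start") */
    struct sym *s;
    int is_end;               /* 1 for an end-of-decoration element */
};

/* Hardened counterpart of the quoted snippet: compute the x position at which
 * a trill line would start. Returns 1 and stores the position on success;
 * returns 0 without touching *x_out when the element has no start (the state
 * the GDB dump shows) or no symbol, so the caller can skip it. */
int trill_start_x(const struct deco_elt *de, float *x_out)
{
    const struct sym *s;
    float x;

    if (de == NULL || de->start == NULL)
        return 0;                 /* end without start: skip, do not dereference */
    s = de->start->s;
    if (s == NULL)
        return 0;
    x = s->x;
    if (s->abc_type == ABC_T_NOTE && s->deco_count > 1)
        x += 10;                  /* same offset rule as the quoted code */
    *x_out = x;
    return 1;
}

/* Same check with a sentinel instead of an out-parameter, for callers that
 * only need "position or not drawable". */
float trill_start_x_or(const struct deco_elt *de, float fallback)
{
    float x;
    return trill_start_x(de, &x) ? x : fallback;
}

/* Walk a decoration list and count end elements whose start was never set;
 * a non-zero result is the condition the crash report demonstrates. */
int count_orphan_ends(const struct deco_elt *head)
{
    int orphans = 0;
    for (const struct deco_elt *de = head; de != NULL; de = de->next)
        if (de->is_end && de->start == NULL)
            orphans++;
    return orphans;
}

/* Constructed sample (assumed values): one well-formed trill (start -> end)
 * followed by an end element that was never paired with a start. */
static struct sym note_a = { ABC_T_NOTE, 2, 100.0f };
static struct sym note_b = { ABC_T_NOTE, 1, 140.0f };
static struct deco_elt trill_start = { NULL, NULL, &note_a, 0 };
static struct deco_elt trill_end   = { NULL, &trill_start, &note_b, 1 };
static struct deco_elt orphan_end  = { NULL, NULL, &note_b, 1 };

struct deco_elt *build_sample_list(void)
{
    trill_start.next = &trill_end;
    trill_end.next = &orphan_end;
    orphan_end.next = NULL;
    return &trill_start;
}

int main(void)
{
    struct deco_elt *head = build_sample_list();
    float x;

    for (struct deco_elt *de = head; de != NULL; de = de->next) {
        if (!de->is_end)
            continue;
        if (trill_start_x(de, &x))
            printf("trill anchored at x=%.1f\n", x);
        else
            printf("skipped end decoration with no start\n");
    }
    printf("orphan ends in list: %d\n", count_orphan_ends(head));
    return 0;
}
```

In the sample, the paired end resolves to x = 110 (note_a is a note carrying two decorations, so the +10 offset applies), while the orphaned end is skipped instead of faulting; the count of orphaned ends is the value a regression test for this class of bug would assert is zero on well-formed input.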