lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

out-of-bounds read vulnerability in the function calculate_beam() #43

Closed SegfaultMasters closed 5 years ago

SegfaultMasters commented 5 years ago

An out-of-bounds read vulnerability was discovered in abcm2ps (8.14.1-master).

Tested environment: 64-bit Ubuntu 16.04 LTS

Affected version: 8.14.1-master

Command:

```shell
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
```

Vulnerable code (draw.c:352-353, in `calculate_beam()`):

```c
if (s->nhd == 0)
        stem_err = min_tb[0][(unsigned) s->nflags];
```

Debug (GDB with GEF):

```
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ registers ]----
$rax   : 0x5555557d7740      →  0x00005555557d79a0  →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0
$rbx   : 0xffffffd0
$rcx   : 0x5555557d79a0      →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0  →  0x00005555557d8a10
$rdx   : 0xffffffd0
$rsp   : 0x7fffffffdad0      →  0x0000004000000018
$rbp   : 0x5555557d7740      →  0x00005555557d79a0  →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0
$rsi   : 0x0
$rdi   : 0x0
$rip   : 0x55555556b074      →  <calculate_beam+2580> movss xmm4, DWORD PTR [r15+rbx*4]
$r8    : 0x5555557c39a0      →  0x00005555557d6448  →  0x00005555557d66a0  →  0x00005555557d6900  →  0x00005555557d6b60  →  0x00005555557d6dc0  →  0x00005555557d7020  →  0x00005555557d7280
$r9    : 0x7fffffffdb50      →  0x0000000000000000
$r10   : 0x0
$r11   : 0x540
$r12   : 0x0
$r13   : 0x1
$r14   : 0x0
$r15   : 0x5555555a31c0      →  <min_tb+0> add BYTE PTR [rax], al
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$es: 0x0000  $gs: 0x0000  $cs: 0x0033  $fs: 0x0000  $ds: 0x0000  $ss: 0x002b
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ stack ]----
0x00007fffffffdad0│+0x00: 0x0000004000000018     ← $rsp
0x00007fffffffdad8│+0x08: 0x0000000000000400
0x00007fffffffdae0│+0x10: 0x00000040557d66a0 ("f}U@"?)
0x00007fffffffdae8│+0x18: 0x0000000000000007
0x00007fffffffdaf0│+0x20: 0x0000000000000410
0x00007fffffffdaf8│+0x28: 0x00005555557d1208  →  0x0000000000000000
0x00007fffffffdb00│+0x30: 0x0000000000000430
0x00007fffffffdb08│+0x38: 0x0000000000000000
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ code:i386:x86-64 ]----
   0x55555556b069 <calculate_beam+2569> test   dil, dil
   0x55555556b06c <calculate_beam+2572> jne    0x55555556b531 <calculate_beam+3793>
   0x55555556b072 <calculate_beam+2578> mov    ebx, edx
 → 0x55555556b074 <calculate_beam+2580> movss  xmm4, DWORD PTR [r15+rbx*4]
   0x55555556b07a <calculate_beam+2586> cmp    BYTE PTR [rax+0x58], 0x0
   0x55555556b07e <calculate_beam+2590> jle    0x55555556b558 <calculate_beam+3832>
   0x55555556b084 <calculate_beam+2596> movsx  edi, BYTE PTR [rax+rdi*1+0x3d]
   0x55555556b089 <calculate_beam+2601> cmp    dil, 0x1a
   0x55555556b08d <calculate_beam+2605> jle    0x55555556b09f <calculate_beam+2623>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ source:draw.c+353 ]----
    348                         }
    349                         x = s->voice == voice ? s->xs : s->x;
    350                         ys = a * x + b - staff_tb[s->staff].y;
    351                         if (s->voice == voice) {
    352                                 if (s->nhd == 0)
    353                                         stem_err = min_tb[0][(unsigned) s->nflags];
    354                                 else
    355                                         stem_err = min_tb[1][(unsigned) s->nflags];
    356                                 if (s->stem > 0) {
    357                                         if (s->pits[s->nhd] > 26) {
    358                                                 stem_err -= 2;
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ threads ]----
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ trace ]----
[#0] 0x55555556b074 → Name: calculate_beam(bm=0x7fffffffdb50, s1=0x5555557d7740)
[#1] 0x5555555719b8 → Name: draw_sym_near()
[#2] 0x555555582f7d → Name: delayed_output(indent=0)
[#3] 0x555555582f7d → Name: output_music()
[#4] 0x5555555886c1 → Name: generate()
[#5] 0x555555588c38 → Name: gen_ly(eob=0x0)
[#6] 0x55555558eab8 → Name: do_tune()
[#7] 0x555555560ce2 → Name: abc_parse(p=0x5555557ddbb0 "", fname=0x5555557f7f10 "POC", ln=0x16b)
[#8] 0x555555578c14 → Name: txt_add_eos(fname=0x5555557f7f10 "POC", linenum=0x16b)
[#9] 0x5555555790a4 → Name: frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x000055555556b074 in calculate_beam (bm=bm@entry=0x7fffffffdb50, s1=s1@entry=0x5555557d7740) at draw.c:353
gef➤  p  min_tb
$377 = {{16, 16, 14, 12, 10, 10}, {14, 14, 10, 9, 9, 9}}
gef➤  p  min_tb[0][(unsigned) s->nflags]
$379 = 16
gef➤  p s->nflags
$381 = 0x1
gef➤  p/d s->nflags
$392 = -48
gef➤  i r
rax            0x5555557d7740   0x5555557d7740
rbx            0xffffffd0       0xffffffd0
rcx            0x5555557d79a0   0x5555557d79a0
rdx            0xffffffd0       0xffffffd0
rsi            0x0      0x0
rdi            0x0      0x0
rbp            0x5555557d7740   0x5555557d7740
rsp            0x7fffffffdad0   0x7fffffffdad0
r8             0x5555557c39a0   0x5555557c39a0
r9             0x7fffffffdb50   0x7fffffffdb50
r10            0x0      0x0
r11            0x540    0x540
r12            0x0      0x0
r13            0x1      0x1
r14            0x0      0x0
r15            0x5555555a31c0   0x5555555a31c0
rip            0x55555556b074   0x55555556b074 <calculate_beam+2580>
eflags         0x10246 [ PF ZF IF RF]
cs             0x33     0x33
ss             0x2b     0x2b
ds             0x0      0x0
es             0x0      0x0
fs             0x0      0x0
gs             0x0      0x0
```

Reproducer file - Reproducer
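The root cause shown in the GDB session is a negative `s->nflags` (-48) being cast to `unsigned`, which turns into the index 0xffffffd0 seen in `rbx` and walks far past the six columns of `min_tb`. The example below is added here and is not abcm2ps code: it reproduces the unchecked cast beside a bounds-checked lookup, using the `min_tb` values printed by GDB and a stripped-down stand-in for the symbol struct (hypothetical, only the two fields the lookup touches).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values printed by "p min_tb" in the report; the movss stride shows it is float. */
static const float min_tb[2][6] = {
    {16, 16, 14, 12, 10, 10},
    {14, 14, 10,  9,  9,  9},
};
#define MIN_TB_COLS (sizeof min_tb[0] / sizeof min_tb[0][0])

/* Hypothetical stand-in for the struct SYMBOL fields used at draw.c:352-355. */
struct sym {
    signed char nflags;   /* flag count; the crashing input has -48 here */
    int nhd;              /* note-head index; 0 selects row 0 of min_tb */
};

/* The cast from draw.c:353: a negative signed char becomes a huge unsigned
 * index. For nflags == -48 this yields 0xffffffd0, the rbx value in the crash. */
static unsigned unchecked_index(const struct sym *s)
{
    return (unsigned) s->nflags;
}

/* Hardened lookup: validate the index before dereferencing the table.
 * Returns the table entry, or -1.0f (never a real entry) when nflags is out
 * of range, so the caller can skip or log the symbol instead of faulting. */
static float safe_stem_err(const struct sym *s)
{
    int row = (s->nhd == 0) ? 0 : 1;
    int idx = s->nflags;                     /* keep it signed for the check */
    if (idx < 0 || (size_t) idx >= MIN_TB_COLS)
        return -1.0f;
    return min_tb[row][idx];
}

int main(void)
{
    struct sym crash = { .nflags = -48, .nhd = 0 };   /* values from the GDB session */
    struct sym ok    = { .nflags = 1,   .nhd = 0 };
    printf("unchecked index for nflags=-48: 0x%x\n", unchecked_index(&crash));
    printf("safe lookup nflags=-48: %g (rejected)\n", safe_stem_err(&crash));
    printf("safe lookup nflags=1:   %g\n", safe_stem_err(&ok));
    return 0;
}
```

Building abcm2ps with `-fsanitize=address` reports this read at draw.c:353 as a global-buffer-overflow on `min_tb`, which is a quicker signal than waiting for the index to land on an unmapped page.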