Null pointer dereference in function draw_bar().

What is the vulnerability? Null pointer Dereference is discovered in abcm2ps (8.14.6-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impacts when a victim opens a specially crafted file.

Affected version-: 8.14.6-master

Command-: ./abcm2ps $POC

Reproducer file-: Reproducer

Synopsis-: We discovered Null pointer dereference in draw_bar() at draw.c:1211. s2->abc_type is not being validated. Due to lack of validation of s2->abc_type, therefore it causes Null pointer dereference.

Vulnerable code-:

for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
            ;
        putxy(s2->x, yb + 12);
        a2b("mrep\n");

Debug-:

GDB-:

abcm2ps-8.14.6 (2019-11-05)
File NPD2
NPD2: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,#][B,,F,]- [B,,4F,4]|
                                         ^
NPD2: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                             ^
NPD2: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                                     ^
NPD2: error: Chord not closed
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                      ^
NPD2: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                            ^
NPD2: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                                               ^
NPD2: error: Non standard measure repeat syntax
  36 [C,,4E,,4G,,4C,4]- [3/]!2!E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z _A,,|\
                          ^
NPD2: error: Bad character 'm'
NPD2: error: Bad character 'r'
NPD2: error: Bad character 'o'
NPD2: error: Bad character 'r'
NPD2: error: Bad character 'p'
NPD2: error: Bad character 'U'
NPD2: error: Decoration !3Trompette! not defined
NPD2: warning: Line underfull (270pt of 682pt)
NPD2: error: Bad tie

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x200             
$rbx   : 0x0               
$rcx   : 0x200             
$rdx   : 0x000055555593b208  →  0x0000555555970168  →  0x0000000000000000
$rsp   : 0x00007fffffffd180  →  0x0000000000000000
$rbp   : 0x000055555593b220  →  0x001800003f800000
$rsi   : 0x0               
$rdi   : 0x0000555555943300  →  0x0000000000000031 ("1"?)
$rip   : 0x00005555556092c4  →  <draw_systems+42340> cmp BYTE PTR [rsi+0x38], 0x5
$r8    : 0x1               
$r9    : 0x00007fffffffd0a0  →  0x0000003000000008
$r10   : 0x00007fffffffd0c0  →  0x0000000000000000
$r11   : 0x0               
$r12   : 0x000055555598b078  →  0x000055555598b2d0  →  0x000055555598b520  →  0x000055555598b770  →  0x000055555598b9c0  →  0x000055555598bc10  →  0x000055555598be60  →  0x000055555598c0b0
$r13   : 0x1               
$r14   : 0x1               
$r15   : 0x000055555593ade0  →  0x000055555598e2a8  →  0x0000000000000000
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd180│+0x0000: 0x0000000000000000   ← $rsp
0x00007fffffffd188│+0x0008: 0xc0478000bf800000
0x00007fffffffd190│+0x0010: 0x00007fff43a060a1
0x00007fffffffd198│+0x0018: 0x00007ffff6816209  →  <__printf_fp_l+1449> mov ebx, eax
0x00007fffffffd1a0│+0x0020: 0x00007fffc2ea0000
0x00007fffffffd1a8│+0x0028: 0x430c0000ffffd3b0
0x00007fffffffd1b0│+0x0030: 0x00000001428c0000
0x00007fffffffd1b8│+0x0038: 0x00007fffc2ea0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555556092b4 <draw_systems+42324> mov    rdx, QWORD PTR [rsp]
   0x5555556092b8 <draw_systems+42328> lea    rsp, [rsp+0x98]
   0x5555556092c0 <draw_systems+42336> mov    rsi, QWORD PTR [rsi+0x18]
 → 0x5555556092c4 <draw_systems+42340> cmp    BYTE PTR [rsi+0x38], 0x5
   0x5555556092c8 <draw_systems+42344> jne    0x5555556092c0 <draw_systems+42336>
   0x5555556092ca <draw_systems+42346> xchg   ax, ax
   0x5555556092cc <draw_systems+42348> lea    rsp, [rsp-0x98]
   0x5555556092d4 <draw_systems+42356> mov    QWORD PTR [rsp], rdx
   0x5555556092d8 <draw_systems+42360> mov    QWORD PTR [rsp+0x8], rcx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+1211 ────
   1206     if (s->u.bar.len != 0) {
   1207         struct SYMBOL *s2;
   1208  
   1209         set_scale(s);
   1210         if (s->u.bar.len == 1) {
 → 1211             for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
   1212                 ;
   1213             putxy(s2->x, yb + 12);
   1214             a2b("mrep\n");
   1215         } else {
   1216             putxy(x, yb + 12);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555556092c4 → draw_bar(h=70, bot=-117, s=0x55555598b078)
[#1] 0x5555556092c4 → draw_systems(indent=0)
[#2] 0x55555567d76b → delayed_output(indent=0)
[#3] 0x55555567d76b → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x555555579865 → abc_parse(p=0x55555597b5f0 "", fname=0x5555559511d0 " NPD2", ln=0x26)
[#8] 0x555555633893 → txt_add_eos(linenum=0x26, fname=<optimized out>)
[#9] 0x555555633893 → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555556092c4 in draw_bar (h=70, bot=-117, s=0x55555598b078) at draw.c:1211
1211                for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
gef➤  p s2
$3 = (struct SYMBOL *) 0x0
gef➤  p s2->abc_type 
Cannot access memory at address 0x38
gef➤  x s2->abc_type
Cannot access memory at address 0x38
gef➤  i r
rax            0x200    0x200
rbx            0x0  0x0
rcx            0x200    0x200
rdx            0x55555593b208   0x55555593b208
rsi            0x0  0x0
rdi            0x555555943300   0x555555943300
rbp            0x55555593b220   0x55555593b220 <staff_tb+1088>
rsp            0x7fffffffd180   0x7fffffffd180
r8             0x1  0x1
r9             0x7fffffffd0a0   0x7fffffffd0a0
r10            0x7fffffffd0c0   0x7fffffffd0c0
r11            0x0  0x0
r12            0x55555598b078   0x55555598b078
r13            0x1  0x1
r14            0x1  0x1
r15            0x55555593ade0   0x55555593ade0
rip            0x5555556092c4   0x5555556092c4 <draw_systems+42340>
eflags         0x10293  [ CF AF SF IF RF ]
cs             0x33 0x33
ss             0x2b 0x2b
ds             0x0  0x0
es             0x0  0x0
fs             0x0  0x0
gs             0x0  0x0

Valgrind-:

abcm2ps-8.14.6 (2019-11-05)
File NPD2
NPD2:20:36: error: Not a note
  20 [B,,3G,3][B,,G,]- [B,,4G,4]|[_B,,3F,#][B,,F,]- [B,,4F,4]|
                                         ^
NPD2:32:24: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                             ^
NPD2:32:32: error: Not a note
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                                     ^
NPD2:32:17: error: Chord not closed
  32 !fp![E,4G,4C4]- [E,3/G,3 program 53
                      ^
NPD2:34:23: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                            ^
NPD2:34:42: error: Not a note
  34 !fp!!3![=B,4D4F4]- [B,3?D3/F3/][B,/D/F/][U,3/D3/G3/][B,/D/A/] ([B,4D4A4]!...
                                               ^
NPD2:36:21: error: Non standard measure repeat syntax
  36 [C,,4E,,4G,,4C,4]- [3/]!2!E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z _A,,|\
                          ^
NPD2:32:16: error: Bad character 'm'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'o'
NPD2:32:16: error: Bad character 'r'
NPD2:32:16: error: Bad character 'p'
NPD2:34:40: error: Bad character 'U'
NPD2:34:84: error: Decoration !3Trompette! not defined
NPD2:36:19: warning: Line underfull (270pt of 682pt)
NPD2:32:4: error: Bad tie
==15190== Invalid read of size 1
==15190==    at 0x128E32: draw_bar (draw.c:1211)
==15190==    by 0x128E32: draw_systems (draw.c:4593)
==15190==    by 0x1382AE: delayed_output (music.c:5063)
==15190==    by 0x1382AE: output_music (music.c:5114)
==15190==    by 0x13D9C0: generate (parse.c:1041)
==15190==    by 0x13DF27: gen_ly (parse.c:1062)
==15190==    by 0x143F07: do_tune (parse.c:3635)
==15190==    by 0x115B61: abc_parse (abcparse.c:179)
==15190==    by 0x12DEE3: txt_add_eos (front.c:379)
==15190==    by 0x12E373: frontend (front.c:891)
==15190==    by 0x110F1C: treat_file (abcm2ps.c:240)
==15190==    by 0x11013B: main (abcm2ps.c:1041)
==15190==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault

lewdlime / abcm2ps

Null pointer dereference in function draw_bar(). #71