search

lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0
82 stars 31 forks source link

Null pointer dereference in function calculate_beam(). #72

Open Loginsoft-Research opened 4 years ago

Loginsoft-Research commented 4 years ago

What is the vulnerability? Null pointer Dereference is discovered in abcm2ps (8.14.6-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impacts when a victim opens a specially crafted file.

Affected version-: 8.14.6-master

Command-: ./abcm2ps $POC

Reproducer file-: Reproducer

Synopsis-: We discovered Null pointer dereference in calculate_beam() at draw.c:341. s->ts_prev is not being validated. Due to lack of validation of s->ts_prev, therefore it causes Null pointer dereference.

Vulnerable code-:

while (s->ts_prev->abc_type == ABC_T_NOTE
                && s->ts_prev->time == s->time
                && s->ts_prev->x > s1->xs)
                s = s->ts_prev;

Debug-:

GDB-:

abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3: error: Cannot identify meter top
  22 M:2}
       ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                          ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                           ^
NPD3: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                            ^
NPD3: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                    ^
NPD3: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                           ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                        ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                         ^
NPD3: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                          ^
NPD3: error: Cannot identify meter top
  34 M:| C
       ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                           ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                            ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                             ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                              ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                               ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                ^
NPD3: error: Bad character
  42   zGFG AFEF#GEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                 ^
NPD3: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                    ^
NPD3: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                     ^
NPD3: error: Decoration !fp! not defined
NPD3: error: Decoration !fp! not defined
NPD3: error: End of line found inside a tuplet
NPD3: error: Decoration !D,3/! not defined
NPD3: error: Decoration !26E,/! not defined
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'W'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'm'
NPD3: error: Bad character 'i'

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000555555981028  →  0x0000555555981278  →  0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188
$rbx   : 0x000055555593ade0  →  0x0000555555969460  →  0x0000000000000000
$rcx   : 0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188  →  0x00005555559823d8  →  0x0000555555982628
$rdx   : 0x0               
$rsp   : 0x00007fffffffdc00  →  0x0000555555657e06  →  <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10]
$rbp   : 0x0               
$rsi   : 0x0               
$rdi   : 0xffffffff        
$rip   : 0x00005555555c332c  →  <calculate_beam+10412> cmp BYTE PTR [rbp+0x38], 0x4
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x00007fffffffdc90  →  0x0000000000000000
$r11   : 0x13e0            
$r12   : 0x0000555555981028  →  0x0000555555981278  →  0x00005555559815f8  →  0x0000555555981848  →  0x0000555555981a98  →  0x0000555555981ce8  →  0x0000555555981f38  →  0x0000555555982188
$r13   : 0x1               
$r14   : 0x1               
$r15   : 0x0               
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc00│+0x0000: 0x0000555555657e06  →  <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10]    ← $rsp
0x00007fffffffdc08│+0x0008: 0x0000000000000000
0x00007fffffffdc10│+0x0010: 0x0000000000000004
0x00007fffffffdc18│+0x0018: 0x0000000041e89d7b
0x00007fffffffdc20│+0x0020: 0x0000007955655bba
0x00007fffffffdc28│+0x0028: 0x034a2b510999999a
0x00007fffffffdc30│+0x0030: 0x0000000000000000
0x00007fffffffdc38│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555c331c <calculate_beam+10396> mov    rdx, QWORD PTR [rsp]
   0x5555555c3320 <calculate_beam+10400> lea    rsp, [rsp+0x98]
   0x5555555c3328 <calculate_beam+10408> mov    rbp, QWORD PTR [rax+0x28]
 → 0x5555555c332c <calculate_beam+10412> cmp    BYTE PTR [rbp+0x38], 0x4
   0x5555555c3330 <calculate_beam+10416> je     0x5555555c3260 <calculate_beam+10208>
   0x5555555c3336 <calculate_beam+10422> xchg   ax, ax
   0x5555555c3338 <calculate_beam+10424> lea    rsp, [rsp-0x98]
   0x5555555c3340 <calculate_beam+10432> mov    QWORD PTR [rsp], rdx
   0x5555555c3344 <calculate_beam+10436> mov    QWORD PTR [rsp+0x8], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+341 ────
    336         b += ys;
    337     } else if (!(s1->flags & ABC_F_GRACE)) {    /* normal notes */
    338         float stem_err, beam_h;
    339  
    340         beam_h = BEAM_DEPTH + BEAM_SHIFT * (nflags - 1);
 →  341         while (s->ts_prev->abc_type == ABC_T_NOTE
    342             && s->ts_prev->time == s->time
    343             && s->ts_prev->x > s1->xs)
    344             s = s->ts_prev;
    345  
    346         for (; s && s->time <= s2->time; s = s->ts_next) {
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555c332c → calculate_beam(bm=0x7fffffffdc90, s1=0x555555981028)
[#1] 0x5555555f261a → draw_sym_near()
[#2] 0x55555567d748 → delayed_output(indent=0)
[#3] 0x55555567d748 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x55555556a9b1 → abc_eof()
[#8] 0x55555563285d → frontend(s=0x55555597aeba "", ftype=<optimized out>, fname=<optimized out>, linenum=0x2c)
[#9] 0x5555555614c1 → treat_file(fn=<optimized out>, ext=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555555c332c in calculate_beam (bm=bm@entry=0x7fffffffdc90, s1=s1@entry=0x555555981028) at draw.c:341
341         while (s->ts_prev->abc_type == ABC_T_NOTE
gef➤  p s->ts_prev 
$9 = (struct SYMBOL *) 0x0
gef➤  p s->ts_prev->abc_type 
Cannot access memory at address 0x38
gef➤  i r
rax            0x555555981028   0x555555981028
rbx            0x55555593ade0   0x55555593ade0
rcx            0x5555559815f8   0x5555559815f8
rdx            0x0  0x0
rsi            0x0  0x0
rdi            0xffffffff   0xffffffff
rbp            0x0  0x0
rsp            0x7fffffffdc00   0x7fffffffdc00
r8             0x0  0x0
r9             0x0  0x0
r10            0x7fffffffdc90   0x7fffffffdc90
r11            0x13e0   0x13e0
r12            0x555555981028   0x555555981028
r13            0x1  0x1
r14            0x1  0x1
r15            0x0  0x0
rip            0x5555555c332c   0x5555555c332c <calculate_beam+10412>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33 0x33
ss             0x2b 0x2b
ds             0x0  0x0
es             0x0  0x0
fs             0x0  0x0
gs             0x0  0x0

Valgrind-:

abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3:22:2: error: Cannot identify meter top
  22 M:2}
       ^
NPD3:27:69: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                          ^
NPD3:27:70: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                           ^
NPD3:27:71: error: Bad character
  27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
                                                                            ^
NPD3:31:47: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                    ^
NPD3:31:54: error: Bad character
  31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
                                                           ^
NPD3:32:19: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                        ^
NPD3:32:20: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                         ^
NPD3:32:21: error: Bad character
  32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
                          ^
NPD3:34:2: error: Cannot identify meter top
  34 M:| C
       ^
NPD3:42:11: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                ^
NPD3:42:54: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                           ^
NPD3:42:55: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                            ^
NPD3:42:56: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                             ^
NPD3:42:57: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                              ^
NPD3:42:58: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                               ^
NPD3:42:59: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                ^
NPD3:42:60: error: Bad character
  42   zGFG AFEFGEDE FDCD     | E2c2F2c2 E2c2D2=B2        ÿÿÿ      |
                                                                 ^
NPD3:44:31: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                    ^
NPD3:44:32: error: Bad character
  44   C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
                                     ^
NPD3:26:4: error: Decoration !fp! not defined
NPD3:27:7: error: Decoration !fp! not defined
NPD3:27:66: error: End of line found inside a tuplet
NPD3:31:56: error: Decoration !D,3/! not defined
NPD3:31:56: error: Decoration !26E,/! not defined
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'W'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'm'
NPD3:42:2: error: Bad character 'i'
==7849== Invalid read of size 1
==7849==    at 0x12006F: calculate_beam (draw.c:341)
==7849==    by 0x126BA7: draw_sym_near (draw.c:4120)
==7849==    by 0x13828B: delayed_output (music.c:5059)
==7849==    by 0x13828B: output_music (music.c:5114)
==7849==    by 0x13D9C0: generate (parse.c:1041)
==7849==    by 0x13DF27: gen_ly (parse.c:1062)
==7849==    by 0x143F07: do_tune (parse.c:3635)
==7849==    by 0x112548: abc_eof (abcparse.c:202)
==7849==    by 0x12E220: frontend (front.c:905)
==7849==    by 0x110F1C: treat_file (abcm2ps.c:240)
==7849==    by 0x11013B: main (abcm2ps.c:1041)
==7849==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
moinejf commented 4 years ago

Fixed. Thanks.

timmbo9 commented 4 years ago

This revised version will not recognize the”/“ in the distribution’s voices.abcfile. Timm

On Feb 5, 2020, at 12:26 PM, Jean-François Moine notifications@github.com wrote:

Fixed. Thanks.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

moinejf commented 4 years ago

Indeed, I should have done more tests! Many thanks, Timm.