stack buffer overflow in function get_key() in parse.c

Version 0cf4a55 Stack buffer over found in parse.c in function get_key().

The root cause maybe is in function c_set_k_acc(), the array accs and pits size is 8. If s->u.key.sf bigger than 7 , then the array accs and pits will access out of index and corrupt the stack, if the value of s->u.key.sf is more bigger, then the stack frame will be corrupted.

static void set_k_acc(struct SYMBOL *s)
{
    int i, j, nacc;
    char accs[8], pits[8];
        ...
        if (s->u.key.sf > 0) {
        for (nacc = 0; nacc < s->u.key.sf; nacc++) {
            accs[nacc] = A_SH;
            pits[nacc] = sharp_tb[nacc];
        }
}

gdb

gef➤  disassemble set_k_acc
Dump of assembler code for function set_k_acc:
   0x000055555559f74c <+0>: endbr64
   0x000055555559f750 <+4>: push   rbp
   0x000055555559f751 <+5>: mov    rbp,rsp
   0x000055555559f754 <+8>: sub    rsp,0x40
   0x000055555559f758 <+12>:    mov    QWORD PTR [rbp-0x38],rdi
...

   0x55555559f941 <set_k_acc+501>  mov    rax, QWORD PTR [rbp-0x8]
 → 0x55555559f945 <set_k_acc+505>  xor    rax, QWORD PTR fs:0x28
   0x55555559f94e <[buffer-over-flow_parse.c_set_k_acc.zip](https://github.com/leesavide/abcm2ps/files/6381703/buffer-over-flow_parse.c_set_k_acc.zip)+514>  je     0x55555559f955 <set_k_acc+521>
   0x55555559f950 <set_k_acc+516>  call   0x55555555ba40 <__stack_chk_fail@plt>
   0x55555559f955 <set_k_acc+521>  leave

─ source:parse.c+3943 ────
   3938     for (i = 0; i < nacc; i++) {
   3939         s->u.key.accs[i] = accs[i];
   3940         s->u.key.pits[i] = pits[i];
   3941     }
●  3942     s->u.key.nacc = nacc;
 → 3943  }

gef➤  x/gx $rbp-0x8
0x7fffffffe038: 0x0101010101010101

reproduce :

abcm2ps -E poc

buffer-over-flow_parse.c_set_k_acc.zip

reporter ： chiba of topsec alphalab

lewdlime / abcm2ps

stack buffer overflow in function get_key() in parse.c #84