lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

Buffer overflow in parse.c get_info #92

Open Microsvuln opened 3 years ago

Microsvuln commented 3 years ago

There is a buffer overflow vulnerability in parse.c (get_info function) which occurs when a specific malformed file is parsed.

Output:

t terminated
  35 U:N = !te
            ^
=================================================================
==13093==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012bec98 at pc 0x00000065fdc9 bp 0x7ffe016e9910 sp 0x7ffe016e9908
READ of size 8 at 0x0000012bec98 thread T0
    #0 0x65fdc8 in get_info /home/arash/abcm2ps/parse.c:3069:28
    #1 0x62a372 in do_tune /home/arash/abcm2ps/parse.c:3508:8
    #2 0x54a1da in abc_eof /home/arash/abcm2ps/abcparse.c:202:2
    #3 0x54a1da in frontend /home/arash/abcm2ps/front.c:905:2
    #4 0x33549c in treat_file /home/arash/abcm2ps/abcm2ps.c:240:2
    #5 0x339393 in main /home/arash/abcm2ps/abcm2ps.c:1041:3
    #6 0x7f8af6d08bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x2868d9 in _start (/home/arash/abcm2ps/abcm2ps.laf.asan+0x2868d9)

0x0000012bec98 is located 40 bytes to the left of global variable 'str_r' defined in 'abcm2ps.c:82:4' (0x12becc0) of size 24
0x0000012bec98 is located 16 bytes to the right of global variable 'fout' defined in 'abcm2ps.c:52:7' (0x12bec80) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /home/arash/abcm2ps/parse.c:3069:28 in get_info
Shadow bytes around the buggy address:
  0x00008024fd40: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x00008024fd50: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008024fd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008024fd70: 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008024fd80: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x00008024fd90: 00 f9 f9[f9]f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x00008024fda0: 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008024fdb0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008024fdc0: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x00008024fdd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x00008024fde0: 00 00 00 00 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13093==ABORTING

To reproduce:

./abcm2ps poc6

poc6.zip
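A triage helper for the report above, as an added example that is not part of this issue or of the abcm2ps project: it parses the AddressSanitizer lines copied from the report into structured fields (bug class, access kind and size, stack frames, neighbouring globals) and recomputes the "N bytes to the left/right of" distances from the raw addresses, which is a quick way to confirm that a pasted report was not truncated or mangled before spending time on it. The report text is taken verbatim from the issue; the regexes and the dataclass layout are my assumptions about ASan's output format and are only known to hold for the lines shown here.

```python
import re
from dataclasses import dataclass, field

# ASan report text copied from the issue above, trimmed to the lines the parser uses.
ASAN_REPORT = """\
==13093==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012bec98 at pc 0x00000065fdc9 bp 0x7ffe016e9910 sp 0x7ffe016e9908
READ of size 8 at 0x0000012bec98 thread T0
    #0 0x65fdc8 in get_info /home/arash/abcm2ps/parse.c:3069:28
    #1 0x62a372 in do_tune /home/arash/abcm2ps/parse.c:3508:8
    #2 0x54a1da in abc_eof /home/arash/abcm2ps/abcparse.c:202:2
0x0000012bec98 is located 40 bytes to the left of global variable 'str_r' defined in 'abcm2ps.c:82:4' (0x12becc0) of size 24
0x0000012bec98 is located 16 bytes to the right of global variable 'fout' defined in 'abcm2ps.c:52:7' (0x12bec80) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /home/arash/abcm2ps/parse.c:3069:28 in get_info
"""


@dataclass
class Frame:
    index: int
    func: str
    location: str  # file:line:col as printed by the symbolizer


@dataclass
class Neighbor:
    name: str
    defined_at: str
    addr: int       # start address of the global
    size: int
    side: str       # "left" or "right": where the faulting address lies relative to this global
    distance: int   # the byte distance ASan printed


@dataclass
class AsanReport:
    kind: str       # e.g. global-buffer-overflow
    addr: int       # faulting address
    access: str     # READ or WRITE
    size: int       # access width in bytes
    frames: list = field(default_factory=list)
    neighbors: list = field(default_factory=list)


# Regexes are assumptions about ASan's text format, checked only against the lines above.
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
NEIGHBOR_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of global variable '([^']+)' "
    r"defined in '([^']+)' \(0x([0-9a-f]+)\) of size (\d+)"
)


def parse_asan(text: str) -> AsanReport:
    """Turn one ASan report into an AsanReport; raises if no error header is present."""
    report = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            report = AsanReport(kind=m.group(1), addr=int(m.group(2), 16), access="", size=0)
            continue
        if report is None:
            continue  # ignore anything before the header (e.g. the program's own messages)
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = NEIGHBOR_RE.search(line)
        if m:
            report.neighbors.append(Neighbor(
                name=m.group(3), defined_at=m.group(4), addr=int(m.group(5), 16),
                size=int(m.group(6)), side=m.group(2), distance=int(m.group(1))))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def check_neighbor_distances(report: AsanReport) -> dict:
    """Recompute each 'N bytes to the left/right of' claim from the raw addresses.

    ASan measures 'left of X' from the start of X and 'right of X' from the end of X.
    Returns {global name: (matches_report, computed_distance)}; a mismatch means the
    pasted report is inconsistent and should not be trusted as-is.
    """
    result = {}
    for n in report.neighbors:
        if n.side == "left":
            computed = n.addr - report.addr
        else:
            computed = report.addr - (n.addr + n.size)
        result[n.name] = (computed == n.distance, computed)
    return result


def triage_summary(report: AsanReport) -> str:
    """One-line summary suitable for an issue title or a triage spreadsheet."""
    top = report.frames[0]
    return f"{report.kind}: {report.access} of {report.size} bytes in {top.func} ({top.location})"


if __name__ == "__main__":
    r = parse_asan(ASAN_REPORT)
    print(triage_summary(r))
    for name, (ok, dist) in check_neighbor_distances(r).items():
        print(f"{name}: distance {dist} bytes {'matches' if ok else 'DOES NOT MATCH'} the report")
```

For this report the recomputed distances agree with what ASan printed (40 bytes before `str_r`, 16 bytes past the end of `fout`), so the faulting address really does sit in the redzone between two globals, which is consistent with an out-of-bounds read past a global array rather than a wild pointer.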