ASAn stack-based buffer overflow in compileTranslationTable.c in line 4560 in includeFile

[fgeek]

8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb.zip Tested commit: b381efd3248902ed2f9a797a46f79dfa0690a9c4 Credit: Henri Salo Tools: american fuzzy lop 2.52b, afl-utils Thanks to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.

I am more than happy to continue fuzzing this software after fixes has been applied. Thanks!

./lou_checktable 8b587f82559d919cb75395ff4508c4e1d21fe9e6.ctb
<snip>
=================================================================
==1606==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7fe53f40 at pc 0x7fe7a31fc7c9 bp 0x7fff7fe534d0 sp 0x7fff7fe534c8
WRITE of size 1 at 0x7fff7fe53f40 thread T0
    #0 0x7fe7a31fc7c8 in includeFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560
    #1 0x7fe7a31fc7c8 in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3196
    #2 0x7fe7a32024ca in compileFile /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4522
    #3 0x7fe7a3203707 in compileTranslationTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4627
    #4 0x7fe7a3203707 in lou_getTable /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4712
    #5 0x564fd1060f33 in main /home/hsalo/src/liblouis/tools/lou_checktable.c:112
    #6 0x7fe7a2e192e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x564fd1061199 in _start (/home/hsalo/builds/liblouis/b381efd3248902ed2f9a797a46f79dfa0690a9c4/bin/lou_checktable+0x2199)

Address 0x7fff7fe53f40 is located in stack of thread T0 at offset 2528 in frame
    #0 0x7fe7a31e3b9f in compileRule /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:3156

  This frame has 17 object(s):
    [32, 34) 'c'
    [96, 98) 'c'
    [160, 164) 'lastToken'
    [224, 228) 'after'
    [288, 292) 'before'
    [352, 356) 'holdOffset'
    [416, 432) 'dict'
    [480, 2528) 'includeThis' <== Memory access at offset 2528 overflows this variable
    [2560, 6658) 'token'
    [6720, 10818) 'ruleChars'
    [10880, 14978) 'ruleDots'
    [15040, 19138) 'name'
    [19200, 23298) 'ruleChars'
    [23360, 27458) 'ruleDots'
    [27520, 31618) 'upperDots'
    [31680, 35778) 'lowerDots'
    [35840, 39984) 'nested'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/src/liblouis/liblouis/compileTranslationTable.c:4560 in includeFile
Shadow bytes around the buggy address:
  0x10006ffc2790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc27d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006ffc27e0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x10006ffc27f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006ffc2830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1606==ABORTING

[abergmann]

CVE-2018-11684 was assigned to this issue.