michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0
208 stars 47 forks source link

Heap overflow in pdf_write_contents() #468

Closed Jorgecmartins closed 2 years ago

Jorgecmartins commented 2 years ago

In pdf_write_contents(), in ps-pdf.cxx, there is a heap buffer overflow:

2982    i = heading_pages[*heading];

In this case, the variable num_headings = 36 and *heading can be larger than num_headings, the array size.

I've attached poc.zip that can trigger the heap overflow.

Steps to reproduce

$ unzip poc.zip
$ # Compiling htmldoc with -fsanitize=address,bounds
$ htmldoc -f output.pdf poc

=================================================================
==164645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000388 at pc 0x55e9c7443313 bp 0x7ffdee44e1b0 sp 0x7ffdee44e1a0
READ of size 4 at 0x611000000388 thread T0
    #0 0x55e9c7443312 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982
    #1 0x55e9c7443754 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:3002
    #2 0x55e9c743f8f8 in pdf_write_document /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2331
    #3 0x55e9c743619b in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:910
    #4 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #5 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x55e9c7405bed in _start (/home/fuzz/fuzzing/htmldoc/fuzzing/analysis/htmldoc_asan+0x57bed)

0x611000000388 is located 0 bytes to the right of 200-byte region [0x6110000002c0,0x611000000388)
allocated by thread T0 here:
    #0 0x7fdffb9c8bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55e9c7452724 in parse_heading /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4640
    #2 0x55e9c744d04f in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4206
    #3 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
    #4 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
    #5 0x55e9c7434e7c in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:803
    #6 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #7 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982 in pdf_write_contents
michaelrsweet commented 2 years ago

[master 23c960a] Fix a potential heap overflow bug with headings (Issue #468)