search

michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0
206 stars 46 forks source link

AddressSanitizer: heap-buffer-overflow in function render_table_row at ps-pdf.cxx:6150:34 #479

Closed hdthky closed 2 years ago

hdthky commented 2 years ago

Description

Whilst experimenting with htmldoc, built from commit 31f7804, we are able to induce a vulnerability at htmldoc/htmldoc/ps-pdf.cxx:6150:34 in function render_table_row , using a harness compiled from htmldoc/htmldoc.cxx.

Because there is no bounds checking, a heap-based out-of-bound read will be triggered when the software encounters a malformed file, result in information disclosure or denial of service.

Proof of Concept

The POC is: poc_heap_overflow2

The command is: `./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow2

The ASAN report is:

=================================================================
==50558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041e0 at pc 0x000000444af1 bp 0x7fffffff0190 sp 0x7fffffff0188
READ of size 8 at 0x6290000041e0 thread T0
    #0 0x444af0 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:6150:34
    #1 0x430b16 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:7136:5
    #2 0x3d48ff in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4185:11
    #3 0x3d6652 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4531:13
    #4 0x43cb69 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:5854:9
    #5 0x430b16 in parse_table(tree_str*, float, float, float, float, float*, float*, int*, int) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:7136:5
    #6 0x3d48ff in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4185:11
    #7 0x3d6652 in parse_doc(tree_str*, float*, float*, float*, float*, float*, float*, int*, tree_str*, int*) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:4531:13
    #8 0x3c2857 in pspdf_export /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:803:3
    #9 0x39a254 in main /work/libraries/htmldoc/htmldoc/htmldoc.cxx:1291:3
    #10 0x7ffff75070b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x2a051d in _start (/work/libraries/htmldoc/htmldoc/htmldoc+0x2a051d)

0x6290000041e0 is located 32 bytes to the right of 16320-byte region [0x629000000200,0x6290000041c0)
allocated by thread T0 here:
    #0 0x31b6f9 in realloc (/work/libraries/htmldoc/htmldoc/htmldoc+0x31b6f9)
    #1 0x3ddaf8 in check_pages(int) /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:8859:24

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/libraries/htmldoc/htmldoc/ps-pdf.cxx:6150:34 in render_table_row(hdtable_t&, tree_str***, int, unsigned char*, float, float, float, float, float*, float*, int*)
Shadow bytes around the buggy address:
  0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 00 fa fa fa fa[fa]fa fa fa
  0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==50558==ABORTING

Impact

This vulnerability is capable of inducing information disclosure or denial of service.

michaelrsweet commented 2 years ago

@hdthky Unable to reproduce when leak_check_at_exit is turned off, and I get much different results when it is turned on.

hdthky commented 2 years ago

Even if I turn off leak_check_at_exit, I can still reproduce it. Is it possible that you messed up with the poc that causes memory leak

michaelrsweet commented 2 years ago

@hdthky No, not unless you uploaded the wrong file.

hdthky commented 2 years ago

I didn't upload the wrong file, either. However, when I tested this vulnerability in the new version you just committed, it is fixed along with issue #478