Closed hdthky closed 2 years ago
@hdthky Unable to reproduce when leak_check_at_exit is turned off, and I get much different results when it is turned on.
Even if I turn off leak_check_at_exit, I can still reproduce it. Is it possible that you messed up the poc that causes the memory leak?
@hdthky No, not unless you uploaded the wrong file.
I didn't upload the wrong file, either. However, when I tested this vulnerability in the new version you just committed, it was fixed along with issue #478.
Description
Whilst experimenting with htmldoc, built from commit 31f7804, we are able to induce a vulnerability at `htmldoc/htmldoc/ps-pdf.cxx:6150:34` in function `render_table_row`, using a harness compiled from `htmldoc/htmldoc.cxx`. Because there is no bounds checking, a heap-based out-of-bounds read will be triggered when the software encounters a malformed file, resulting in information disclosure or denial of service.
Proof of Concept
The POC is: poc_heap_overflow2
The command is: `./htmldoc --webpage -t pdf -f /dev/null poc_heap_overflow2`
The ASAN report is:
Impact
This vulnerability is capable of inducing information disclosure or denial of service.