mity / md4c

C Markdown parser. Fast. SAX-like interface. Compliant to CommonMark specification.
MIT License

Invalid size passed to memcpy in md_process_inlines #195

Closed rish9101 closed 5 months ago

rish9101 commented 1 year ago

I have found a bug at line 4348 of md4c.c in the md_process_inlines function. This bug is caused by the size parameter to memcpy, dest_size, being a negative number, which when typecast to size_t results in a large size (4GB) to copy, which leads to a segmentation fault. Below is the stack trace for the bug:

#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x0000000000416c55 in md_process_inlines (ctx=0x7fffffffdc70, lines=0x7fffffffd9c0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4348
#2  0x000000000040cd11 in md_process_normal_block_contents (ctx=0x7fffffffdc70, lines=0x7fffffffd9c0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4641
#3  0x000000000040e576 in md_process_table_cell (ctx=0x7fffffffdc70, cell_type=MD_BLOCK_TH, align=MD_ALIGN_DEFAULT, beg=0x1, end=0x54) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4489
#4  0x000000000040dffd in md_process_table_row (ctx=0x7fffffffdc70, cell_type=MD_BLOCK_TH, beg=0x0, end=0x54, align=0x42e710, col_count=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4534
#5  0x000000000040cac9 in md_process_table_block_contents (ctx=0x7fffffffdc70, col_count=0x1, lines=0x42e508, n_lines=0x2) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4575
#6  0x000000000040c0df in md_process_leaf_block (ctx=0x7fffffffdc70, block=0x42e500) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4815
#7  0x0000000000406980 in md_process_all_blocks (ctx=0x7fffffffdc70) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4902
#8  0x000000000040360f in md_process_doc (ctx=0x7fffffffdc70) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6331
#9  0x00000000004031fb in md_parse (text=0x42e498 "|\200Xe.ceh6www_www.cXxw_www.cXe.)))))lllll<<<<X", '<' <repeats 26 times>, "~\337;on\002", size=0x5f, parser=0x7fffffffdf18, userdata=0x7fffffffdf60) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6399
#10 0x00000000004017f9 in md_html (input=0x42e498 "|\200Xe.ceh6www_www.cXxw_www.cXe.)))))lllll<<<<X", '<' <repeats 26 times>, "~\337;on\002", input_size=0x5f, process_output=0x401330 <process_output>, userdata=0x0, parser_flags=0x101ff00, renderer_flags=0x6e6f3bdf) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c-html.c:571

The crashing input is attached below.

The bug has been tested on Ubuntu 20.04 with clang-11 used to build md4c on its latest commit.

invalid_memcpy.zip

P.S. This bug has been found by fuzzing.
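The failure mode described in the report, a signed length that goes negative and is then handed to memcpy's size_t parameter, is easy to reproduce in isolation. The block below is an added illustration and is not md4c's code: checked_copy is a hypothetical guard that rejects negative or oversized lengths before calling memcpy, as_memcpy_size shows what the unchecked conversion produces, and demo_copy exercises the guard on a constructed 8-byte buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper, not md4c code: copy n bytes into dst only when n is
 * non-negative and fits the destination capacity. Returns 1 if the copy was
 * performed, 0 if the request was rejected. The length is taken as a signed
 * ptrdiff_t because sizes computed as "end - beg" are signed, and a mistake
 * in that arithmetic shows up as a negative value. */
int checked_copy(char *dst, size_t dst_cap, const char *src, ptrdiff_t n)
{
    if (n < 0)
        return 0;               /* negative length: the size computation went wrong */
    if ((size_t)n > dst_cap)
        return 0;               /* would write past the end of dst */
    memcpy(dst, src, (size_t)n);
    return 1;
}

/* What the unchecked path does: the implicit conversion to memcpy's size_t
 * parameter turns a negative length into a value near SIZE_MAX. */
size_t as_memcpy_size(ptrdiff_t n)
{
    return (size_t)n;
}

/* Constructed demo: attempt to copy n bytes from a fixed source into an
 * 8-byte buffer and report whether the guard accepted the request. */
int demo_copy(ptrdiff_t n)
{
    static const char src[] = "0123456789ABCDEF";   /* constructed sample input */
    char dst[8];
    return checked_copy(dst, sizeof dst, src, n);
}

int main(void)
{
    printf("(size_t)-1 as a memcpy size = %zu\n", as_memcpy_size(-1));
    printf("copy 8 bytes:  %s\n", demo_copy(8)  ? "accepted" : "rejected");
    printf("copy -1 bytes: %s\n", demo_copy(-1) ? "accepted" : "rejected");
    printf("copy 9 bytes:  %s\n", demo_copy(9)  ? "accepted" : "rejected");
    return 0;
}
```

The guard is cheap and makes the bug class observable: a parser that computes a copy length as a signed difference can assert or bail out on a negative result instead of letting the conversion silently request a copy of nearly the whole address space, which is exactly where the stack trace above ends up.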

mity commented 5 months ago

I believe it got fixed with c6942ef03ed46a67bd9b3af8ce1eefd781622777.