I have found a bug at line 4348 of md4c.c in the md_process_inlines function. This bug is caused by the size parameter to memcpy, dest_size, being a negative number, which when cast to size_t results in a large size (4GB) to copy, which leads to a segmentation fault. Below is the stack trace for the bug:
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1 0x0000000000416c55 in md_process_inlines (ctx=0x7fffffffdc70, lines=0x7fffffffd9c0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4348
#2 0x000000000040cd11 in md_process_normal_block_contents (ctx=0x7fffffffdc70, lines=0x7fffffffd9c0, n_lines=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4641
#3 0x000000000040e576 in md_process_table_cell (ctx=0x7fffffffdc70, cell_type=MD_BLOCK_TH, align=MD_ALIGN_DEFAULT, beg=0x1, end=0x54) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4489
#4 0x000000000040dffd in md_process_table_row (ctx=0x7fffffffdc70, cell_type=MD_BLOCK_TH, beg=0x0, end=0x54, align=0x42e710, col_count=0x1) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4534
#5 0x000000000040cac9 in md_process_table_block_contents (ctx=0x7fffffffdc70, col_count=0x1, lines=0x42e508, n_lines=0x2) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4575
#6 0x000000000040c0df in md_process_leaf_block (ctx=0x7fffffffdc70, block=0x42e500) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4815
#7 0x0000000000406980 in md_process_all_blocks (ctx=0x7fffffffdc70) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:4902
#8 0x000000000040360f in md_process_doc (ctx=0x7fffffffdc70) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6331
#9 0x00000000004031fb in md_parse (text=0x42e498 "|\200Xe.ceh6www_www.cXxw_www.cXe.)))))lllll<<<<X", '<' <repeats 26 times>, "~\337;on\002", size=0x5f, parser=0x7fffffffdf18, userdata=0x7fffffffdf60) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c.c:6399
#10 0x00000000004017f9 in md_html (input=0x42e498 "|\200Xe.ceh6www_www.cXxw_www.cXe.)))))lllll<<<<X", '<' <repeats 26 times>, "~\337;on\002", input_size=0x5f, process_output=0x401330 <process_output>, userdata=0x0, parser_flags=0x101ff00, renderer_flags=0x6e6f3bdf) at /home/jack/projects/closure/targets/md4c/md4c/src/md4c-html.c:571
The crashing input is attached below.
The bug has been tested on Ubuntu 20.04 with clang-11 used to build md4c on its latest commit.
invalid_memcpy.zip
P.S. This bug has been found by fuzzing.
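The bug class described in the report, a signed length that turns into a huge size_t once it reaches memcpy, is easy to reproduce in isolation. The following is an added example and is not md4c code: it shows the value a negative length takes on after the implicit conversion that memcpy's prototype performs, and a hypothetical guarded copy (checked_copy, a name chosen here) that rejects negative or over-capacity lengths before any bytes move. The sample input string is constructed for the example and is not the attached crashing file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The size parameter of memcpy is size_t. Passing a negative int converts it
 * modulo 2^N, so -1 becomes SIZE_MAX and the copy runs far past the buffer.
 * This function performs exactly that conversion so the value can be inspected. */
size_t length_as_seen_by_memcpy(int len)
{
    return (size_t)len;
}

/* Hypothetical guarded copy (example only, not an md4c API).
 * Returns the number of bytes copied, or -1 if the length is negative or
 * larger than the destination capacity. memcpy is never reached with a
 * length that could wrap. */
long checked_copy(char *dst, size_t dst_cap, const char *src, long len)
{
    if (len < 0)               /* the condition behind this report */
        return -1;
    if ((size_t)len > dst_cap) /* would overrun the destination */
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void)
{
    char dst[16];
    /* constructed sample input, not the attached crashing file */
    const char *src = "constructed sample input";

    printf("(size_t)-1 on this platform = %zu (0x%zx)\n",
           length_as_seen_by_memcpy(-1), length_as_seen_by_memcpy(-1));
    printf("4 GiB for comparison        = %llu\n",
           4ULL * 1024 * 1024 * 1024);
    printf("checked_copy with len=-1    -> %ld\n",
           checked_copy(dst, sizeof dst, src, -1));
    printf("checked_copy with len=8     -> %ld\n",
           checked_copy(dst, sizeof dst, src, 8));
    printf("checked_copy with len=64    -> %ld\n",
           checked_copy(dst, sizeof dst, src, 64));
    return 0;
}
```

Build with `cc -Wall -Wextra -Wconversion example.c` and the compiler already flags the int-to-size_t conversion in length_as_seen_by_memcpy; in a parser the fix is the same shape as checked_copy: validate the computed length against both zero and the destination size before it is handed to memcpy.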