vstakhov / libucl

Universal configuration library parser
BSD 2-Clause "Simplified" License

Stack overflow on malformed input #293

Closed gabe-sherman closed 7 months ago

gabe-sherman commented 7 months ago

A stack overflow occurs in the below program when provided with malformed input.

#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>
#include "ucl.h"

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return EXIT_FAILURE;
    }

    /* Read the whole input file into a NUL-terminated buffer. */
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    unsigned char *data = (size < 0) ? NULL : malloc((size_t)size + 1);
    if (data == NULL || fread(data, 1, (size_t)size, f) != (size_t)size) {
        fprintf(stderr, "failed to read %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    fclose(f);
    data[size] = '\0';

    /* Feed the same buffer to the parser twice, as in the report: once as a
     * string, then again as a priority chunk. The crash is triggered here. */
    struct ucl_parser *parser = ucl_parser_new(0);
    bool ok = ucl_parser_add_string(parser, (const char *)data, (size_t)size);
    if (!ok) {
        fprintf(stderr, "ucl_parser_add_string: %s\n", ucl_parser_get_error(parser));
        ucl_parser_free(parser);
        free(data);
        return EXIT_FAILURE;
    }
    ok = ucl_parser_add_chunk_priority(parser, data, (size_t)size, 0);
    if (!ok) {
        fprintf(stderr, "ucl_parser_add_chunk_priority: %s\n", ucl_parser_get_error(parser));
    }

    ucl_parser_free(parser);
    free(data);
    return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 51c5e2f0526c41efc5e919e0b834a87b1976f33c

Poc File

https://github.com/FuturesLab/POC/blob/main/ucl/poc-14

Address Sanitizer Output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1020146==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fee98 (pc 0x7ffff7d7673e bp 0x7fffff7ffc90 sp 0x7fffff7feea0 T0)
    #0 0x7ffff7d7673e in glob64 posix/../posix/glob.c:568:18
    #1 0x7ffff7d76790 in glob64 posix/../posix/glob.c:598:21

... same glob messages continue ...

SUMMARY: AddressSanitizer: stack-overflow posix/../posix/glob.c:568:18 in glob64
==1020146==ABORTING

vstakhov commented 7 months ago

It seems it is also fixed.

vstakhov commented 7 months ago

Thank you @gabe-sherman for finding that out! Probably, we should add this PoC and the corresponding code to the test suite to exclude future regressions.