bug-libextractor

Re: [bug-libextractor] An Out-of-bounds Read vulnerability in dvi_extractor.c


From: Christian Grothoff
Subject: Re: [bug-libextractor] An Out-of-bounds Read vulnerability in dvi_extractor.c
Date: Thu, 19 Oct 2017 22:09:26 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Thanks for reporting, fixed in bc2a59d..d4d488b.

Note that v1.6 is out, fixing various minor issues not reported by you
(yet? ;-)) as well.

Happy hacking!

Christian

On 10/17/2017 04:11 AM, Leon Zhao wrote:
> *Tested Version:*
> v1.4
> 
> *Details:*
> In the EXTRACTOR_dvi_extract_method function, it reads pos from the file, so a
> crafted file can set pos to an invalid value, which triggers a crash in
> the code
> 213   if (data[pos] != 248)
> 
> *Vulnerability Code:*
> 208   opos = pos;
> 209   pos = getIntAt (&data[opos + 1]);
> 210   if (pos + 25 > size)
> 211     goto CLEANUP;
> 212   /* assert pos at 'post' command */
> 213   if (data[pos] != 248)
> 214     goto CLEANUP;
> 
> *Crash Information:*
> gdb and backtrace
> (gdb) run -i extract-dvi_extract_method-dvi_extractor-213.crash
> Starting program: /opt/asan/bin/extract -i
> extract-dvi_extract_method-dvi_extractor-213.crash
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Keywords for file extract-dvi_extract_method-dvi_extractor-213.crash:
> 
> Breakpoint 1, EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050) at
> dvi_extractor.c:208
> 208       opos = pos;
> (gdb) n
> 209       pos = getIntAt (&data[opos + 1]);
> (gdb) s
> getIntAt (data=0x633000037b84) at dvi_extractor.c:131
> 131     {
> (gdb) n
> 134       memcpy (&p, data, 4);          /* ensure alignment! */
> (gdb) n
> 135       return ntohl (p);
> (gdb) p (int)p
> $1 = -1
> (gdb) n
> 131     {
> (gdb) 
> 136     }
> (gdb) 
> EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050) at dvi_extractor.c:210
> 210       if (pos + 25 > size)
> (gdb) 
> 213       if (data[pos] != 248)
> (gdb) p pos
> $2 = 4294967295
> (gdb) 
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff243acdf in EXTRACTOR_dvi_extract_method (ec=0x7fffffffa050)
> at dvi_extractor.c:213
> 213       if (data[pos] != 248)
> (gdb) 
> 
> *CREDIT*
> Zhao Liang, Huawei Weiran Labs
> 
> Attachment is POC file
> 
> 

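As an added illustration of the report above (this is not libextractor's code, and it does not reproduce the fix in bc2a59d..d4d488b), the following assumes pos is a 32-bit unsigned value, which is consistent with the gdb output of 4294967295: the quoted check `pos + 25 > size` wraps for that value and lets `data[pos]` be read out of bounds, while a subtraction-based check rejects it. The buffers, `get_int_at` and the replay helper are constructed here for the example.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl */

/* Big-endian 32-bit read, same shape as the extractor's getIntAt. */
static uint32_t get_int_at(const unsigned char *data)
{
  uint32_t p;
  memcpy(&p, data, 4);   /* ensure alignment */
  return ntohl(p);
}

/* The check quoted in the report. With a 32-bit unsigned pos of 0xFFFFFFFF,
 * pos + 25 wraps to 24, the test passes and data[pos] is read out of bounds.
 * Returns 1 when the access would be allowed. */
int post_check_original(uint32_t pos, uint32_t size)
{
  return !(pos + 25 > size);
}

/* Overflow-safe form: compare by subtraction once size is known to be >= 25. */
int post_check_safe(uint32_t pos, uint32_t size)
{
  if (size < 25)
    return 0;
  return pos <= size - 25;
}

/* Replays dvi_extractor.c:208-214 against a buffer: read the 4-byte pointer at
 * opos + 1, validate it with the chosen check and report where the read lands.
 * Returns 1 = in-bounds, 0 = rejected (CLEANUP), -1 = out-of-bounds read allowed. */
int replay_post_lookup(const unsigned char *data, uint32_t size, uint32_t opos, int use_safe)
{
  uint32_t pos;
  if (size < 5 || opos > size - 5)   /* bytes opos + 1 .. opos + 4 must exist */
    return 0;
  pos = get_int_at(&data[opos + 1]);
  if (!(use_safe ? post_check_safe(pos, size) : post_check_original(pos, size)))
    return 0;
  return pos < size ? 1 : -1;
}

/* Constructed samples (not the reporter's POC): a 64-byte buffer whose pointer at
 * offset 1 is 0xFFFFFFFF, the value seen in the gdb session, and a benign one. */
unsigned char sample_bad[64] = { 0x00, 0xff, 0xff, 0xff, 0xff };
unsigned char sample_ok[64]  = { 0x00, 0x00, 0x00, 0x00, 0x08 };
```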