
NULL Pointer Dereference @ ps-pdf.cxx:7430 #439

Closed
GoldenArrows777 opened this issue Jun 23, 2021 · 1 comment
Comments

@GoldenArrows777

Hello,

while fuzzing HTMLDOC with AFL in the context of a project @ my university, an input was found for which HTMLDOC crashes. The problem may be reproduced by running ./htmldoc crash.html -f out.ps using the HTML file contained in crash.zip.

GDB stacktrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6053c6a in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) where 
#0  0x00007ffff6053c6a in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000555555579b30 in parse_comment (t=t@entry=0x555555ca3d50, left=left@entry=0x7fffffffd680, 
    right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c, 
    x=x@entry=0x7fffffffd678, y=0x7fffffffd67c, page=0x7fffffffd690, para=0x555555ca2860, needspace=1)
    at ps-pdf.cxx:7430
#2  0x000055555558457c in parse_doc (t=0x555555ca3d50, left=left@entry=0x7fffffffd680,
    right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c, 
    x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
    needspace=<optimized out>) at ps-pdf.cxx:4470
#3  0x0000555555583070 in parse_doc (t=0x555555ca30d0, left=left@entry=0x7fffffffd680,
    right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c, 
    x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
    needspace=<optimized out>) at ps-pdf.cxx:4092
#4  0x0000555555583070 in parse_doc (t=0x555555ca2ae0, left=left@entry=0x7fffffffd680,
    right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c, 
    x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
    needspace=<optimized out>) at ps-pdf.cxx:4092
#5  0x0000555555583070 in parse_doc (t=t@entry=0x555555ca19b0, left=left@entry=0x7fffffffd680, 
    right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c, 
    x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
    needspace=<optimized out>) at ps-pdf.cxx:4092
#6  0x000055555558a45c in pspdf_export (document=0x555555ca19b0, toc=0x555555cac090) at ps-pdf.cxx:803
#7  0x000055555556077e in main (argc=<optimized out>, argv=<optimized out>) at htmldoc.cxx:1291

Compiled with gcc-10 (Ubuntu 10.3.0-1ubuntu1~18.04~1) 10.3.0 and g++-10 (Ubuntu 10.3.0-1ubuntu1~18.04~1) 10.3.0. System information:

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

I think the crash is caused by a NULL pointer dereference. The code at the line reads:

  if (para != NULL && para->child != NULL && para->child->next == NULL &&
      para->child->child == NULL && para->child->markup == MARKUP_NONE &&
      strcmp((const char *)para->child->data, " ") == 0)
  {
    // Remove paragraph consisting solely of whitespace...
    htmlDeleteTree(para->child);
    para->child = para->last_child = NULL;
  }

para->child->data is apparently NULL.
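The same whitespace-only-paragraph test with the missing `data` guard added, as an example I am adding here; it is not the reporter's code nor HTMLDOC's, and `node_t`, `make_para` and the function names are hypothetical stand-ins for the project's tree structures:

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for HTMLDOC's tree node (hypothetical, not the real
 * tree_t): only the fields touched by the check at ps-pdf.cxx:7430. */
enum { MARKUP_NONE = 0, MARKUP_COMMENT = 1 };

typedef struct node {
    struct node *child, *last_child, *next;
    int         markup;
    const char *data;      /* text content; NULL for nodes without text */
} node_t;

/* Guarded version of the condition from the crash site.  Returns 1 when the
 * paragraph holds exactly one childless MARKUP_NONE node whose text is a
 * single space, 0 otherwise.  A NULL `data` is rejected before strcmp()
 * instead of being dereferenced, which is the case the fuzzer hit. */
static int is_whitespace_only_para(const node_t *para)
{
    if (para == NULL || para->child == NULL)
        return 0;
    const node_t *c = para->child;
    if (c->next != NULL || c->child != NULL || c->markup != MARKUP_NONE)
        return 0;
    if (c->data == NULL)           /* the check missing from the original */
        return 0;
    return strcmp(c->data, " ") == 0;
}

/* Same transformation as the original block: drop the whitespace-only child. */
static void prune_whitespace_para(node_t *para)
{
    if (is_whitespace_only_para(para)) {
        free(para->child);
        para->child = para->last_child = NULL;
    }
}

/* Constructed input builder: a paragraph with one child carrying `data`.
 * Passing NULL reproduces the shape that crashed the unguarded check. */
static node_t *make_para(const char *data, int markup)
{
    node_t *p = calloc(1, sizeof *p), *c = calloc(1, sizeof *c);
    c->markup = markup;
    c->data   = data;
    p->child  = p->last_child = c;
    return p;
}
```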

@michaelrsweet michaelrsweet self-assigned this Jun 23, 2021
@michaelrsweet michaelrsweet added bug Something isn't working priority-medium labels Jun 23, 2021
@michaelrsweet michaelrsweet added this to the Stable milestone Jun 23, 2021
@michaelrsweet
Owner

@GoldenArrows777 Confirmed, fix pushed:

[master 55242fe] Check that a comment isn't NULL (Issue #439)
