
Heap overflow in pdf_write_contents() #468

Closed
Jorgecmartins opened this issue Jan 14, 2022 · 1 comment
@Jorgecmartins
Contributor

In pdf_write_contents(), in ps-pdf.cxx, there is a heap buffer overflow:

2982    i = heading_pages[*heading];

In this case, the variable num_headings = 36 and *heading can be larger than num_headings, the array size.

I've attached poc.zip that can trigger the heap overflow.

Steps to reproduce

$ unzip poc.zip
$ # Compiling htmldoc with -fsanitize=address,bounds
$ htmldoc -f output.pdf poc

=================================================================
==164645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000388 at pc 0x55e9c7443313 bp 0x7ffdee44e1b0 sp 0x7ffdee44e1a0
READ of size 4 at 0x611000000388 thread T0
    #0 0x55e9c7443312 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982
    #1 0x55e9c7443754 in pdf_write_contents /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:3002
    #2 0x55e9c743f8f8 in pdf_write_document /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2331
    #3 0x55e9c743619b in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:910
    #4 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #5 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x55e9c7405bed in _start (/home/fuzz/fuzzing/htmldoc/fuzzing/analysis/htmldoc_asan+0x57bed)

0x611000000388 is located 0 bytes to the right of 200-byte region [0x6110000002c0,0x611000000388)
allocated by thread T0 here:
    #0 0x7fdffb9c8bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55e9c7452724 in parse_heading /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4640
    #2 0x55e9c744d04f in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4206
    #3 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
    #4 0x55e9c744b852 in parse_doc /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:4092
    #5 0x55e9c7434e7c in pspdf_export /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:803
    #6 0x55e9c7417caf in main /home/fuzz/fuzzing/htmldoc/htmldoc/htmldoc.cxx:1291
    #7 0x7fdffa9830b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzzing/htmldoc/htmldoc/ps-pdf.cxx:2982 in pdf_write_contents
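The report above boils down to one unchecked array read: a heading number taken from the document indexes `heading_pages[]`, and nothing verifies it is below `num_headings`. The block below is an added example, not htmldoc's code or the fix committed for this issue; it reuses the report's names (`heading_pages`, `num_headings`, a heading index) on a constructed table of 36 entries and a constructed contents list, and shows the bounds-checked lookup that turns the out-of-bounds read into a rejected entry the caller can count and log.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not htmldoc's code). Names mirror the report: a heap table
 * heading_pages[] with num_headings entries, indexed by a heading number that
 * comes from the parsed document. Table contents here are constructed. */

#define NUM_HEADINGS 36          /* value of num_headings quoted in the report */

static int heading_pages[NUM_HEADINGS];   /* constructed: entry k -> page k + 1 */

static void build_table(void)
{
    for (int k = 0; k < NUM_HEADINGS; k++)
        heading_pages[k] = k + 1;
}

/* Bounds-checked form of the reported read  i = heading_pages[*heading];
 * Any heading outside [0, num_headings) is rejected instead of being used to
 * read past the end of the heap block. Returns 0 and stores the page on
 * success, -1 on a bad argument or an out-of-range heading. */
static int lookup_heading_page(const int *pages, size_t num_headings,
                               long heading, int *page_out)
{
    if (pages == NULL || page_out == NULL)
        return -1;
    if (heading < 0 || (unsigned long)heading >= num_headings)
        return -1;               /* this is the read ASan flagged in the report */
    *page_out = pages[heading];
    return 0;
}

/* Convenience wrapper: page number for a heading, or -1 when out of range. */
static int checked_page(long heading)
{
    int page;
    build_table();
    if (lookup_heading_page(heading_pages, NUM_HEADINGS, heading, &page) != 0)
        return -1;
    return page;
}

/* Models a contents writer walking a list of heading indexes taken from the
 * document. Valid entries are copied to pages_out (count in *written); the
 * number of rejected indexes is returned so the caller can fail or log
 * instead of silently reading off the end of the table. */
static size_t map_contents(const long *headings, size_t count,
                           int *pages_out, size_t *written)
{
    size_t rejected = 0, n = 0;
    for (size_t k = 0; k < count; k++) {
        int page;
        if (lookup_heading_page(heading_pages, NUM_HEADINGS, headings[k], &page) == 0)
            pages_out[n++] = page;
        else
            rejected++;
    }
    *written = n;
    return rejected;
}

/* Constructed contents list: two of the five headings (36 and 500) exceed
 * num_headings, the shape of input the report describes. Returns how many
 * were rejected by the check. */
static size_t demo_rejected(void)
{
    static const long doc_headings[] = { 0, 3, 36, 35, 500 };
    int pages[5];
    size_t written;
    build_table();
    return map_contents(doc_headings, 5, pages, &written);
}

int main(void)
{
    build_table();
    printf("heading 35 -> page %d\n", checked_page(35));
    printf("heading 36 -> %d (rejected)\n", checked_page(36));
    printf("rejected in constructed contents list: %zu\n", demo_rejected());
    return 0;
}
```

The check compares against the table's element count rather than its byte size, and treats negative indexes as invalid too, since the index in the report is a signed value read from the document. Building with `-fsanitize=address,bounds`, as the reporter did, remains the quickest way to confirm that no unchecked index path is left once the lookup goes through a helper like this.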
@michaelrsweet michaelrsweet self-assigned this Jan 16, 2022
@michaelrsweet michaelrsweet added bug Something isn't working priority-medium labels Jan 16, 2022
@michaelrsweet michaelrsweet added this to the Stable milestone Jan 16, 2022
@michaelrsweet
Owner

[master 23c960a] Fix a potential heap overflow bug with headings (Issue #468)
