Re: Invalid memory read / heap out of bounds in parse_top_node_line()

2017-01-21 Thread Gavin Smith
On 18 October 2016 at 10:51, Hanno Böck  wrote:
> Hi,
>
> The attached file will cause an out of bounds heap read in the
> function parse_top_node_line.
> To see this you need a memory safety detection tool like valgrind or
> address sanitizer (add "-fsanitize=address" to CFLAGS+LDFLAGS).
>
> This was found with the tool american fuzzy lop.
>
>
> Here's a stack trace from address sanitizer (latest svn code):
>
> ==4818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020dd9d at pc 0x0051c1dd bp 0x7fff7ca0ad10 sp 0x7fff7ca0ad08
> READ of size 1 at 0x6020dd9d thread T0
> #0 0x51c1dc in parse_top_node_line /f/texinfo/trunk/info/info-utils.c:1174:11
> #1 0x51c1dc in scan_node_contents /f/texinfo/trunk/info/info-utils.c:1646
> #2 0x53d816 in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1445:11
> #3 0x53bada in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1486:10
> #4 0x53bada in info_get_node_of_file_buffer /f/texinfo/trunk/info/nodes.c:1110
> #5 0x53b289 in info_get_node_with_defaults /f/texinfo/trunk/info/nodes.c:993:14
> #6 0x55ef41 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3765:10
> #7 0x55ec52 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3728:11
> #8 0x5227b0 in main /f/texinfo/trunk/info/info.c:1027:7
> #9 0x7f2aa5adc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
> #10 0x419b28 in _start (/r/texinfo/ginfo+0x419b28)
>
> 0x6020dd9d is located 0 bytes to the right of 13-byte region [0x6020dd90,0x6020dd9d)
> allocated by thread T0 here:
> #0 0x4c1758 in malloc (/r/texinfo/ginfo+0x4c1758)
> #1 0x58254e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13

Thanks for the report, I've committed a fix.



Invalid memory read / heap out of bounds in parse_top_node_line()

2016-10-18 Thread Hanno Böck
Hi,

The attached file will cause an out of bounds heap read in the
function parse_top_node_line.
To see this you need a memory safety detection tool like valgrind or
address sanitizer (add "-fsanitize=address" to CFLAGS+LDFLAGS).

This was found with the tool american fuzzy lop.


Here's a stack trace from address sanitizer (latest svn code):

==4818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020dd9d at pc 0x0051c1dd bp 0x7fff7ca0ad10 sp 0x7fff7ca0ad08
READ of size 1 at 0x6020dd9d thread T0
#0 0x51c1dc in parse_top_node_line /f/texinfo/trunk/info/info-utils.c:1174:11
#1 0x51c1dc in scan_node_contents /f/texinfo/trunk/info/info-utils.c:1646
#2 0x53d816 in info_node_of_tag_ext /f/texinfo/trunk/info/nodes.c:1445:11
#3 0x53bada in info_node_of_tag /f/texinfo/trunk/info/nodes.c:1486:10
#4 0x53bada in info_get_node_of_file_buffer /f/texinfo/trunk/info/nodes.c:1110
#5 0x53b289 in info_get_node_with_defaults /f/texinfo/trunk/info/nodes.c:993:14
#6 0x55ef41 in dump_node_to_stream /f/texinfo/trunk/info/session.c:3765:10
#7 0x55ec52 in dump_nodes_to_file /f/texinfo/trunk/info/session.c:3728:11
#8 0x5227b0 in main /f/texinfo/trunk/info/info.c:1027:7
#9 0x7f2aa5adc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#10 0x419b28 in _start (/r/texinfo/ginfo+0x419b28)

0x6020dd9d is located 0 bytes to the right of 13-byte region [0x6020dd90,0x6020dd9d)
allocated by thread T0 here:
#0 0x4c1758 in malloc (/r/texinfo/ginfo+0x4c1758)
#1 0x58254e in xmalloc /f/texinfo/trunk/gnulib/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/texinfo/trunk/info/info-utils.c:1174:11 in parse_top_node_line
Shadow bytes around the buggy address:
  0x0c047fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b90: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff9ba0: fa fa 04 fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c047fff9bb0: fa fa 00[05]fa fa 04 fa fa fa 04 fa fa fa fd fd
  0x0c047fff9bc0: fa fa 02 fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9bd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9be0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff9bf0: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0c047fff9c00: fa fa fd fd fa fa fd fa fa fa 00 04 fa fa 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
  Left alloca redzone:   ca
  Right alloca redzone:  cb
==4818==ABORTING


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


texinfo-oob-heap-parse_top_node_line.info
Description: Binary data