libdoc's Issues

There is a heap-buffer-overflow on numutils.c:22 getlong

Test Version

latest version, git clone https://github.com/uvoteam/libdoc

Environment

Ubuntu 16.04-x64, gcc version 5.4.0 20160609

Test Program and command

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

Gdb and Backtrace

Reading symbols from doc2txt...done.
(gdb) run libdoc_numutils_getlong_22.overflow 
Starting program: /var/normal/bin/doc2txt libdoc_numutils_getlong_22.overflow
*** Error in `/var/normal/bin/doc2txt': corrupted size vs. prev_size: 0x000000000064dfc0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x80d36)[0x7ffff7a8dd36]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff7a9153c]
/var/normal/bin/doc2txt[0x400e52]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]

Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8dd36 in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=<optimized out>, str=0x7ffff7b9ac75 "corrupted size vs. prev_size", action=3) at malloc.c:5006
#4  _int_free (av=0x7ffff7dd1b20 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4005
#5  0x00007ffff7a9153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000400e52 in main ()

Asan Debug Information

root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_numutils_getlong_22.overflow 
=================================================================
==92310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f120 at pc 0x000000403238 bp 0x7ffe6888f220 sp 0x7ffe6888f210
READ of size 1 at 0x60200000f120 thread T0
    #0 0x403237 in getlong /root/libdoc/numutils.c:22
    #1 0x404053 in ole_init /root/libdoc/ole.c:176
    #2 0x401d61 in analyze_format /root/libdoc/analyze.c:50
    #3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #4 0x401715 in main /root/libdoc/example/main.c:24
    #5 0x7f082402e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/numutils.c:22 getlong
Shadow bytes around the buggy address:
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9e20: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==92310==ABORTING

POC file

libdoc_numutils_getlong_22.zip

CREDIT

Zhao Liang, Huawei Weiran Labs

Segmentation fault in catdoc.c:34 at libdoc master branch(2019/1/29) when using libdoc.a

A parameter which does not exist will lead to a Segmentation fault in catdoc.c:34 at libdoc master branch (2019/1/29) when using libdoc.a

Triggered by

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [A filename which does not exist]

Poc
./doc2txt d_000094,sig_06,src_000540,op_havoc,rep_2:

The ASAN information is as follows:

root:~/libdoc-master/example# ./doc2txt d_000094,sig_06,src_000540,op_havoc,rep_2:
ASAN:SIGSEGV
=================================================================
==37085==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000401a4a bp 0x0fffbea4dd3e sp 0x7ffdf526e9e0 T0)
    #0 0x401a49 in doc2text /root/libdoc-master/catdoc.c:34
    #1 0x4018ea in main /root/libdoc-master/example/main.c:23
    #2 0x7f60ad96782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x401668 in _start (/root/libdoc-master/example/doc2txt+0x401668)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libdoc-master/catdoc.c:34 doc2text
==37085==ABORTING

FoundBy: [email protected]

A heap-buffer-overflow in reader.c:203 process_file

Test Version

latest version, git clone https://github.com/uvoteam/libdoc

Environment

Ubuntu 16.04-x64, gcc version 5.4.0 20160609

Test Program and command

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

Gdb and Backtrace

Reading symbols from doc2txt...done.
(gdb) run libdoc_reader_process_file_203.overflow 
Starting program: /var/normal/bin/doc2txt libdoc_reader_process_file_203.overflow
*** Error in `/var/normal/bin/doc2txt': malloc(): memory corruption: 0x000000000064e1c0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff7a91184]
/var/normal/bin/doc2txt[0x402a63]
/var/normal/bin/doc2txt[0x4012fd]
/var/normal/bin/doc2txt[0x400f3d]
/var/normal/bin/doc2txt[0x400e46]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830]
/var/normal/bin/doc2txt[0x400c99]

Program received signal SIGABRT, Aborted.
0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a42428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff7a4402a in __GI_abort () at abort.c:89
#2  0x00007ffff7a847ea in __libc_message (do_abort=2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x64e1c0, str=0x7ffff7b9ad3f "malloc(): memory corruption", action=<optimized out>)
    at malloc.c:5006
#4  _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=200) at malloc.c:3474
#5  0x00007ffff7a91184 in __GI___libc_malloc (bytes=200) at malloc.c:2913
#6  0x0000000000402a63 in ole_readdir (f=0x64d290, ole_params=0x7fffffffe1d0) at /root/libdoc/ole.c:314
#7  0x00000000004012fd in analyze_format (f=0x64d290, out=0x64d010) at /root/libdoc/analyze.c:52
#8  0x0000000000400f3d in doc2text (buf=0x64e250 "", size=41095, buffer_out=0x7fffffffe368) at /root/libdoc/catdoc.c:55
#9  0x0000000000400e46 in main ()

Asan Debug Information

root@leon-virtual-machine:/var/asan/bin# ./doc2txt libdoc_reader_process_file_203.overflow 
=================================================================
==76395==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa2b88fa7fe at pc 0x000000407d19 bp 0x7ffc58dcb2a0 sp 0x7ffc58dcb290
READ of size 2 at 0x7fa2b88fa7fe thread T0
    #0 0x407d18 in process_file /root/libdoc/reader.c:203
    #1 0x402344 in parse_word_header /root/libdoc/analyze.c:123
    #2 0x401e54 in analyze_format /root/libdoc/analyze.c:57
    #3 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #4 0x401715 in main /root/libdoc/example/main.c:24
    #5 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401498 in _start (/var/asan/bin/doc2txt+0x401498)

0x7fa2b88fa7fe is located 2 bytes to the left of 524288-byte region [0x7fa2b88fa800,0x7fa2b897a800)
allocated by thread T0 here:
    #0 0x7fa2b78cd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x407733 in process_file /root/libdoc/reader.c:111
    #2 0x402344 in parse_word_header /root/libdoc/analyze.c:123
    #3 0x401e54 in analyze_format /root/libdoc/analyze.c:57
    #4 0x4019a2 in doc2text /root/libdoc/catdoc.c:55
    #5 0x401715 in main /root/libdoc/example/main.c:24
    #6 0x7fa2b748b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc/reader.c:203 process_file
Shadow bytes around the buggy address:
  0x0ff4d71174a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff4d71174e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff4d71174f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ff4d7117500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff4d7117540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==76395==ABORTING

POC file

libdoc_reader_process_file_203.zip

CREDIT

Zhao Liang, Huawei Weiran Labs

division by zero in ole.c:390 at libdoc master branch(2019/1/29) when using libdoc.a

A crafted input will lead to 'division by zero' in ole.c:390 at libdoc master branch (2019/1/29) when using libdoc.a

Triggered by

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

Poc
libdoc_poc3.zip

The gdb information is as follows:

Starting program: /root/libdoc-master/example/doc2txt id_0000102,sig_08,src_000304,op_flip1,pos_32
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGFPE, Arithmetic exception.
0x0000000000403669 in calcFileBlockOffset (ole_params=0x7fffffffe0a0, blk=0, e=0x60c00000bd40) at /root/libdoc-master/ole.c:390
390                     long int sbdSecNum=e->blocks[blk]/sbdPerSector;
(gdb) bt
#0  0x0000000000403669 in calcFileBlockOffset (ole_params=0x7fffffffe0a0, blk=0, e=0x60c00000bd40) at /root/libdoc-master/ole.c:390
#1  ole_read (ptr=0x7fffffffe140, size=<optimized out>, nmemb=<optimized out>, stream=0x60c00000bd40, ole_params=0x7fffffffe0a0) at /root/libdoc-master/ole.c:436
#2  0x00000000004020b7 in analyze_format (f=f@entry=0x61200000bec0, out=out@entry=0x61600000f980) at /root/libdoc-master/analyze.c:56
#3  0x0000000000401a94 in doc2text (buf=0x62c000000200 "\320\317\021\340\241\261\032\341", '\060' <repeats 15 times>, ")000000\t0\026", '\060' <repeats 11 times>, "\001",
    size=<optimized out>, buffer_out=<optimized out>) at /root/libdoc-master/catdoc.c:55
#4  0x00000000004018eb in main (argc=2, argv=0x7fffffffe488) at main.c:23
(gdb)

FoundBy: [email protected]
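The reports above share two root causes: unchecked reads of header fields (the numutils.c:22 getlong and reader.c:203 process_file overflows) and a divisor derived from untrusted header data (ole.c:390, `e->blocks[blk]/sbdPerSector`). The following is an added example, not libdoc's code, showing how a defender would harden such a parser: bounds-checked little-endian readers, validation of the sector shift before it becomes a divisor, and a header check run against constructed inputs. Function names, signatures and the header layout used here (8-byte magic, 16-bit sector shift at offset 0x1E) are assumptions for the example, not libdoc's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked little-endian readers (hypothetical; not libdoc's getlong).
 * Return 0 on success, -1 if the requested bytes are not inside buf. */
int getshort_checked(const unsigned char *buf, size_t len, size_t off, uint16_t *out)
{
    if (buf == NULL || out == NULL || off > len || len - off < 2)
        return -1;                       /* written so off+2 cannot overflow */
    *out = (uint16_t)(buf[off] | ((uint16_t)buf[off + 1] << 8));
    return 0;
}

int getlong_checked(const unsigned char *buf, size_t len, size_t off, uint32_t *out)
{
    if (buf == NULL || out == NULL || off > len || len - off < 4)
        return -1;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return 0;
}

/* A sector shift from the header drives every later division.  Real
 * compound files use 9 or 12; anything giving a sector smaller than one
 * 4-byte sector ID (or absurdly large) is rejected before it is used. */
int sector_geometry(uint16_t sector_shift, long *sector_size, long *entries_per_sector)
{
    if (sector_shift < 2 || sector_shift > 20)   /* 4 bytes .. 1 MiB */
        return -1;
    *sector_size = 1L << sector_shift;
    *entries_per_sector = *sector_size / 4;      /* never zero after the check */
    return 0;
}

/* Guarded form of the ole.c:390 style division: refuse a zero divisor. */
int safe_block_index(long block, long per_sector, long *out)
{
    if (per_sector <= 0 || block < 0)
        return -1;
    *out = block / per_sector;
    return 0;
}

/* Validate the header prefix: magic bytes plus a usable sector shift.
 * A truncated file fails in getshort_checked instead of reading past buf. */
int check_header(const unsigned char *buf, size_t len, long *sector_size)
{
    static const unsigned char magic[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    uint16_t shift;
    long per_sector;
    if (len < 8 || memcmp(buf, magic, 8) != 0)
        return -1;
    if (getshort_checked(buf, len, 0x1E, &shift) != 0)
        return -1;
    return sector_geometry(shift, sector_size, &per_sector);
}

int main(void)
{
    /* Constructed inputs: a 512-byte header with shift 9, a 24-byte
     * truncated file, and a header whose shift field is zero. */
    unsigned char good[512] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    unsigned char truncated[24] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    unsigned char zero_shift[512] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
    long sz = 0;
    good[0x1E] = 9;
    printf("good: %d (sector %ld)\n", check_header(good, sizeof good, &sz), sz);
    printf("truncated: %d\n", check_header(truncated, sizeof truncated, &sz));
    printf("zero shift: %d\n", check_header(zero_shift, sizeof zero_shift, &sz));
    return 0;
}
```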

heap-buffer-overflow in reader.c:203 at libdoc master branch(2019/1/29) when using libdoc.a

A crafted input will lead to heap-buffer-overflow in reader.c:203 at libdoc master branch(2019/1/29) when using libdoc.a

Triggered by

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

Poc
libdoc_poc2.zip

The ASAN information is as follows:

=================================================================
==30477==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe37c9507fe at pc 0x0000004075e8 bp 0x7fff893cc130 sp 0x7fff893cc120
READ of size 2 at 0x7fe37c9507fe thread T0
    #0 0x4075e7 in process_file /root/libdoc-master/reader.c:203
    #1 0x401e30 in parse_word_header /root/libdoc-master/analyze.c:123
    #2 0x4020d6 in analyze_format /root/libdoc-master/analyze.c:57
    #3 0x401a93 in doc2text /root/libdoc-master/catdoc.c:55
    #4 0x4018ea in main /root/libdoc-master/example/main.c:23
    #5 0x7fe37b4de82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401668 in _start (/root/libdoc-master/example/doc2txt+0x401668)

0x7fe37c9507fe is located 2 bytes to the left of 524288-byte region [0x7fe37c950800,0x7fe37c9d0800)
allocated by thread T0 here:
    #0 0x7fe37b920602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x407045 in process_file /root/libdoc-master/reader.c:111
    #2 0x40307f  (/root/libdoc-master/example/doc2txt+0x40307f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libdoc-master/reader.c:203 process_file
Shadow bytes around the buggy address:
  0x0ffcef9220a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcef9220b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcef9220c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcef9220d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcef9220e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ffcef9220f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0ffcef922100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcef922110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcef922120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcef922130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcef922140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==30477==ABORTING

FoundBy: [email protected]

Segmentation fault in numutils.c:22 at libdoc master branch(2019/1/29) when using libdoc.a

A crafted input will lead to Segmentation fault in numutils.c:22 at libdoc master branch(2019/1/29) when using libdoc.a

Triggered by

gcc main.c -o doc2txt -L ../build/ -lasan -fsanitize=address -ggdb ../build/libdoc.a
doc2txt [infile]

Poc
libdoc_poc1.zip

The ASAN information is as follows:

ASAN:SIGSEGV
=================================================================
==30179==ERROR: AddressSanitizer: SEGV on unknown address 0x60200028efe8 (pc 0x000000402eeb bp 0x00000000000a sp 0x7ffd46f34450 T0)
    #0 0x402eea in getlong /root/libdoc-master/numutils.c:22
    #1 0x40588a in ole_init /root/libdoc-master/ole.c:176
    #2 0x40201a in analyze_format /root/libdoc-master/analyze.c:50
    #3 0x401a93 in doc2text /root/libdoc-master/catdoc.c:55
    #4 0x4018ea in main /root/libdoc-master/example/main.c:23
    #5 0x7ff33d21882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401668 in _start (/root/libdoc-master/example/doc2txt+0x401668)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libdoc-master/numutils.c:22 getlong

FoundBy: [email protected]
