Created attachment 1316992 [details] Triggered by " ./lou_checktable POC3 " Description of problem: There is a Stack-buffer-overflow in liblouis which is triggered in function parseChars(). Version-Release number of selected component (if applicable): <= latest version How reproducible: ./lou_checktable POC3 Steps to Reproduce: Normal output: $ ./lou_checktable POC3 POC4:17: warning: invalid UTF-8. Assuming Latin-1. POC4:17: warning: invalid UTF-8. Assuming Latin-1. POC4:17: warning: invalid UTF-8. Assuming Latin-1. POC4:17: warning: invalid UTF-8. Assuming Latin-1. POC4:17: warning: invalid UTF-8. Assuming Latin-1. POC4:17: warning: invalid UTF-8. Assuming Latin-1. *** Error in `./lou_checktable': double free or corruption (!prev): 0x00000000017cea20 *** Aborted The GDB && ASAN debugging information is as follows: gdb-peda$ set args POC3 gdb-peda$ r ... Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>) at compileTranslationTable.c:1467 1467 result->chars[out++] = token->chars[lastIn]; gdb-peda$ c 511 Will ignore next 510 crossings of breakpoint 9. Continuing. Cannot resolve table 'elxame:' /home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined. /home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined. /home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:485: error: character class already defined. /home/icy/secreal/liblouis/install_asan/share/liblouis/tables/el.ctb:489: error: character class already defined. Cannot resolve table '.ctb' ... Breakpoint 9, parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>) at compileTranslationTable.c:1467 1467 result->chars[out++] = token->chars[lastIn]; ... Legend: code, data, rodata, value 1467 result->chars[out++] = token->chars[lastIn]; gdb-peda$ n ================================================================= ==61701==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff2492 at pc 0x7ffff7b15dcb bp 0x7ffffff7d730 sp 0x7ffffff7d728 WRITE of size 2 at 0x7fffffff2492 thread T0 #0 0x7ffff7b15dca (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x12dca) #1 0x7ffff7b23212 (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x20212) #2 0x7ffff7b5e547 (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x5b547) #3 0x7ffff7b1a80d (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1780d) #4 0x4dbcaf (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x4dbcaf) #5 0x7ffff6c10abf (/lib/x86_64-linux-gnu/libc.so.6+0x20abf) #6 0x435748 (/home/icy/secreal/liblouis/install_asan/bin/lou_checktable+0x435748) Address 0x7fffffff2492 is located in stack of thread T0 at offset 478194 in frame #0 0x7ffff7b1d92f (/home/icy/secreal/liblouis/install_asan/lib/liblouis.so.14+0x1a92f) This frame has 134 object(s): [32, 4130) 'token.i387' [4400, 8498) 'token.i384' [8768, 8772) 'offset.i47.i' [8784, 8788) 'offset.i26.i' [8800, 8804) 'offset.i3.i' [8816, 8820) 'offset.i.i338' [8832, 12930) 'token.i.i339' [13200, 17298) 'ruleChars.i340' [17568, 21666) 'ruleDots.i341' [21936, 26034) 'upperDots.i' [26304, 30402) 'lowerDots.i' [30672, 30676) 'offset.i18.i' [30688, 30692) 'offset.i10.i' [30704, 30708) 'offset.i2.i' [30720, 30724) 'offset.i.i' [30736, 34834) 'token.i.i' [35104, 39202) 'name.i322' [39472, 43570) 'groupChars.i' [43840, 47938) 'groupDots.i' [48208, 52306) 'dotsParsed.i' [52576, 56674) 'token.i319' [56944, 61042) 'token.i316' [61312, 65410) 'ruleChars.i' [65680, 69778) 'ruleDots.i' [70048, 74146) 'name.i' [74416, 78514) 'matches.i' [78784, 82882) 'replacements.i' [83152, 87250) 'token.i308' [87520, 87522) '' [87536, 91634) 'token.i281' [91904, 96000) 'wname.i' [96128, 100226) 'token.i266' [100496, 100500) 'offset.i255' [100512, 100516) 'offset.i' [100528, 104626) 'token.i249' [104896, 108994) 'token.i246' [109264, 113362) 'token.i243' [113632, 117730) 'token.i240' [118000, 122098) 'token.i237' [122368, 126466) 'token.i234' [126736, 130834) 'token.i231' [131104, 135202) 'token.i227' [135472, 139570) 'cells.i228' [139840, 143938) 'token.i223' [144208, 148306) 'cells.i224' [148576, 152674) 'token.i213' [152944, 157042) 'token.i210' [157312, 161410) 'token.i207' [161680, 165778) 'token.i197' [166048, 170146) 'token.i187' [170416, 174514) 'token.i177' [174784, 178882) 'token.i173' [179152, 183250) 'cells.i174' [183520, 187618) 'token.i163' [187888, 191986) 'token.i153' [192256, 196354) 'token.i147' [196624, 200722) 'token.i143' [200992, 205090) 'cells.i144' [205360, 209458) 'token.i140' [209728, 213826) 'token.i137' [214096, 218194) 'token.i134' [218464, 222562) 'token.i130' [222832, 226930) 'cells.i131' [227200, 231298) 'token.i119' [231568, 235666) 'token.i115' [235936, 240034) 'cells.i116' [240304, 244402) 'token.i111' [244672, 248770) 'cells.i112' [249040, 253138) 'token.i105' [253408, 257506) 'tmp.i106' [257776, 261874) 'token.i101' [262144, 266242) 'cells.i102' [266512, 270610) 'token.i97' [270880, 274978) 'cells.i98' [275248, 279346) 'token.i93' [279616, 283714) 'cells.i94' [283984, 288082) 'token.i89' [288352, 292450) 'cells.i90' [292720, 296818) 'token.i85' [297088, 301186) 'cells.i86' [301456, 305554) 'token.i81' [305824, 309922) 'cells.i82' [310192, 314290) 'token.i76' [314560, 318658) 'token.i72' [318928, 323026) 'cells.i73' [323296, 327394) 'token.i68' [327664, 331762) 'cells.i69' [332032, 336130) 'token.i64' [336400, 340498) 'cells.i65' [340768, 344866) 'token.i60' [345136, 349234) 'cells.i61' [349504, 353602) 'token.i56' [353872, 357970) 'cells.i57' [358240, 362338) 'token.i52' [362608, 366706) 'cells.i53' [366976, 371074) 'token.i48' [371344, 375442) 'cells.i49' [375712, 379810) 'token.i46' [380080, 384178) 'tmp.i' [384448, 388546) 'token.i42' [388816, 392914) 'cells.i43' [393184, 397282) 'token.i39' [397552, 401650) 'token.i36' [401920, 406018) 'token.i33' [406288, 410386) 'token.i30' [410656, 414754) 'token.i28' [415024, 419122) 'token.i25' [419392, 423490) 'token.i23' [423760, 427858) 'token.i21' [428128, 432226) 'token.i' [432496, 436594) 'cells.i' [436864, 436866) '' [436880, 440978) 'hyph.i' [441248, 445346) 'word.i' [445616, 447664) 'pattern.i' [447792, 447808) 'dict.i' [447824, 447828) 'holdOffset.i' [447840, 447844) 'lastToken' [447856, 451954) 'token' [452224, 456322) 'ruleChars' [456592, 460690) 'ruleDots' [460960, 465058) 'cells' [465328, 469426) 'scratchPad' [469696, 473794) 'emphClass' [474064, 474068) 'after' [474080, 474084) 'before' [474096, 478194) 'includedFile' <== Memory access at offset 478194 overflows this variable [478464, 482562) 'ptn_before' [482832, 486930) 'ptn_after' [487200, 487204) 'offset' [487216, 491314) 'ptn_before1' [491584, 495682) 'ptn_after2' [495952, 495956) 'offset3' [495968, 500066) 'characters' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) Shadow bytes around the buggy address: 0x10007fff6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007fff6490: 00 00[02]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x10007fff64a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x10007fff64b0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff64c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff64d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==61701==ABORTING [Inferior 1 (process 61701) exited with code 01] Warning: not running or target is remote gdb-peda$ The vulnerability was triggered in function: parseChars (nested=<optimized out>, result=<optimized out>, token=<optimized out>) at compileTranslationTable.c:1467 1462 if (in >= MAXSTRING) 1463 break; 1464 if (token->chars[in] < 128 || (token->chars[in] & 0x0040)) 1465 { 1466 compileWarning (nested, "invalid UTF-8. Assuming Latin-1."); 1467 result->chars[out++] = token->chars[lastIn]; 1468 in = lastIn + 1; 1469 continue; 1470 } 1471 utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f); Actual results: crash Expected results: crash Additional info: Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.