View Issue Details

ID: 0005846
Project: libextractor
Category: extract
View Status: public
Last Update: 2019-08-23 09:39
Reporter: jianglin
Assigned To: Christian Grothoff
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: linux
OS: ubuntu
OS Version: 16.4
Product Version: 1.9
Target Version: 1.10
Fixed in Version: 1.10
Summary: 0005846: A heap-buffer-overflow vulnerability in function EXTRACTOR_dvi_extract_method in dvi_extractor.c
Description: In the EXTRACTOR_dvi_extract_method function, klen is read from the file, so a crafted file can set klen to an invalid value. When it exceeds the valid size, it causes an overflow and triggers a crash in the code.
Steps To Reproduce: extract -i ../crashes/EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow
Tags: Error
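The pattern behind this report, as an added example that is not libextractor's dvi_extractor.c and not the attached crash file: a one-byte length field (klen) taken from the file is used as a copy length, so a crafted file can make klen larger than the bytes that remain in the heap buffer holding the input. The function names (read_name_unchecked, read_name_checked), the destination buffer size and the two sample inputs are constructed for illustration; the crafted input only borrows the klen value 249 from the reporter's debugger session.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from libextractor. It isolates the shape
 * of the bug: the length byte comes from the file and is never compared
 * with the number of bytes that actually follow it in the input buffer. */

/* Vulnerable shape: trusts klen. Clamping to the destination size stops a
 * write overflow but does nothing about reading past the end of `data`,
 * which is the heap-buffer-overflow (over-read) this report describes.
 * Only safe to call on inputs where klen really fits. */
static size_t
read_name_unchecked (const uint8_t *data, size_t pos,
                     char *out, size_t out_size)
{
  size_t klen = data[pos];                 /* attacker-controlled length */
  size_t n = klen < out_size - 1 ? klen : out_size - 1;
  memcpy (out, data + pos + 1, n);         /* no check against input size */
  out[n] = '\0';
  return klen;
}

/* Hardened shape: klen is checked against the bytes remaining after the
 * length byte before anything is copied. Returns klen on success and -1
 * when the field would run past the end of the input or the destination. */
static int
read_name_checked (const uint8_t *data, size_t size, size_t pos,
                   char *out, size_t out_size)
{
  if (pos >= size)
    return -1;                             /* length byte itself is missing */
  size_t klen = data[pos];
  if (klen > size - pos - 1)
    return -1;                             /* name would extend past buffer */
  if (klen >= out_size)
    return -1;                             /* would not fit the destination */
  memcpy (out, data + pos + 1, klen);
  out[klen] = '\0';
  return (int) klen;
}

/* Constructed inputs (hypothetical): a well-formed 5-byte name, and a
 * field whose klen is 249 while only 3 bytes follow it. */
static const uint8_t benign_input[]  = { 0x05, 'c', 'm', 'r', '1', '0' };
static const uint8_t crafted_input[] = { 0xF9, 'x', 'y', 'z' };

/* Named results so the behaviour can be checked without printing. */
static int
demo_benign (void)
{
  char name[32];
  int klen = read_name_checked (benign_input, sizeof benign_input, 0,
                                name, sizeof name);
  return (klen == 5 && 0 == strcmp (name, "cmr10")) ? klen : -2;
}

static int
demo_crafted (void)
{
  char name[32];
  return read_name_checked (crafted_input, sizeof crafted_input, 0,
                            name, sizeof name);
}

int
main (void)
{
  char name[32];
  read_name_unchecked (benign_input, 0, name, sizeof name);
  printf ("unchecked, benign input: name=\"%s\"\n", name);
  printf ("checked, benign input: klen=%d\n", demo_benign ());
  printf ("checked, crafted input: %d (rejected)\n", demo_crafted ());
  /* read_name_unchecked (crafted_input, 0, name, sizeof name) would copy
   * 31 bytes starting 1 byte into a 4-byte array: the over-read. */
  return 0;
}
```

The check that matters is the comparison of klen with `size - pos - 1`, i.e. with what is left in the input, not with the size of the destination; clamping only the destination, as the unchecked variant does, leaves exactly the over-read ASan reported here.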

Activities

jianglin

2019-08-21 09:31

reporter  

EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md (3,815 bytes)
EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow (112 bytes)

jianglin

2019-08-21 12:10

reporter   ~0014800

The data points to a chunk whose size is 129, but trying to read 249 triggers a heap overflow.
pwndbg> malloc_chunk data-0x10
0x6072a0 FASTBIN {
  prev_size = 0,
  size = 129,
  fd = 0xf914f9f9fffe02f7,
  bk = 0xf9f9f9f9f9f9f9f9,
  fd_nextsize = 0xe8f9f9fffffffff8,
  bk_nextsize = 0xf9f9f9f9f9f9f903
}
pwndbg> p klen
$4 = 249

jianglin

2019-08-21 12:11

reporter  

EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md (4,210 bytes)

Christian Grothoff

2019-08-23 09:38

manager   ~0014801

Fixed in 1ecee9a..756ba06, thanks for reporting!

Issue History

Date Modified Username Field Change
2019-08-21 09:31 jianglin New Issue
2019-08-21 09:31 jianglin Tag Attached: Error
2019-08-21 09:31 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow.md
2019-08-21 09:31 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264-5___heap-buffer-overflow
2019-08-21 12:10 jianglin Note Added: 0014800
2019-08-21 12:11 jianglin File Added: EXTRACTOR_dvi_extract_method@dvi_extractor.c_264_heapbufferoverflow(1).md
2019-08-23 09:38 Christian Grothoff Note Added: 0014801
2019-08-23 09:38 Christian Grothoff Assigned To => Christian Grothoff
2019-08-23 09:38 Christian Grothoff Status new => resolved
2019-08-23 09:38 Christian Grothoff Resolution open => fixed
2019-08-23 09:38 Christian Grothoff Fixed in Version => 1.10
2019-08-23 09:39 Christian Grothoff Target Version => 1.10