You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CFLAGS="-g" LDFLAGS="-g" CC=afl-clang-fast ./configure --disable-shared
AFL_USE_ASAN=1 make -j12
make install
./html2xhtml poc.html
Receive the output:
=================================================================
==209704==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd4c5900760 at pc 0x55e5ebaa1d80 bp 0x7ffee77f5d00 sp 0x7ffee77f54c0
READ of size 513 at 0x7fd4c5900760 thread T0
#0 0x55e5ebaa1d7f in StrstrCheck(void*, char*, char const*, char const*) asan_interceptors.cpp.o
#1 0x55e5ebaa1a1c in strstr (/root/Desktop/workdir/html2xhtml-1.3/fuzz/bin/html2xhtml+0x55a1c) (BuildId: aae9894f09b69ea8bef28f68d73e1991760dd031)
#2 0x55e5ebb89242 in doctype_scan /root/Desktop/workdir/html2xhtml-1.3/src/procesador.c:718:9
#3 0x55e5ebb89242 in saxDoctype /root/Desktop/workdir/html2xhtml-1.3/src/procesador.c:564:14
#4 0x55e5ebb67a40 in yyparse /root/Desktop/workdir/html2xhtml-1.3/src/htmlgr.y:72:3
#5 0x55e5ebb7f915 in main /root/Desktop/workdir/html2xhtml-1.3/src/html2xhtml.c:110:20
#6 0x7fd4c7d00082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x55e5eba8848d in _start (/root/Desktop/workdir/html2xhtml-1.3/fuzz/bin/html2xhtml+0x3c48d) (BuildId: aae9894f09b69ea8bef28f68d73e1991760dd031)
Address 0x7fd4c5900760 is located in stack of thread T0 at offset 864 in frame
#0 0x55e5ebb8908f in saxDoctype /root/Desktop/workdir/html2xhtml-1.3/src/procesador.c:550
This frame has 2 object(s):
[32, 288) 'msg.i' (line 745)
[352, 864) 'buffer.i' (line 710) <== Memory access at offset 864 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow asan_interceptors.cpp.o in StrstrCheck(void*, char*, char const*, char const*)
Shadow bytes around the buggy address:
0x7fd4c5900480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x7fd4c5900500: f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
0x7fd4c5900580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7fd4c5900700: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
0x7fd4c5900780: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fd4c5900980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==209704==ABORTING
Root Cause Analysis
When the strstr function is used, the argument string does not end with a null byte, resulting in a buffer overflow. The buffer variable should be checked for null bytes.
I have attached crash files to help reproduce the issue. poc.zip
The text was updated successfully, but these errors were encountered:
Hi there!
I fuzzed the tool and found some problems
Crash Out Phase
Run:
Receive the output:
Root Cause Analysis
When the strstr function is used, the argument string does not end with a null byte, resulting in a buffer overflow. The buffer variable should be checked for null bytes.
I have attached crash files to help reproduce the issue.
poc.zip
The text was updated successfully, but these errors were encountered: