
#20 Security: heap-buffer-overflow in htmlcxx::HTML::Node::parseAttributes()

Milestone: v1.0 (example)
Status: open
Owner: nobody
Priority: 5
Updated: 2023-11-29
Created: 2023-11-29
Creator: schsiung
Private: No

When dealing with some malicious HTML content, htmlcxx will crash with a heap-buffer-overflow.
The crash can be reproduced with the following steps:
tar -xvf crash.tar.gz
htmlcxx crashes/id\:000001\,sig\:06\,src\:000000+000045\,time\:39\,execs\:1195\,op\:splice\,rep\:7


0@[0;44)
1@[0;6) html
2@[6;12) bod
3@[12;26) hey<2bod����y>
4@[26;37) </h�ml<htm>
5@[37;44) bodyeq</htm>


CSS attributes:

@[0:44)

HTML@[0:6)

BOD@[6:12)

=================================================================
==2850470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000001508 at pc 0x55bfa8bd5d17 bp 0x7ffec8b5aa50 sp 0x7ffec8b5aa48
READ of size 1 at 0x611000001508 thread T0
#0 0x55bfa8bd5d16 in htmlcxx::HTML::Node::parseAttributes() /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18
#1 0x55bfa8bbac85 in main /data/openeuler/aflbuild/../htmlcxx-0.86/htmlcxx.cc:151:9
#2 0x7f62ced68d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#3 0x7f62ced68e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
#4 0x55bfa8af1a94 in _start (/data/openeuler/aflbuild/htmlcxx+0x65a94) (BuildId: 4ea70980e50c843e)

0x611000001508 is located 0 bytes to the right of 200-byte region [0x611000001440,0x611000001508)
allocated by thread T0 here:
#0 0x55bfa8baf72d in operator new(unsigned long) (/data/openeuler/aflbuild/htmlcxx+0x12372d) (BuildId: 4ea70980e50c843e)
#1 0x55bfa8bc7f54 in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::replace<tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator>(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::pre_order_iterator, tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::iterator_base const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h
#2 0x55bfa8bc183c in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::copy_(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > > const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h:461:10
#3 0x55bfa8bb828d in tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > >::operator=(tree<htmlcxx::HTML::Node, std::allocator<tree_node_<htmlcxx::HTML::Node> > > const&) /data/openeuler/aflbuild/../htmlcxx-0.86/html/tree.h:438:4
#4 0x55bfa8bb828d in main /data/openeuler/aflbuild/../htmlcxx-0.86/htmlcxx.cc:114:6
#5 0x7f62ced68d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18 in htmlcxx::HTML::Node::parseAttributes()
Shadow bytes around the buggy address:
0x0c227fff8250: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8270: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c227fff8280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff82a0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff82b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff82c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c227fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2850470==ABORTING

https://github.com/dhoerl/htmlcxx/issues/12

1 Attachments
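Triage of the sanitizer report in this ticket, as an added example that is not code from the htmlcxx project or from the reporter: a small Python parser that pulls the bug type, the access kind and size, the adjacent heap region and the faulting stack out of an AddressSanitizer report, and derives a deduplication key from the first frame that resolves to a source location. The sample input is the report quoted above, trimmed to the lines the parser needs; the key format, the frame-filtering rule and the severity hint are this example's own conventions, not anything ASan or htmlcxx define.

```python
"""Minimal AddressSanitizer report triage (added example; not part of htmlcxx)."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines of the ASan report quoted in the ticket.
SAMPLE_REPORT = """\
=================================================================
==2850470==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000001508 at pc 0x55bfa8bd5d17 bp 0x7ffec8b5aa50 sp 0x7ffec8b5aa48
READ of size 1 at 0x611000001508 thread T0
    #0 0x55bfa8bd5d16 in htmlcxx::HTML::Node::parseAttributes() /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18
    #1 0x55bfa8bbac85 in main /data/openeuler/aflbuild/../htmlcxx-0.86/htmlcxx.cc:151:9
    #2 0x7f62ced68d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)

0x611000001508 is located 0 bytes to the right of 200-byte region [0x611000001440,0x611000001508)
allocated by thread T0 here:
    #0 0x55bfa8baf72d in operator new(unsigned long) (/data/openeuler/aflbuild/htmlcxx+0x12372d) (BuildId: 4ea70980e50c843e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/openeuler/aflbuild/html/../../htmlcxx-0.86/html/Node.cc:28:18 in htmlcxx::HTML::Node::parseAttributes()
==2850470==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
# Symbolized frames look like "#0 0x... in func file:line:col"; unsymbolized ones
# have no "in func" part. Function names containing spaces are not handled here.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ (?:in (\S+) )?(\S+)")
LOCATION_RE = re.compile(r"(.+?):(\d+)(?::\d+)?$")


@dataclass
class AsanFinding:
    bug_type: str
    address: int
    access: Optional[str] = None          # "READ" or "WRITE"
    size: Optional[int] = None            # bytes accessed
    region: Optional[Tuple[int, int]] = None   # [start, end) of the nearest heap region
    side: Optional[str] = None            # which side of that region the access fell on
    distance: Optional[int] = None        # bytes beyond the region edge (0 = first byte outside)
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location)


def parse_asan(report: str) -> AsanFinding:
    """Extract the error line, the access line, the region line and the faulting stack."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    finding = AsanFinding(bug_type=m.group(1), address=int(m.group(2), 16))

    m = REGION_RE.search(report)
    if m:
        finding.distance, finding.side = int(m.group(1)), m.group(2)
        finding.region = (int(m.group(4), 16), int(m.group(5), 16))

    # The faulting stack is the run of frames right after the READ/WRITE line,
    # ending at the first blank line (the allocation stack comes later).
    in_stack = False
    for line in report.splitlines():
        am = ACCESS_RE.match(line)
        if am:
            finding.access, finding.size = am.group(1), int(am.group(2))
            in_stack = True
            continue
        if in_stack:
            if not line.strip():
                break
            fm = FRAME_RE.match(line)
            if fm:
                finding.frames.append((fm.group(2) or "??", fm.group(3)))
    return finding


def crash_key(f: AsanFinding) -> str:
    """Deduplication key: bug type plus the first frame with a source location.
    Column numbers and directories are dropped so that the same fault reached via
    slightly different paths buckets together. Key format is this example's own."""
    for func, loc in f.frames:
        lm = LOCATION_RE.match(loc)
        if func == "??" or not lm:
            continue
        return f"{f.bug_type}|{func}|{os.path.basename(lm.group(1))}:{lm.group(2)}"
    return f"{f.bug_type}|unknown"


def severity_hint(f: AsanFinding) -> str:
    """Coarse triage rule (this example's convention): an out-of-bounds WRITE is
    memory corruption; an out-of-bounds READ is a crash or over-read."""
    return "high (memory corruption)" if f.access == "WRITE" else "medium (crash / over-read)"


def describe(f: AsanFinding) -> str:
    region = ""
    if f.region is not None:
        region = (f" {f.distance} bytes to the {f.side} of a "
                  f"{f.region[1] - f.region[0]}-byte heap region")
    return f"{f.size}-byte {f.access} {f.bug_type}{region}; key={crash_key(f)}"


if __name__ == "__main__":
    finding = parse_asan(SAMPLE_REPORT)
    print(describe(finding))
    print("severity:", severity_hint(finding))
```

Running the block on the sample prints a one-line summary (a 1-byte READ, 0 bytes past the end of a 200-byte heap region, keyed on `Node.cc:28`); feeding it each ASan log from a fuzzing run and grouping by `crash_key` is the usual first step in separating distinct faults from duplicates.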
