Headline
CVE-2021-26948: SEGV on unknown address 0x000000000000 · Issue #410 · michaelrsweet/htmldoc
Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.
While fuzzing htmldoc I found a segmentation fault in the copy_image() function, in epub.cxx:1221
testcase:(zipped so GitHub accepts it)
crash01.html.zip
reproduced by running:
htmldoc -f demo.epub crash01.html
htmldoc Version v1.9.11 git [master 0f9d20]
tested on:
OS :Ubuntu 20.04.1 LTS
kernel: 5.4.0-53-generic
compiler: clang version 10.0.0-4ubuntu1
Target: x86_64-pc-linux-gnu
OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)
Install from snap or download mac dmg don’t crash for this testcase.
addresssanitizer
==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0) ==3252595==The signal is caused by a READ memory access. ==3252595==Hint: address points to the zero page. #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/…/bits/stdlib-bsearch.h:33:23 #2 0x4c81b0 in copy_image(_zipc_s, char const) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25 #3 0x4c8434 in copy_images(_zipc_s, tree_str) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11 #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13 #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3 #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/…/csu/libc-start.c:308:16 #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp ==3252595==ABORTING
gdb
─[ DISASM ]─ ► 0x7ffff7de1ed7 <__strcmp_avx2+887> vmovdqu ymm1, ymmword ptr [rdi + rdx] 0x7ffff7de1edc <__strcmp_avx2+892> vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx] 0x7ffff7de1ee1 <__strcmp_avx2+897> vpminub ymm0, ymm0, ymm1 0x7ffff7de1ee5 <__strcmp_avx2+901> vpcmpeqb ymm0, ymm0, ymm7 0x7ffff7de1ee9 <__strcmp_avx2+905> vpmovmskb ecx, ymm0 0x7ffff7de1eed <__strcmp_avx2+909> test ecx, ecx 0x7ffff7de1eef <__strcmp_avx2+911> jne __strcmp_avx2+848 <__strcmp_avx2+848> ↓ 0x7ffff7de1eb0 <__strcmp_avx2+848> add rdi, rdx 0x7ffff7de1eb3 <__strcmp_avx2+851> add rsi, rdx 0x7ffff7de1eb6 <__strcmp_avx2+854> tzcnt edx, ecx 0x7ffff7de1eba <__strcmp_avx2+858> movzx eax, byte ptr [rdi + rdx] ─[ STACK ]── 00:0000│ rsp 0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test eax, eax 01:0008│ 0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— … 02:0010│ 0x7fffffffd958 ◂— 0x8 03:0018│ 0x7fffffffd960 ◂— 0x0 04:0020│ 0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— … 05:0028│ 0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480 06:0030│ 0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 (‘data:ima’) 07:0038│ 0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* ‘SRC’ */
pwndbg> bt #0 __strcmp_avx2 () at …/sysdeps/x86_64/multiarch/strcmp-avx2.S:736 #1 0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char, char)>) at …/bits/stdlib-bsearch.h:33 #2 0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 “data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC”) at epub.cxx:1235 #3 0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288 #4 0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211 #5 0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291 #6 0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at …/csu/libc-start.c:308 #7 0x000055555555d54e in _start () at htmldoc.cxx:1315
The bug locate in epub.cxx:1221 compare_images. The arguments of compare_images didn’t checked so strcmp() lead a segfault due to to null pointer.