CVE-2018-10771: stack-buffer-overflow parse.c:4081 in get_key(struct SYMBOL *s) · Issue #17 · lewdlime/abcm2ps

Stack-based buffer overflow in the get_key function in parse.c in abcm2ps through 8.13.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

https://drive.google.com/open?id=1HE9cht7WJPauA66acyJrEywXX8R4Hg-2

(gdb) set args POC2
(gdb) r
Starting program: /home/afl/parse/eval/abcm2ps/new_ver/abcm2ps/abcm2ps POC2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
abcm2ps-8.13.20 (2018-02-21)
File POC2
POC2:6:2: error: Bad character
6 [1�
^
POC2:6:3: error: Bad character
6 [1�
^
*** stack smashing detected ***: /home/afl/parse/eval/abcm2ps/new_ver/abcm2ps/abcm2ps terminated

Program received signal SIGABRT, Aborted.
0x00007ffff68bc428 in __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:54
54 …/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) bt
#0 0x00007ffff68bc428 in __GI_raise (sig=sig@entry=6) at …/sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff68be02a in __GI_abort () at abort.c:89
#2 0x00007ffff68fe7ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6a1649f "*** %s ***: %s terminated\n") at …/sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff69a015c in __GI___fortify_fail (msg=,
msg@entry=0x7ffff6a16481 "stack smashing detected") at fortify_fail.c:37
#4 0x00007ffff69a0100 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x0000000000546f05 in get_key (s=s@entry=0x82a828) at parse.c:4081
#6 0x00000000005684c8 in get_info (s=s@entry=0x82a828) at parse.c:2882
#7 0x0000000000574348 in do_tune () at parse.c:3484
#8 0x0000000000414731 in abc_eof () at abcparse.c:200
#9 0x00000000004e45e9 in frontend (s=,
s@entry=0x827ea0 "C>ZE\rC3\356E\rX:\374\rK:P>b_g=C&C,f\347(C&C\250:5ZV"Cx\001E\rw:\347\r[1\233", ftype=ftype@entry=0, fname=fname@entry=0x827ee0 "POC2", linenum=6, linenum@entry=0) at front.c:901
#10 0x000000000040b98d in treat_file (fn=, ext=) at abcm2ps.c:239
#11 0x00000000004084f9 in main (argc=0, argv=) at abcm2ps.c:1040
