Headline
CVE-2018-20822: AddressSanitizer: stack-overflow at Sass::Inspect::operator() (inspect.cpp:977) · Issue #2671 · sass/libsass
LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp).
We found with our fuzzer some stack over flow errors at Sass::Inspect::operator() (inspect.cpp:977)(45f5087) when compiled with Address Sanitizer (using sassc as the driver).
=================================================================
==2828==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd23974fd8 (pc 0x7f7c014511a4 bp 0x7ffd23975850 sp 0x7ffd23974fe0 T0)
#0 0x7f7c014511a3 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a3)
#1 0x7f7bffced43b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12143b)
#2 0x7f7c010a3c86 in bool std::operator==<char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const*) /usr/include/c++/5/bits/basic_string.h:4939
#3 0x7f7c010a3c86 in Sass::Inspect::operator()(Sass::Wrapped_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:977
#4 0x7f7c0109de50 in Sass::Inspect::operator()(Sass::Compound_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:996
#5 0x7f7c010abed7 in Sass::Compound_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2742
#6 0x7f7c010abed7 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1023
#7 0x7f7c010ac3f4 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
#8 0x7f7c010ac3f4 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1061
...
#447 0x7f7c010abed7 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1023
#448 0x7f7c010ac3f4 in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
#449 0x7f7c010ac3f4 in Sass::Inspect::operator()(Sass::Complex_Selector*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1061
#450 0x7f7c010ae63b in Sass::Complex_Selector::perform(Sass::Operation<void>*) /home/hongxu/FUZZ/libsass-orig/src/ast.hpp:2907
#451 0x7f7c010ae63b in Sass::Inspect::operator()(Sass::Selector_List*) /home/hongxu/FUZZ/libsass-orig/src/inspect.cpp:1098
SUMMARY: AddressSanitizer: stack-overflow ??:0 __interceptor_strlen
==2828==ABORTING