CVE-2021-46141: .hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs · Issue #121 · uriparser/uriparser
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
A bug was found within uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic were checked beforehand.
The bug was found with a fuzzer based on the test code "TestNormalizeSyntaxMaskRequired".
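The report describes a member that is freed as if it were owned heap memory when it was never duped. The following is an added illustration of that bug class, not uriparser's code and not the attached 1.cpp: a constructed C model in which parsed text ranges alias the caller's input until a make-owner step copies them, next to a defective make-owner that skips the host member, plus an ownership invariant a unit test or fuzz harness can assert before calling the free routine. All names (ToyUri, toy_parse, toy_make_owner, toy_make_owner_skipping_host, toy_ownership_consistent, toy_free_members, toy_demo) and the sample input are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A text range that points either into the caller's input or at a heap copy. */
typedef struct { const char *first; const char *afterLast; } TextRange;

/* Toy stand-in (assumed name) for a parsed URI; .host plays the role of the
 * .hostText member named in the report. owner is 1 only once every range is a heap copy. */
typedef struct { TextRange scheme, host, path; int owner; } ToyUri;

/* Parse "scheme://host/path" (a constructed toy grammar) into ranges that alias `text`;
 * nothing is allocated, so `text` must outlive the struct until toy_make_owner() has run. */
int toy_parse(ToyUri *u, const char *text) {
    const char *sep = strstr(text, "://");
    if (sep == NULL) return 0;
    const char *host = sep + 3;
    const char *slash = strchr(host, '/');
    if (slash == NULL) return 0;
    u->scheme.first = text;  u->scheme.afterLast = sep;
    u->host.first = host;    u->host.afterLast = slash;
    u->path.first = slash;   u->path.afterLast = text + strlen(text);
    u->owner = 0;
    return 1;
}

/* NUL-terminated heap copy of a range, or NULL on allocation failure. */
static char *dup_text(const TextRange *r) {
    size_t len = (size_t)(r->afterLast - r->first);
    char *copy = malloc(len + 1);
    if (copy != NULL) { memcpy(copy, r->first, len); copy[len] = '\0'; }
    return copy;
}
static void set_range(TextRange *r, char *s) { r->first = s; r->afterLast = s + strlen(s); }

/* Correct make-owner: all copies are made before any member or the owner
 * flag is touched, so the struct is never left half-owned. */
int toy_make_owner(ToyUri *u) {
    if (u->owner) return 1;
    char *s = dup_text(&u->scheme), *h = dup_text(&u->host), *p = dup_text(&u->path);
    if (!s || !h || !p) { free(s); free(h); free(p); return 0; }   /* free(NULL) is a no-op */
    set_range(&u->scheme, s); set_range(&u->host, h); set_range(&u->path, p);
    u->owner = 1;
    return 1;
}

/* Defective variant modelling the report's failure mode: host is never duped,
 * yet owner is set, so freeing .host later would pass a pointer into the
 * caller's input buffer to free(). */
int toy_make_owner_skipping_host(ToyUri *u) {
    if (u->owner) return 1;
    char *s = dup_text(&u->scheme), *p = dup_text(&u->path);
    if (!s || !p) { free(s); free(p); return 0; }
    set_range(&u->scheme, s); set_range(&u->path, p);
    u->owner = 1;   /* wrong: u->host still aliases the caller's input */
    return 1;
}

/* True when the range starts inside the input buffer (compared as integers). */
static int aliases_input(const TextRange *r, const char *input, size_t len) {
    uintptr_t p = (uintptr_t)r->first, lo = (uintptr_t)input;
    return p >= lo && p <= lo + len;
}

/* Invariant a unit test or fuzz harness can assert before freeing:
 * owner set => no member aliases the input; owner clear => all of them do. */
int toy_ownership_consistent(const ToyUri *u, const char *input) {
    size_t len = strlen(input);
    int n = aliases_input(&u->scheme, input, len)
          + aliases_input(&u->host, input, len)
          + aliases_input(&u->path, input, len);
    return u->owner ? (n == 0) : (n == 3);
}

/* Free members only when the owner flag vouches that they are heap copies. */
void toy_free_members(ToyUri *u) {
    if (!u->owner) return;
    free((char *)u->scheme.first);
    free((char *)u->host.first);
    free((char *)u->path.first);
    memset(u, 0, sizeof *u);
}

/* Runs both paths on a constructed input; returns 1 when the invariant check
 * accepts the fully owned struct and rejects the half-owned one. */
int toy_demo(void) {
    const char *input = "http://example.com/index.html";   /* constructed sample */
    ToyUri good, bad;
    if (!toy_parse(&good, input) || !toy_parse(&bad, input)) return 0;
    int ok = toy_ownership_consistent(&good, input);
    ok = ok && toy_make_owner(&good) && toy_ownership_consistent(&good, input);
    toy_free_members(&good);
    ok = ok && toy_make_owner_skipping_host(&bad) && !toy_ownership_consistent(&bad, input);
    /* toy_free_members(&bad) would be the invalid free; release only the heap members. */
    free((char *)bad.scheme.first);
    free((char *)bad.path.first);
    return ok;
}
```

The point of the invariant function is that the owner flag alone cannot be trusted once any member escapes the dup step; a harness built under AddressSanitizer, as in the reproduction steps, catches the same inconsistency only at the moment of the bad free, whereas the per-member check reports it before free() is ever called.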
Crash log:
==2151==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7fff34437d00 T0)
==2151==The signal is caused by a WRITE memory access.
#0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
#1 0x493d41 in free
#2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*)
#3 0x7fca1c05a4b2 in uriNormalizeSyntaxExMmA_
Steps to reproduce:
- git clone https://github.com/uriparser/uriparser.git
- cd uriparser && mkdir build && cd build
- Build:
  cmake -DCMAKE_BUILD_TYPE=Release -DURIPARSER_BUILD_DOCS:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON …
  make -j8
- Download the attached file (1.cpp)
- Build the test code (1.cpp):
  clang++ -g -fsanitize=address,fuzzer-no-link -o 1 1.cpp -I uriparser/include/ -Luriparser/build -luriparser
- Run:
  LD_LIBRARY_PATH=uriparser/build/ ./1
OS: Ubuntu 18.04
uriparser_poc1.tar.gz