CVE-2022-29358: Integer overflow bug in _parse_special_tag function, sxmlc.c · Issue #22 · kevinboone/epub2txt2
epub2txt2 v2.04 was discovered to contain an integer overflow in the function _parse_special_tag in sxmlc.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted XML file.
Hi, there is an integer overflow bug in the _parse_special_tag function in sxmlc.c.
```c
static TagType _parse_special_tag(const SXML_CHAR* str, int len, _TAG* tag, XMLNode* node)
{
	if (sx_strncmp(str, tag->start, tag->len_start))
		return TAG_NONE;

	if (sx_strncmp(str + len - tag->len_end, tag->end, tag->len_end)) /* There probably is a '>' inside the tag */
		return TAG_PARTIAL;

	/* No check that len >= tag->len_start + tag->len_end: the inner length can go negative */
	node->tag = __malloc((len - tag->len_start - tag->len_end + 1)*sizeof(SXML_CHAR));
	if (node->tag == NULL)
		return TAG_ERROR;

	/* A negative length is converted to a huge size_t here */
	sx_strncpy(node->tag, str + tag->len_start, len - tag->len_start - tag->len_end);
	node->tag[len - tag->len_start - tag->len_end] = NULC;
	node->tag_type = tag->tag_type;

	return node->tag_type;
}
```
It passes ((len - tag->len_start - tag->len_end + 1)*sizeof(SXML_CHAR)) as a parameter to the malloc function.
If (len - tag->len_start - tag->len_end) == -1, then (len - tag->len_start - tag->len_end + 1) == 0.
It is legal to use 0 as an argument to the malloc function, and it will successfully return the address of a small heap chunk.
However, in line 1214, it passes (len - tag->len_start - tag->len_end) as a parameter to the strncpy function.
-1 will be coerced to an unsigned integer: 0xffffffffffffffff. It is a huge size and will make the program crash.
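As an added illustration (not code from sxmlc or epub2txt), here is a hardened version of the same length arithmetic in C: it rejects any `len` smaller than the combined delimiter length before allocating or copying, so the -1 case described above becomes a TAG_PARTIAL return instead of a huge strncpy. The struct, enum values and the comment delimiters `<!--` / `-->` are assumptions standing in for sxmlc's own types.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for sxmlc's _TAG (assumption): start/end delimiters of a special tag. */
typedef struct {
    const char *start; int len_start;
    const char *end;   int len_end;
} special_tag_t;

enum { TAG_NONE = 0, TAG_PARTIAL, TAG_ERROR, TAG_OK };

/* Validated inner length. The original computes len - len_start - len_end
   unchecked; here a result that would be negative yields -1 instead. */
static int inner_length(int len, const special_tag_t *tag)
{
    if (len < 0 || tag->len_start < 0 || tag->len_end < 0) return -1;
    if (len < tag->len_start + tag->len_end) return -1; /* would become SIZE_MAX in strncpy */
    return len - tag->len_start - tag->len_end;
}

/* Same shape as _parse_special_tag, but validates before it allocates or copies.
   On TAG_OK, *out is a malloc'd NUL-terminated copy of the text between the delimiters. */
static int parse_special_tag_checked(const char *str, int len,
                                     const special_tag_t *tag, char **out)
{
    *out = NULL;
    if (len < tag->len_start || strncmp(str, tag->start, (size_t)tag->len_start) != 0)
        return TAG_NONE;
    int inner = inner_length(len, tag);
    if (inner < 0) return TAG_PARTIAL; /* closing delimiter cannot fit: incomplete tag */
    if (strncmp(str + len - tag->len_end, tag->end, (size_t)tag->len_end) != 0)
        return TAG_PARTIAL;
    char *buf = malloc((size_t)inner + 1);
    if (buf == NULL) return TAG_ERROR;
    memcpy(buf, str + tag->len_start, (size_t)inner);
    buf[inner] = '\0';
    *out = buf;
    return TAG_OK;
}
```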
poc:
poc.zip
To reproduce:

```
$ wget https://github.com/kevinboone/epub2txt2/files/8482640/poc.zip
......
$ unzip poc.zip
Archive:  poc.zip
  inflating: poc
$ ls
epub2txt  poc  poc.zip
$ ./epub2txt --version
epub2txt version 2.04
Copyright (c)2013-2022 Kevin Boone and contributors
Distributed under the terms of the GNU Public Licence, v3.0
$ ./epub2txt poc
/tmp/epub2txt5552/OPS/epb.opf bad CRC cb87c959 (should be 0192f2f4)
Segmentation fault (core dumped)
```
epub2txt is built with:

```
git clone https://github.com/kevinboone/epub2txt2 && cd epub2txt2
make && sudo make install
```
Tested on: Ubuntu 20.04