CVE-2021-46142: uriNormalizeSyntax* may free stack memory in out-of-memory situation when handling URIs containing empty segments · Issue #122 · uriparser/uriparser
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
A bug was found within uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic were checked beforehand.
The bug was found with a fuzzer based on the test code `NormalizeSyntaxExMm`.

Crash log:

```
==3440==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7ffd2468e6e0 T0)
==3440==The signal is caused by a WRITE memory access.
    #0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
    #1 0x493d41 in free
    #2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*)
    #3 0x7faf2e1ac4b2 in uriNormalizeSyntaxExMmA_
```
Steps to reproduce:

- `git clone https://github.com/uriparser/uriparser.git`
- `cd uriparser && mkdir build && cd build`
- Build:
  ```sh
  cmake -DCMAKE_BUILD_TYPE=Release -DURIPARSER_BUILD_DOCS:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON …
  make -j8
  ```
- Download the attached file (2.cpp)
- Build the test code (2.cpp):
  ```sh
  clang++ -g -fsanitize=address,fuzzer-no-link -o 2 2.cpp -I uriparser/include/ -I uriparser/ -Luriparser/build -luriparser
  ```
- Run:
  ```sh
  LD_LIBRARY_PATH=uriparser/build/ ./2
  ```
OS: Ubuntu 18.04

Attachment: uriparser_poc2.tar.gz
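The crash log above shows the fuzz harness reaching `free` through its own `countingFree` hook in a `UriMemoryManagerStruct`, i.e. through the caller-supplied memory manager that the `*Mm` variants of the uriparser API accept. That is the practical way to exercise an out-of-memory path: let the memory manager fail allocation number N and watch what the error path releases. The following is an added example by the editor, not uriparser's code, the reporter's 2.cpp, or the actual defect: a constructed C model of the bug class named in the title (an error path that frees memory it does not own once an allocation fails), next to a hardened form, driven by a hypothetical fault-injecting allocator. `FaultAlloc`, `UriParts`, `split_uri`, `normalize_vulnerable`, `normalize_fixed`, `run_case` and the sample URI are all assumptions made for the illustration; nothing here reproduces the real control flow of `uriNormalizeSyntax*`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical fault-injecting allocator standing in for the counting memory
 * manager the fuzz harness handed to uriparser: allocation number fail_at
 * returns NULL (simulated OOM), and free() of a pointer it never handed out,
 * such as a stack buffer, is counted instead of crashing the process. */
typedef struct {
    size_t fail_at, count;       /* fail the fail_at-th allocation (0 = never); calls so far */
    void  *live[16]; size_t live_count;   /* outstanding heap blocks */
    size_t invalid_frees;        /* frees of pointers this allocator never handed out */
} FaultAlloc;

static void *fa_malloc(FaultAlloc *fa, size_t n) {
    if (++fa->count == fa->fail_at || fa->live_count == 16) return NULL;
    void *p = malloc(n);
    if (p) fa->live[fa->live_count++] = p;
    return p;
}

static void fa_free(FaultAlloc *fa, void *p) {
    if (p == NULL) return;
    for (size_t i = 0; i < fa->live_count; i++)
        if (fa->live[i] == p) { fa->live[i] = fa->live[--fa->live_count]; free(p); return; }
    fa->invalid_frees++;   /* ASan would abort here with a bad-free report */
}

/* Toy URI: scheme and path are views into the caller's buffer until a
 * normalizer replaces them with heap copies and sets the *_owned flags. */
typedef struct { char *scheme, *path; int scheme_owned, path_owned; } UriParts;

static void split_uri(char *buf, UriParts *p) {
    char *colon = strchr(buf, ':');
    p->scheme = buf;
    p->path = colon ? (*colon = '\0', colon + 1) : buf + strlen(buf);
    p->scheme_owned = p->path_owned = 0;
}

static char *dup_text(FaultAlloc *fa, const char *s, int lower) {
    size_t n = strlen(s);
    char *d = fa_malloc(fa, n + 1);   /* heap copy, lower-cased on request */
    for (size_t i = 0; d && i <= n; i++)
        d[i] = lower ? (char)tolower((unsigned char)s[i]) : s[i];
    return d;
}

/* Vulnerable pattern: the error path releases every member without checking
 * ownership, so when the second allocation fails p->path, which still points
 * into the caller's stack buffer, is passed to free(). */
static int normalize_vulnerable(FaultAlloc *fa, UriParts *p) {
    char *s = dup_text(fa, p->scheme, 1);
    if (s == NULL) goto oom;
    p->scheme = s; p->scheme_owned = 1;
    char *t = dup_text(fa, p->path, 0);
    if (t == NULL) goto oom;
    p->path = t; p->path_owned = 1;
    return 0;
oom:
    fa_free(fa, p->scheme);   /* BUG: ignores scheme_owned */
    fa_free(fa, p->path);     /* BUG: ignores path_owned */
    p->scheme = p->path = NULL;
    return -1;
}

/* Hardened form: on failure release only what this call allocated, and hand
 * ownership to the caller only once every allocation has succeeded. */
static int normalize_fixed(FaultAlloc *fa, UriParts *p) {
    char *s = dup_text(fa, p->scheme, 1);
    if (s == NULL) return -1;
    char *t = dup_text(fa, p->path, 0);
    if (t == NULL) { fa_free(fa, s); return -1; }
    p->scheme = s; p->path = t; p->scheme_owned = p->path_owned = 1;
    return 0;
}

typedef struct { int rc; size_t invalid_frees, leaked; char scheme[8]; } CaseResult;
/* Normalize a constructed URI held in a stack buffer, failing allocation number
 * fail_at (0 = no fault), and report what the allocator observed. */
static CaseResult run_case(size_t fail_at, int use_fixed) {
    char buf[] = "HTTP://Example.com//a";   /* constructed sample, lives on the stack */
    FaultAlloc fa = { .fail_at = fail_at };
    UriParts p; CaseResult r = { 0 };
    split_uri(buf, &p);
    r.rc = use_fixed ? normalize_fixed(&fa, &p) : normalize_vulnerable(&fa, &p);
    if (r.rc == 0) snprintf(r.scheme, sizeof r.scheme, "%s", p.scheme);
    if (p.scheme_owned) fa_free(&fa, p.scheme);
    if (p.path_owned) fa_free(&fa, p.path);
    r.invalid_frees = fa.invalid_frees; r.leaked = fa.live_count;
    return r;
}

int main(void) {
    for (size_t f = 0; f <= 2; f++)
        printf("fail_at=%zu: vulnerable invalid_frees=%zu, fixed invalid_frees=%zu\n",
               f, run_case(f, 0).invalid_frees, run_case(f, 1).invalid_frees);
    return 0;
}
```

Walking `fail_at` over every allocation a call makes is the cheap version of what the fuzzer did: with no fault injected both normalizers agree, with the second allocation failing only the vulnerable one hands the caller's stack buffer to `free`. Because the allocator validates pointers itself, the harness catches the invalid free as a counter rather than a SIGSEGV, which is convenient when the code under test is linked without ASan; with ASan the same run reports it the way the log above does.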