NULL pointer dereference in safe mode #81

Closed
ghost opened this issue Sep 16, 2015 · 4 comments

Comments

@ghost

ghost commented Sep 16, 2015

$ echo '[]()' | ./cmark --safe
Segmentation fault (core dumped)
$ gdb --args ./cmark --safe input.md
(gdb) r
Program received signal SIGSEGV, Segmentation fault.
0x0000000000407a38 in _scan_at (scanner=0x427ef6 <_scan_dangerous_url>, c=0x64f448, offset=0)
    at cmark/src/scanners.c:10
10        unsigned char lim = ptr[c->len];
(gdb) p ptr
$1 = (unsigned char *) 0x0
(gdb) bt
#0  0x0000000000407a38 in _scan_at (scanner=0x427ef6 <_scan_dangerous_url>, c=0x64f448, offset=0)
    at cmark/src/scanners.c:10
#1  0x0000000000434baf in S_render_node (node=0x64f3f0, ev_type=CMARK_EVENT_ENTER, state=0x7fffffffcaa0, options=32)
    at cmark/src/html.c:256
#2  0x0000000000434dfc in cmark_render_html (root=0x64f090, options=32)
    at cmark/src/html.c:309
#3  0x0000000000437ee4 in print_document (document=0x64f090, writer=FORMAT_HTML, options=32, width=0)
    at cmark/src/main.c:44
#4  0x0000000000438812 in main (argc=3, argv=0x7fffffffdc68) at cmark/src/main.c:184

afl
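The crash above, as an added example in C that is not cmark's code: a toy chunk type and scanner reproduce the save/terminate/scan/restore pattern that the backtrace points at (scanners.c:10 reads `ptr[c->len]` before anything else), first unchecked, where a destination represented by a NULL pointer faults on that first read, and then with the guard a practitioner would add. The names (chunk_t, scan_at_unchecked, scan_at_checked, destination_chunk, classify_link), the scheme list and the representation of the empty destination in `[]()` as data == NULL are assumptions; the toy `[text](dest)` splitter exists only to build a chunk that views a larger buffer, because the pattern reads and writes the byte just past the chunk.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for cmark's chunk: a view into a larger buffer.
 * Assumption from the gdb session: the empty destination in "[]()" is
 * represented as data == NULL, len == 0. */
typedef struct {
    unsigned char *data;
    size_t len;
} chunk_t;

/* Toy stand-in for the generated _scan_dangerous_url: walks a NUL-terminated
 * string and returns the length of a matched scheme prefix, else 0. */
int scan_dangerous_url(const unsigned char *p) {
    static const char *const schemes[] = {"javascript:", "vbscript:", "file:", "data:"};
    for (size_t s = 0; s < sizeof schemes / sizeof schemes[0]; s++) {
        const char *scheme = schemes[s];
        size_t i = 0;
        for (; scheme[i] != '\0'; i++) {
            unsigned char c = p[i];
            if (c >= 'A' && c <= 'Z') c = (unsigned char)(c - 'A' + 'a');
            if (c == '\0' || c != (unsigned char)scheme[i]) break;
        }
        if (scheme[i] == '\0') return (int)i;
    }
    return 0;
}

/* The pattern the backtrace points at (scanners.c:10): save the byte just past
 * the chunk, NUL-terminate in place, scan, restore. Precondition: data[len]
 * exists and is writable. It never checks data, so a NULL chunk faults on the
 * first line; it is kept here only for comparison and is not called on NULL. */
int scan_at_unchecked(int (*scanner)(const unsigned char *), chunk_t *c, size_t offset) {
    unsigned char *ptr = c->data;
    unsigned char lim = ptr[c->len];        /* NULL dereference when ptr == NULL */
    ptr[c->len] = 0;
    int res = scanner(ptr + offset);
    ptr[c->len] = lim;
    return res;
}

/* Hardened variant: nothing to scan in an absent chunk or past its end,
 * so report "no match" instead of dereferencing. */
int scan_at_checked(int (*scanner)(const unsigned char *), chunk_t *c, size_t offset) {
    unsigned char *ptr = c->data;
    if (ptr == NULL || offset > c->len)
        return 0;
    unsigned char lim = ptr[c->len];
    ptr[c->len] = 0;
    int res = scanner(ptr + offset);
    ptr[c->len] = lim;
    return res;
}

/* What a safe-mode renderer asks before emitting href: drop this destination? */
int destination_is_dangerous(chunk_t *url) {
    return scan_at_checked(scan_dangerous_url, url, 0) > 0;
}

/* Toy link splitter: view the destination inside "[text](dest)" in place, so
 * the byte after the chunk is the writable ')' the scan pattern relies on. */
chunk_t destination_chunk(unsigned char *buf, size_t buflen) {
    chunk_t c = {NULL, 0};
    unsigned char *open = memchr(buf, '(', buflen);
    if (open == NULL) return c;
    unsigned char *close = memchr(open, ')', buflen - (size_t)(open - buf));
    if (close == NULL || close == open + 1) return c;   /* "()" -> NULL chunk */
    c.data = open + 1;
    c.len = (size_t)(close - c.data);
    return c;
}

/* Copy a link into scratch space, classify it, and confirm the scan left the
 * buffer untouched. Returns 2 for an empty destination (reached the scanner
 * without faulting), 1 dangerous, 0 safe, -1 if the buffer was corrupted. */
int classify_link(const char *md) {
    unsigned char buf[256];
    size_t n = strlen(md);
    if (n >= sizeof buf) return -1;
    memcpy(buf, md, n + 1);
    chunk_t c = destination_chunk(buf, n);
    int dangerous = destination_is_dangerous(&c);
    if (memcmp(buf, md, n + 1) != 0) return -1;
    if (c.data == NULL) return 2;
    return dangerous;
}

int main(void) {
    const char *links[] = {"[]()", "[x](JavaScript:alert%281%29)", "[x](https://example.com/)"};
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> %d\n", links[i], classify_link(links[i]));
    return 0;
}
```

The guard in scan_at_checked treats an absent chunk and an out-of-range offset the same way, as "no match", which is the conservative answer for a scanner whose only job is to recognise something; a safe-mode renderer that instead wants to drop anything it cannot inspect would invert that default. Note also what the pattern itself requires even after the guard: the byte at data[len] must be addressable and writable, so it is only valid for chunks that are views into a larger buffer, never for a chunk that ends exactly at the end of its allocation.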

@ghost
Author

ghost commented Sep 16, 2015

I also have a heap buffer overflow under ASan. It looks harmless, but I'm not a security expert.

@jgm jgm closed this as completed in 3e0fa06 Sep 16, 2015
@jgm
Member

jgm commented Sep 16, 2015

+++ opennota [Sep 16 15 06:33 ]:

I also have a heap buffer overflow under ASan. It looks harmless, but
I'm not a security expert.

If you can give more details, that would be helpful.

@ghost
Author

ghost commented Sep 16, 2015

Build cmark with -fsanitize=address, then

$ echo -e "# 000000[0\x00\x0000000000000000000\x000\x00000000000](p0000\\" | ./cmark

Output:

==7307== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600c0000bf38 at pc 0x4cb8dd bp 0x7ffc3308d950 sp 0x7ffc3308d948
READ of size 1 at 0x600c0000bf38 thread T0
    #0 0x4cb8dc (cmark/build/src/cmark+0x4cb8dc)
    #1 0x4537eb (cmark/build/src/cmark+0x4537eb)
    #2 0x446079 (cmark/build/src/cmark+0x446079)
    #3 0x42e25c (cmark/build/src/cmark+0x42e25c)
    #4 0x403057 (cmark/build/src/cmark+0x403057)
    #5 0x7f515758eaa4 (/lib64/libc-2.20.so+0x21aa4)
    #6 0x404369 (cmark/build/src/cmark+0x404369)
0x600c0000bf38 is located 0 bytes to the right of 56-byte region [0x600c0000bf00,0x600c0000bf38)
allocated by thread T0 here:
    #0 0x7f515791a5df (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.4/libasan.so.0.0.0+0x155df)
    #1 0x5514bd (cmark/build/src/cmark+0x5514bd)
Shadow bytes around the buggy address:
  0x0c01ffff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01ffff97e0: 00 00 00 00 00 00 00[fa]fa fa fa fa fd fd fd fd
  0x0c01ffff97f0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c01ffff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01ffff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7307== ABORTING

@jgm
Member

jgm commented Sep 16, 2015

I was able to reproduce this (after make asan on a linux box).

Since this issue is closed, would you mind opening a new
issue and pasting in the content of your last comment?

