URL:
<http://savannah.gnu.org/bugs/?45391>
Summary: Out of bounds read in xgettext on malformed input
Project: GNU gettext
Submitted by: hanno
Submitted on: Wed 24 Jun 2015 03:17:28 PM CEST
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
The attached file will cause an out of bounds heap read access in xgettext.
Found with american fuzzy lop. This can be detected with either address
sanitizer or valgrind.
Address Sanitizer trace:
```
==29054==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000c6b2 at pc 0x0000004fad7e bp 0x7fff2b6eb190 sp 0x7fff2b6eb188
READ of size 1 at 0x60200000c6b2 thread T0
#0 0x4fad7d in literalstring_parse
/f/gettext-0.19.4/gettext-tools/src/x-c.c:887:20
#1 0x4f518b in arglist_parser_done
/f/gettext-0.19.4/gettext-tools/src/xgettext.c:3099:31
#2 0x4ff01b in extract_parenthesized
/f/gettext-0.19.4/gettext-tools/src/x-c.c:2111:11
#3 0x4fde0c in extract_parenthesized
/f/gettext-0.19.4/gettext-tools/src/x-c.c:2016:15
#4 0x4fcc35 in extract_whole_file
/f/gettext-0.19.4/gettext-tools/src/x-c.c:2144:11
#5 0x4fae27 in extract_c /f/gettext-0.19.4/gettext-tools/src/x-c.c:2163:3
#6 0x4e93dd in extract_from_file
/f/gettext-0.19.4/gettext-tools/src/xgettext.c:2043:3
#7 0x4e5e6c in main /f/gettext-0.19.4/gettext-tools/src/xgettext.c:818:7
#8 0x7fc9d5a8af9f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
#9 0x43cfa6 in _start (/mnt/ram/gettext/xgettext+0x43cfa6)
0x60200000c6b2 is located 0 bytes to the right of 2-byte region
[0x60200000c6b0,0x60200000c6b2)
allocated by thread T0 here:
#0 0x4c3f72 in malloc (/mnt/ram/gettext/xgettext+0x4c3f72)
#1 0x68ed0a in xmalloc
/f/gettext-0.19.4/gettext-tools/gnulib-lib/xmalloc.c:64:7
#2 0x7fff2b6eb67f (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/f/gettext-0.19.4/gettext-tools/src/x-c.c:887 literalstring_parse
Shadow bytes around the buggy address:
0x0c047fff9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff98d0: fa fa 00 02 fa fa[02]fa fa fa fd fa fa fa 00 02
0x0c047fff98e0: fa fa 00 07 fa fa fd fd fa fa 00 00 fa fa 00 fa
0x0c047fff98f0: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9900: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9910: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9920: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29054==ABORTING
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 24 Jun 2015 03:17:28 PM CEST
Name: xgettext-oob-heap-literalstring_parse.c
Size: 12B
By: hanno
sample file triggering out of bounds heap access
<http://savannah.gnu.org/bugs/download.php?file_id=34305>
_______________________________________________________