Null pointer dereference in function calculate_beam() – abcm2ps – 1.8.2
Loginsoft-2020-1000
5 february, 2020
CVE Number
CWE
CWE – 476 : NULL Pointer Dereference
Product Details
abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format.
URL: https://github.com/leesavide/abcm2ps
Vulnerable Versions
1.8.2
Vulnerability Details
As per our research, We discovered Null pointer dereference in calculate_beam() at draw.c:341. s->ts_prev is not being validated. which can lead to a denial of service attack
SYNOPSIS
In Progress
vulnerable Source code
while (s->ts_prev->abc_type == ABC_T_NOTE
&& s->ts_prev->time == s->time
&& s->ts_prev->x > s1->xs)
s = s->ts_prev;
Analysis
DEBUG:
GDB :
Gdb:
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188
$rbx : 0x000055555593ade0 → 0x0000555555969460 → 0x0000000000000000
$rcx : 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188 → 0x00005555559823d8 → 0x0000555555982628
$rdx : 0x0
$rsp : 0x00007fffffffdc00 → 0x0000555555657e06 → mov rax, QWORD PTR [rsp+0x10]
$rbp : 0x0
$rsi : 0x0
$rdi : 0xffffffff
$rip : 0x00005555555c332c → cmp BYTE PTR [rbp+0x38], 0x4
$r8 : 0x0
$r9 : 0x0
$r10 : 0x00007fffffffdc90 → 0x0000000000000000
$r11 : 0x13e0
$r12 : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188
$r13 : 0x1
$r14 : 0x1
$r15 : 0x0
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc00│+0x0000: 0x0000555555657e06 → mov rax, QWORD PTR [rsp+0x10] ← $rsp
0x00007fffffffdc08│+0x0008: 0x0000000000000000
0x00007fffffffdc10│+0x0010: 0x0000000000000004
0x00007fffffffdc18│+0x0018: 0x0000000041e89d7b
0x00007fffffffdc20│+0x0020: 0x0000007955655bba
0x00007fffffffdc28│+0x0028: 0x034a2b510999999a
0x00007fffffffdc30│+0x0030: 0x0000000000000000
0x00007fffffffdc38│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x5555555c331c mov rdx, QWORD PTR [rsp]
0x5555555c3320 lea rsp, [rsp+0x98]
0x5555555c3328 mov rbp, QWORD PTR [rax+0x28]
→ 0x5555555c332c cmp BYTE PTR [rbp+0x38], 0x4
0x5555555c3330 je 0x5555555c3260
0x5555555c3336 xchg ax, ax
0x5555555c3338 lea rsp, [rsp-0x98]
0x5555555c3340 mov QWORD PTR [rsp], rdx
0x5555555c3344 mov QWORD PTR [rsp+0x8], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+341 ────
336 b += ys;
337 } else if (!(s1->flags & ABC_F_GRACE)) { /* normal notes */
338 float stem_err, beam_h;
339
340 beam_h = BEAM_DEPTH + BEAM_SHIFT * (nflags - 1);
→ 341 while (s->ts_prev->abc_type == ABC_T_NOTE
342 && s->ts_prev->time == s->time
343 && s->ts_prev->x > s1->xs)
344 s = s->ts_prev;
345
346 for (; s && s->time time; s = s->ts_next) {
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555c332c → calculate_beam(bm=0x7fffffffdc90, s1=0x555555981028)
[#1] 0x5555555f261a → draw_sym_near()
[#2] 0x55555567d748 → delayed_output(indent=0)
[#3] 0x55555567d748 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x55555556a9b1 → abc_eof()
[#8] 0x55555563285d → frontend(s=0x55555597aeba "", ftype=, fname=, linenum=0x2c)
[#9] 0x5555555614c1 → treat_file(fn=, ext=)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555555c332c in calculate_beam (bm=bm@entry=0x7fffffffdc90, s1=s1@entry=0x555555981028) at draw.c:341
341 while (s->ts_prev->abc_type == ABC_T_NOTE
gef➤ p s->ts_prev
$9 = (struct SYMBOL *) 0x0
gef➤ p s->ts_prev->abc_type
Cannot access memory at address 0x38
gef➤ i r
rax 0x555555981028 0x555555981028
rbx 0x55555593ade0 0x55555593ade0
rcx 0x5555559815f8 0x5555559815f8
rdx 0x0 0x0
rsi 0x0 0x0
rdi 0xffffffff 0xffffffff
rbp 0x0 0x0
rsp 0x7fffffffdc00 0x7fffffffdc00
r8 0x0 0x0
r9 0x0 0x0
r10 0x7fffffffdc90 0x7fffffffdc90
r11 0x13e0 0x13e0
r12 0x555555981028 0x555555981028
r13 0x1 0x1
r14 0x1 0x1
r15 0x0 0x0
rip 0x5555555c332c 0x5555555c332c
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
Valgrind:
abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3:22:2: error: Cannot identify meter top
22 M:2}
^
NPD3:27:69: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:27:70: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:27:71: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:31:47: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3:31:54: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3:32:19: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:32:20: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:32:21: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:34:2: error: Cannot identify meter top
34 M:| C
^
NPD3:42:11: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:54: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:55: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:56: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:57: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:58: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:59: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:60: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:44:31: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3:44:32: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3:26:4: error: Decoration !fp! not defined
NPD3:27:7: error: Decoration !fp! not defined
NPD3:27:66: error: End of line found inside a tuplet
NPD3:31:56: error: Decoration !D,3/! not defined
NPD3:31:56: error: Decoration !26E,/! not defined
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'W'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'm'
NPD3:42:2: error: Bad character 'i'
==7849== Invalid read of size 1
==7849== at 0x12006F: calculate_beam (draw.c:341)
==7849== by 0x126BA7: draw_sym_near (draw.c:4120)
==7849== by 0x13828B: delayed_output (music.c:5059)
==7849== by 0x13828B: output_music (music.c:5114)
==7849== by 0x13D9C0: generate (parse.c:1041)
==7849== by 0x13DF27: gen_ly (parse.c:1062)
==7849== by 0x143F07: do_tune (parse.c:3635)
==7849== by 0x112548: abc_eof (abcparse.c:202)
==7849== by 0x12E220: frontend (front.c:905)
==7849== by 0x110F1C: treat_file (abcm2ps.c:240)
==7849== by 0x11013B: main (abcm2ps.c:1041)
==7849== Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
Proof of Concept
./abcm2ps $POC
Vendor Disclosure: 2020-2-04
Public Disclosure: 2020-2-05
Credit
Discovered by ACE Team – Loginsoft