Null pointer dereference in function calculate_beam() – abcm2ps – 1.8.2
Loginsoft-2020-1000
5 February 2020
CVE Number
CWE
CWE – 476 : NULL Pointer Dereference
Product Details
abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format.
URL: https://github.com/leesavide/abcm2ps
Vulnerable Versions
1.8.2
Vulnerability Details
As per our research, we discovered a NULL pointer dereference in calculate_beam() at draw.c:341: s->ts_prev is not validated before it is dereferenced in the loop condition. The debugger and Valgrind output below show s->ts_prev is NULL at the crash, so the read of its abc_type field faults at address 0x38 (SIGSEGV), which can lead to a denial of service (application crash) on a crafted input file; checking s->ts_prev for NULL before the loop condition would avoid the crash.
SYNOPSIS
In Progress
Vulnerable source code
while (s->ts_prev->abc_type == ABC_T_NOTE && s->ts_prev->time == s->time && s->ts_prev->x > s1->xs) s = s->ts_prev;
Analysis
DEBUG:
GDB :
Gdb: [ Legend: Modified register | Code | Heap | Stack | String ] ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── $rax : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188 $rbx : 0x000055555593ade0 → 0x0000555555969460 → 0x0000000000000000 $rcx : 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188 → 0x00005555559823d8 → 0x0000555555982628 $rdx : 0x0 $rsp : 0x00007fffffffdc00 → 0x0000555555657e06 → mov rax, QWORD PTR [rsp+0x10] $rbp : 0x0 $rsi : 0x0 $rdi : 0xffffffff $rip : 0x00005555555c332c → cmp BYTE PTR [rbp+0x38], 0x4 $r8 : 0x0 $r9 : 0x0 $r10 : 0x00007fffffffdc90 → 0x0000000000000000 $r11 : 0x13e0 $r12 : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188 $r13 : 0x1 $r14 : 0x1 $r15 : 0x0 $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification] $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── 0x00007fffffffdc00│+0x0000: 0x0000555555657e06 → mov rax, QWORD PTR [rsp+0x10] ← $rsp 0x00007fffffffdc08│+0x0008: 0x0000000000000000 0x00007fffffffdc10│+0x0010: 0x0000000000000004 0x00007fffffffdc18│+0x0018: 0x0000000041e89d7b 0x00007fffffffdc20│+0x0020: 0x0000007955655bba 0x00007fffffffdc28│+0x0028: 0x034a2b510999999a 0x00007fffffffdc30│+0x0030: 0x0000000000000000 0x00007fffffffdc38│+0x0038: 0x0000000000000000 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ──── 0x5555555c331c mov rdx, QWORD PTR [rsp] 0x5555555c3320 lea rsp, [rsp+0x98] 0x5555555c3328 mov rbp, QWORD PTR [rax+0x28] → 0x5555555c332c cmp BYTE PTR [rbp+0x38], 0x4 0x5555555c3330 je 0x5555555c3260 0x5555555c3336 xchg ax, ax 0x5555555c3338 lea rsp, [rsp-0x98] 0x5555555c3340 mov QWORD PTR [rsp], rdx 0x5555555c3344 mov QWORD PTR [rsp+0x8], rcx ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+341 ──── 336 b += ys; 337 } else if (!(s1->flags & ABC_F_GRACE)) { /* normal notes */ 338 float stem_err, beam_h; 339 340 beam_h = BEAM_DEPTH + BEAM_SHIFT * (nflags - 1); → 341 while (s->ts_prev->abc_type == ABC_T_NOTE 342 && s->ts_prev->time == s->time 343 && s->ts_prev->x > s1->xs) 344 s = s->ts_prev; 345 346 for (; s && s->time time; s = s->ts_next) { ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── [#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── [#0] 0x5555555c332c → calculate_beam(bm=0x7fffffffdc90, s1=0x555555981028) [#1] 0x5555555f261a → draw_sym_near() [#2] 0x55555567d748 → delayed_output(indent=0) [#3] 0x55555567d748 → output_music() [#4] 0x55555569c1a1 → generate() [#5] 0x5555556bead1 → gen_ly(eob=0x0) [#6] 0x5555556bead1 → do_tune() [#7] 0x55555556a9b1 → abc_eof() [#8] 0x55555563285d → frontend(s=0x55555597aeba "", ftype=, fname=, linenum=0x2c) [#9] 0x5555555614c1 → treat_file(fn=, ext=) 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x00005555555c332c in calculate_beam (bm=bm@entry=0x7fffffffdc90, s1=s1@entry=0x555555981028) at draw.c:341 341 while (s->ts_prev->abc_type == ABC_T_NOTE gef➤ p s->ts_prev $9 = (struct SYMBOL *) 0x0 gef➤ p s->ts_prev->abc_type Cannot access memory at address 0x38 gef➤ i r rax 0x555555981028 0x555555981028 rbx 0x55555593ade0 0x55555593ade0 rcx 0x5555559815f8 0x5555559815f8 rdx 0x0 0x0 rsi 0x0 0x0 rdi 0xffffffff 0xffffffff rbp 0x0 0x0 rsp 0x7fffffffdc00 0x7fffffffdc00 r8 0x0 0x0 r9 0x0 0x0 r10 0x7fffffffdc90 0x7fffffffdc90 r11 0x13e0 0x13e0 r12 0x555555981028 0x555555981028 r13 0x1 0x1 r14 0x1 0x1 r15 0x0 0x0 rip 0x5555555c332c 0x5555555c332c eflags 0x10246 [ PF ZF IF RF ] cs 0x33 0x33 ss 0x2b 0x2b ds 0x0 0x0 es 0x0 0x0 fs 0x0 0x0 gs 0x0 0x0
Valgrind: abcm2ps-8.14.6 (2019-11-05) File NPD3 NPD3:22:2: error: Cannot identify meter top 22 M:2} ^ NPD3:27:69: error: Bad character 27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)} ^ NPD3:27:70: error: Bad character 27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)} ^ NPD3:27:71: error: Bad character 27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)} ^ NPD3:31:47: error: Bad character 31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z... ^ NPD3:31:54: error: Bad character 31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z... ^ NPD3:32:19: error: Bad character 32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II) ^ NPD3:32:20: error: Bad character 32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II) ^ NPD3:32:21: error: Bad character 32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II) ^ NPD3:34:2: error: Cannot identify meter top 34 M:| C ^ NPD3:42:11: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:54: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:55: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:56: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:57: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:58: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:59: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:42:60: error: Bad character 42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ | ^ NPD3:44:31: error: Bad character 44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ ^ NPD3:44:32: error: Bad character 44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ ^ NPD3:26:4: error: Decoration !fp! not defined NPD3:27:7: error: Decoration !fp! not defined NPD3:27:66: error: End of line found inside a tuplet NPD3:31:56: error: Decoration !D,3/! 
not defined NPD3:31:56: error: Decoration !26E,/! not defined NPD3:42:2: error: Bad character 'I' NPD3:42:2: error: Bad character 'I' NPD3:42:2: error: Bad character 'W' NPD3:42:2: error: Bad character 'I' NPD3:42:2: error: Bad character 'I' NPD3:42:2: error: Bad character 'm' NPD3:42:2: error: Bad character 'i' ==7849== Invalid read of size 1 ==7849== at 0x12006F: calculate_beam (draw.c:341) ==7849== by 0x126BA7: draw_sym_near (draw.c:4120) ==7849== by 0x13828B: delayed_output (music.c:5059) ==7849== by 0x13828B: output_music (music.c:5114) ==7849== by 0x13D9C0: generate (parse.c:1041) ==7849== by 0x13DF27: gen_ly (parse.c:1062) ==7849== by 0x143F07: do_tune (parse.c:3635) ==7849== by 0x112548: abc_eof (abcparse.c:202) ==7849== by 0x12E220: frontend (front.c:905) ==7849== by 0x110F1C: treat_file (abcm2ps.c:240) ==7849== by 0x11013B: main (abcm2ps.c:1041) ==7849== Address 0x38 is not stack'd, malloc'd or (recently) free'd Segmentation fault
Proof of Concept
./abcm2ps $POC
Vendor Disclosure: 2020-2-04
Public Disclosure: 2020-2-05
Credit
Discovered by ACE Team – Loginsoft