Null pointer dereference vulnerability in the function d_trill() – abcm2ps-8.14.1

December 18, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL: https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

A NULL pointer dereference was discovered in abcm2ps 8.14.1 (master). It is triggered by feeding a crafted ABC file to the abcm2ps binary. When a victim opens such a file, the process crashes with a segmentation fault, so an attacker can cause a denial of service or possibly have unspecified other impact.

SYNOPSIS

draw_sym_near() in draw.c, which draws the symbols placed near the notes, calls draw_deco_note() in deco.c to draw the decorations attached to a note. draw_deco_note() dispatches on f = dd->func: when f is 0x03 it calls d_upstaff(), and when f is 0x05 it calls d_trill(), the special case for a long trill. d_trill() reads the decoration's start element through de->start and assigns de->start->s to s. For the crafted input, de->start is NULL (the trill end has no matching start element, as the `p *de` output below shows), so that assignment dereferences a NULL pointer and the process dies with SIGSEGV.

Vulnerable code (deco.c, d_trill())

if (de->start) {		/* deco start */
	s = de->start->s;
	x = s->x;
	if (s->abc_type == ABC_T_NOTE
	 && s->u.note.dc.n > 1)
		x += 10;

Note that this excerpt shows the assignment guarded by if (de->start), whereas the debugger session below stops at line 588 with de->start == 0x0. The listing starts at line 588, so the condition that let execution reach that line with a NULL start is not visible on this page; the debugger state, not the excerpt, is the record of the path the tested binary took.

Analysis

→  588	 		s = de->start->s;
    589	 		x = s->x;
    590	 		if (s->abc_type == ABC_T_NOTE
    591	 		 && s->u.note.dc.n > 1)
    592	 			x += 10;
    593	 //	} else {			/* end without start */
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x5555555675bf → d_trill(de=0x5555557eb610)
[#1] 0x555555569064 → draw_deco_note()
[#2] 0x555555572d43 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p  de->start
$1 = (struct deco_elt *) 0x0
gef➤  p *de
$2 = {
  next = 0x5555557eb648, 
  prev = 0x5555557eb5d8, 
  s = 0x5555557e8390, 
  start = 0x0, 
  t = 0x4, 
  staff = 0x0, 
  flags = 0x0, 
  defl = 0x0, 
  m = 0xff, 
  x = 0, 
  y = 0, 
  dy = 0, 
  val = 0
}
gef➤  i r
rax            0x0	0x0
rbx            0x5555557eb610	0x5555557eb610
rcx            0x1f	0x1f
rdx            0x38	0x38
rsi            0x1f	0x1f
rdi            0x5555557eb610	0x5555557eb610
rbp            0x5555557e8390	0x5555557e8390
rsp            0x7fffffffd640	0x7fffffffd640
r8             0x5555557be7e8	0x5555557be7e8
r9             0x5555557eb5d8	0x5555557eb5d8
r10            0x0	0x0
r11            0x5555557e8130	0x5555557e8130
r12            0x5555557b4320	0x5555557b4320
r13            0x0	0x0
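To make the failure mode concrete, the following is an added example written for this page; it is not abcm2ps code. It models the start-element lookup in d_trill() with a reduced deco_elt/SYMBOL pair, shows the unguarded de->start->s read beside a hardened variant that refuses to draw a trill end that has no start element, and constructs an orphan end element matching the `start = 0x0`, `t = 0x4` state in the dump above. The struct layouts, the ABC_T_NOTE value, the helper names (make_note, make_linked_end, make_orphan_end, trill_start_x_unchecked, trill_start_x_checked) and the "skip the decoration" fallback are assumptions made for the illustration; the project's own fix is not on this page.

```c
/*
 * Added example, not abcm2ps code: a reduced model of the start-element
 * lookup in d_trill(). Field names (start, s, x, abc_type, dc.n, t) follow
 * the advisory's listing and `p *de` dump; layouts, the ABC_T_NOTE value
 * and the helper names are assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdio.h>

#define ABC_T_NOTE 1            /* assumed value; only equality is used */

struct SYMBOL {
    int abc_type;               /* ABC_T_NOTE or anything else */
    float x;                    /* horizontal position on the staff */
    struct { struct { int n; } dc; } u_note;  /* stands in for u.note.dc.n */
};

struct deco_elt {
    struct deco_elt *next, *prev;
    struct SYMBOL *s;           /* symbol this decoration belongs to */
    struct deco_elt *start;     /* matching start element, NULL if none */
    int t, staff, flags, defl, m;
    float x, y, dy, val;
};

static struct SYMBOL make_note(float x, int ndeco)
{
    struct SYMBOL sym;
    sym.abc_type = ABC_T_NOTE;
    sym.x = x;
    sym.u_note.dc.n = ndeco;    /* number of decorations on the note */
    return sym;
}

/* Trill end that was paired with its start element. */
static struct deco_elt make_linked_end(struct SYMBOL *end_sym, struct deco_elt *start)
{
    struct deco_elt de = {0};
    de.s = end_sym;
    de.start = start;
    de.t = 4;                   /* t = 0x4 as in the `p *de` dump */
    return de;
}

/* Trill end whose start was never linked: the `start = 0x0` element
 * from the crash dump (constructed test data). */
static struct deco_elt make_orphan_end(struct SYMBOL *end_sym)
{
    struct deco_elt de = {0};
    de.s = end_sym;
    de.start = NULL;
    de.t = 4;
    return de;
}

/* Vulnerable shape (CWE-476): de->start is dereferenced unconditionally.
 * Calling this on make_orphan_end() output reads through address 0 and
 * faults, as at line 588 in the listing. */
static float trill_start_x_unchecked(const struct deco_elt *de)
{
    const struct SYMBOL *s = de->start->s;     /* NULL->s on crafted input */
    float x = s->x;
    if (s->abc_type == ABC_T_NOTE && s->u_note.dc.n > 1)
        x += 10;
    return x;
}

/* Hardened shape: refuse to draw a trill that has no start element.
 * Returns 1 and writes *x_out when a start exists, 0 otherwise so the
 * caller can skip the decoration (the fallback policy is an assumption). */
static int trill_start_x_checked(const struct deco_elt *de, float *x_out)
{
    if (de == NULL || de->start == NULL || de->start->s == NULL)
        return 0;                              /* end without start */
    const struct SYMBOL *s = de->start->s;
    float x = s->x;
    if (s->abc_type == ABC_T_NOTE && s->u_note.dc.n > 1)
        x += 10;
    *x_out = x;
    return 1;
}

int main(void)
{
    struct SYMBOL start_note = make_note(100.0f, 2);   /* two decorations */
    struct SYMBOL end_note = make_note(140.0f, 0);
    struct deco_elt start_de = {0};
    start_de.s = &start_note;

    struct deco_elt linked = make_linked_end(&end_note, &start_de);
    struct deco_elt orphan = make_orphan_end(&end_note);
    float x = 0.0f;

    if (trill_start_x_checked(&linked, &x))
        printf("linked trill: start x = %.1f (unchecked path gives %.1f)\n",
               x, trill_start_x_unchecked(&linked));
    if (!trill_start_x_checked(&orphan, &x))
        printf("orphan trill end: no start element, skipped instead of crashing\n");
    /* trill_start_x_unchecked(&orphan) would segfault here, like the PoC. */
    return 0;
}
```

The checked variant is deliberately shaped so the caller gets an explicit "no start" result rather than a sentinel x value; in the real code the equivalent decision is whether an end-without-start should be dropped or drawn with a default offset (the commented-out `else` branch in the listing hints at the latter), and either choice removes the crash.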

Tested environment

64-bit Ubuntu 16.04 LTS

Proof of Concept

With $POC set to the path of the crafted ABC file, the crash is reproduced with:

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13
Public Disclosure:

Credit

Discovered by ACE Team – Loginsoft