
A heap-buffer-overflow was discovered in tidy-html5 #1161

@MaJunmj

Description

Describe:
A heap-use-after-free was discovered in tidy-html5. The issue is being triggered in function CleanNode()  at src/project/tidy-html5/src/gdoc.c:112

Reproduce:
Tested in Ubuntu 22.04
First, compile the program with AddressSanitizer:
AFL_USE_ASAN=1 CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..
Then:
./tidy -o output.html -f error.log -i -w 120 -c -b -g -n -e -q -asxhtml -access 3 -utf8 -language en /src/project/tidy-html5/build/cmake/poc/poc1 -t none

ASAN Reports:

=================================================================
==28987==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000758 at pc 0x000000501ace bp 0x7ffce9b32ad0 sp 0x7ffce9b32ac8
READ of size 8 at 0x60b000000758 thread T0
    #0 0x501acd in CleanNode /src/project/tidy-html5/src/gdoc.c:112:21
    #1 0x501acd in prvTidyCleanGoogleDocument /src/project/tidy-html5/src/gdoc.c:173:5
    #2 0x4fc971 in tidyDocCleanAndRepair /src/project/tidy-html5/src/tidylib.c:2158:9
    #3 0x4fc971 in tidyCleanAndRepair /src/project/tidy-html5/src/tidylib.c:1422:14
    #4 0x4ce22f in main /src/project/tidy-html5/console/tidy.c:2517:22
    #5 0x7f758e30e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #6 0x42041d in _start (/src/project/tidy-html5/build/cmake/tidy+0x42041d)

0x60b000000758 is located 56 bytes inside of 112-byte region [0x60b000000720,0x60b000000790)
freed by thread T0 here:
    #0 0x49b072 in free (/src/project/tidy-html5/build/cmake/tidy+0x49b072)
    #1 0x5539bd in prvTidyFreeNode /src/project/tidy-html5/src/lexer.c:1548:13

previously allocated by thread T0 here:
    #0 0x49b2dd in malloc (/src/project/tidy-html5/build/cmake/tidy+0x49b2dd)
    #1 0x5d8a82 in defaultAlloc /src/project/tidy-html5/src/alloc.c:64:45
    #2 0x52c064 in prvTidyParseHead /src/project/tidy-html5/src/parser.c:2662:20
    #3 0x51da60 in ParseHTMLWithNode /src/project/tidy-html5/src/parser.c:1077:25

SUMMARY: AddressSanitizer: heap-use-after-free /src/project/tidy-html5/src/gdoc.c:112:21 in CleanNode
Shadow bytes around the buggy address:
  0x0c167fff8090: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c167fff80a0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff80b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c167fff80c0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fd fd
  0x0c167fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c167fff80e0: fa fa fa fa fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c167fff80f0: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c167fff8100: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c167fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c167fff8120: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c167fff8130: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28987==ABORTING

Poc
Poc file is here

Fuzzer
Fuzzer is AFL++.
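Triaging a report like the one above usually means answering three questions: which project frame performed the bad access, where was the object freed, and where was it allocated. The following parser is an added example written for this page; it is not part of tidy-html5 and not the reporter's code. It takes the ASan text as input (the embedded sample is a trimmed copy of the report above), splits it into the access, free and allocation stacks, and reduces each to its first frame inside the project tree. The project root path and the choice to skip defaultAlloc as an allocator wrapper are assumptions taken from the paths and names visible in the report. It also checks whether the bug class in a report title matches what the sanitizer actually said, which the title of this issue (heap-buffer-overflow) does not.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ASan report quoted in the issue, trimmed to the
# lines the parser consumes (error header, access/free/alloc stacks, SUMMARY).
SAMPLE_REPORT = """\
==28987==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000758 at pc 0x000000501ace bp 0x7ffce9b32ad0 sp 0x7ffce9b32ac8
READ of size 8 at 0x60b000000758 thread T0
    #0 0x501acd in CleanNode /src/project/tidy-html5/src/gdoc.c:112:21
    #1 0x501acd in prvTidyCleanGoogleDocument /src/project/tidy-html5/src/gdoc.c:173:5
    #2 0x4fc971 in tidyDocCleanAndRepair /src/project/tidy-html5/src/tidylib.c:2158:9
    #3 0x4ce22f in main /src/project/tidy-html5/console/tidy.c:2517:22
    #4 0x7f758e30e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

0x60b000000758 is located 56 bytes inside of 112-byte region [0x60b000000720,0x60b000000790)
freed by thread T0 here:
    #0 0x49b072 in free (/src/project/tidy-html5/build/cmake/tidy+0x49b072)
    #1 0x5539bd in prvTidyFreeNode /src/project/tidy-html5/src/lexer.c:1548:13

previously allocated by thread T0 here:
    #0 0x49b2dd in malloc (/src/project/tidy-html5/build/cmake/tidy+0x49b2dd)
    #1 0x5d8a82 in defaultAlloc /src/project/tidy-html5/src/alloc.c:64:45
    #2 0x52c064 in prvTidyParseHead /src/project/tidy-html5/src/parser.c:2662:20

SUMMARY: AddressSanitizer: heap-use-after-free /src/project/tidy-html5/src/gdoc.c:112:21 in CleanNode
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
SRC_RE = re.compile(r"^(?P<file>[^\s():]+):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line:col" when symbolised, "(binary+offset)" otherwise

    def source_pos(self) -> Optional[Tuple[str, int]]:
        m = SRC_RE.match(self.location)
        return (m.group("file"), int(m.group("line"))) if m else None


@dataclass
class AsanReport:
    pid: int
    error_type: str
    address: str
    access: Optional[str] = None
    access_size: Optional[int] = None
    offset: Optional[int] = None        # distance of the access into the object
    region_size: Optional[int] = None   # size of the freed/allocated object
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # "access"/"free"/"alloc"


def parse_asan_report(text: str) -> Optional[AsanReport]:
    """Walk the report line by line; section headers switch which stack receives frames."""
    report: Optional[AsanReport] = None
    current: Optional[str] = None
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        if (m := ACCESS_RE.match(line)):
            report.access, report.access_size = m.group(1), int(m.group(2))
            current = "access"
        elif (m := REGION_RE.search(line)):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif "freed by thread" in line:
            current = "free"
        elif "previously allocated by thread" in line:
            current = "alloc"
        elif line.startswith("SUMMARY:"):
            current = None
        elif current and (m := FRAME_RE.match(line)):
            report.stacks.setdefault(current, []).append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_project_frame(frames: List[Frame], project_root: str, skip=()) -> Optional[Frame]:
    """First frame with a source position under project_root, skipping libc/runtime
    frames (no source position) and any named wrapper functions such as allocators."""
    for f in frames:
        pos = f.source_pos()
        if pos and pos[0].startswith(project_root) and f.function not in skip:
            return f
    return None


def triage(report: AsanReport, project_root: str, allocator_wrappers=()) -> Dict[str, Optional[str]]:
    def site(stack: str) -> Optional[str]:
        f = first_project_frame(report.stacks.get(stack, []), project_root, allocator_wrappers)
        return f"{f.function} at {f.location}" if f else None
    return {
        "error_type": report.error_type,
        "access": f"{report.access} of {report.access_size} bytes at offset {report.offset} "
                  f"in a {report.region_size}-byte object",
        "crash_site": site("access"),
        "free_site": site("free"),
        "alloc_site": site("alloc"),
    }


def title_matches_report(title: str, report: AsanReport) -> bool:
    """True when the bug class named in a report title is the one the sanitizer found."""
    return report.error_type in title


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    # "defaultAlloc" is skipped as the project's malloc wrapper (assumption from the report).
    for key, value in triage(rep, "/src/project/tidy-html5/", allocator_wrappers={"defaultAlloc"}).items():
        print(f"{key:11}: {value}")
    print("title consistent:", title_matches_report("A heap-buffer-overflow was discovered in tidy-html5", rep))
```

Running it on the sample yields CleanNode (gdoc.c:112) as the crash site, prvTidyFreeNode (lexer.c:1548) as the free site and prvTidyParseHead (parser.c:2662) as the allocation site, with the access landing 56 bytes into a 112-byte object; the title check returns False for this issue's title. The same three sites are what a maintainer needs to decide whether the node is freed too early in the lexer or referenced too late in the Google Docs cleanup pass.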
