oss-sec mailing list archives
two heap overflows in raptor
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 7 Jun 2017 13:08:24 +0200
Hi,

raptor is a library to parse rdf data. Notably it is used by libreoffice.

I reported two heap overflows in April. The bug reports are private:
http://bugs.librdf.org/mantis/view.php?id=617
http://bugs.librdf.org/mantis/view.php?id=618

Both are fixed by the same commit:
https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1

I also informed the libreoffice security team. No new release has been made yet.

I'm pasting the content of my bug reports below, poc files attached.

----------------------

Summary
0000617: heap buffer overflow in raptor_qname_format_as_xml

Description
The attached file will cause a heap buffer overflow in raptor. Can be tested with the rapper command line tool.

This is a security bug, so I'm marking this private.

Here's a stack trace of the crash (from address sanitizer):

==24627==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000002090 at pc 0x000000529a9c bp 0x7fffc7e52060 sp 0x7fffc7e52058
WRITE of size 8 at 0x604000002090 thread T0
    #0 0x529a9b in raptor_qname_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_qname.c:666:15
    #1 0x5cb770 in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:242:9
    #2 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #3 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #4 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #5 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #6 0x7efcbd5decad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #7 0x7efcbd5ec323 (/usr/lib64/libxml2.so.2+0x4f323)
    #8 0x7efcbd5ed3ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #9 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #10 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #11 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #12 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #13 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #14 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #15 0x7efcbc4d52b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #16 0x41b919 in _start (/r/raptor/rapper+0x41b919)

------------------

Summary
0000618: heap buffer overflow in raptor_xml_writer_start_element_common

Description
The attached file will cause a heap buffer overflow and crash raptor. This was found via fuzzing with the tool american fuzzy lop.

This is a security bug, so I'm marking it private.

Here's a stack trace (from address sanitizer):

==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Attachment: raptor-heapoverflow-raptor_qname_format_as_xml.rdf
Attachment: raptor-heapoverflow-raptor_xml_writer_start_element_common.rdf
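The sizing pattern the second trace is consistent with (an 8-byte pointer written just before the next malloc chunk from raptor_xml_writer_start_element_common, and a fix titled "calculate max nspace declarations correctly"), shown as an added C model that is not raptor's code: a heap array of pointers to xmlns declarations is sized by one counting rule and filled by another, and the fix is to derive the capacity from the rule the fill step actually uses. The struct names, both counting rules and the sample element are assumptions for illustration, not the library's real logic.

```c
/* Added example, not raptor's code: a toy model of the array-sizing bug the
 * second trace above is consistent with (assumption, not the actual fix).
 * The writer collects the xmlns declarations an element needs into a heap
 * array of pointers; if capacity counts one slot per attribute but the fill
 * step also adds the element's own namespace, one 8-byte pointer lands past
 * the buffer, right before the next malloc chunk, as ASan reported. */
#include <stdlib.h>

struct qname { const char *prefix; const char *ns_uri; };   /* ns_uri NULL: none */
struct element { struct qname name; struct qname *attrs; size_t attr_count; };

/* Bounded append: refuses instead of writing past the allocated capacity. */
static int push_decl(const char **decls, size_t cap, size_t *n, const char *uri) {
    if(*n >= cap) return -1;                    /* this would be the overflow */
    decls[(*n)++] = uri;
    return 0;
}

/* Fill step, shared by both sizings: element namespace plus one per attribute
 * (a real writer would also skip namespaces already declared in scope). */
static int collect(const struct element *e, const char **decls, size_t cap, size_t *n) {
    *n = 0;
    if(e->name.ns_uri && push_decl(decls, cap, n, e->name.ns_uri)) return -1;
    for(size_t i = 0; i < e->attr_count; i++)
        if(e->attrs[i].ns_uri && push_decl(decls, cap, n, e->attrs[i].ns_uri)) return -1;
    return 0;
}

/* Assumed old sizing: one slot per attribute, forgetting the element name. */
size_t max_decls_buggy(const struct element *e) { return e->attr_count; }
/* Fixed sizing: the bound follows the fill rule, so it can never be exceeded. */
size_t max_decls_fixed(const struct element *e) { return e->attr_count + 1; }

/* Returns the number of declarations collected, or -1 where an unchecked
 * write would have overflowed the array. */
long start_element(const struct element *e, size_t (*max_decls)(const struct element *)) {
    size_t cap = max_decls(e), n = 0;
    const char **decls = calloc(cap ? cap : 1, sizeof *decls);
    if(!decls) return -1;
    int rc = collect(e, decls, cap, &n);
    free(decls);
    return rc ? -1 : (long)n;
}
/* Constructed sample: <ex:root ex:a="1" other:b="2"/> with nothing in scope. */
static struct qname sample_attrs[2] = {
    { "ex", "http://example.invalid/ex" }, { "other", "http://example.invalid/other" } };
static const struct element sample = { { "ex", "http://example.invalid/ex" }, sample_attrs, 2 };
long sample_result(int fixed) {        /* -1 with the old sizing, 3 with the fix */
    return start_element(&sample, fixed ? max_decls_fixed : max_decls_buggy);
}
```

Under ASan the unchecked original writes the third pointer into the adjacent chunk, which is the "8 bytes to the left of" a 38-byte region that the report describes; the bounded append turns the same input into an error return.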