
Heap-Out-Of-Bound-Read in MarisaDict::NewFromFile()

Open morningbread opened this issue 9 months ago • 0 comments

Hi, I found a heap out-of-bounds read vulnerability in MarisaDict::NewFromFile().

I put the PoC in the attachment; reproduce it like this (compile opencc_dict with AddressSanitizer):

./opencc_dict -i poc -o tmp -f ocd2 -t text

Then ASAN catches the error:

==267900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b8 at pc 0x7fe6ae3e795c bp 0x7ffcefe73630 sp 0x7ffcefe73628
READ of size 8 at 0x6020000001b8 thread T0
    #0 0x7fe6ae3e795b in marisa::grimoire::vector::BitVector::select1(unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/vector/bit-vector.cc:509:38
    #1 0x7fe6ae38c3e6 in marisa::grimoire::trie::LoudsTrie::restore_(marisa::Agent&, unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:747:22
    #2 0x7fe6ae3770de in marisa::grimoire::trie::LoudsTrie::restore(marisa::Agent&, unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:696:17
    #3 0x7fe6ae3770de in marisa::grimoire::trie::LoudsTrie::predictive_search(marisa::Agent&) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:182:9
    #4 0x7fe6ae302d4c in opencc::MarisaDict::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/MarisaDict.cpp:115:34
    #5 0x7fe6ae2d9854 in bool opencc::SerializableDict::TryLoadFromFile<opencc::MarisaDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::shared_ptr<opencc::MarisaDict>*) /home/coco/work/OpenCC/src/SerializableDict.hpp:62:40
    #6 0x7fe6ae2ee7af in std::shared_ptr<opencc::MarisaDict> opencc::SerializableDict::NewFromFile<opencc::MarisaDict>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/SerializableDict.hpp:71:10
    #7 0x7fe6ae2ee7af in LoadDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:38:12
    #8 0x7fe6ae2ef0f4 in opencc::ConvertDictionary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/coco/work/OpenCC/src/DictConverter.cpp:65:22
    #9 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
    #10 0x7fe6add33082 in __libc_start_main /build/glibc-5hggjy/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41e81d in _start (/home/coco/work/OpenCC/build/rel/src/tools/opencc_dict+0x41e81d)

poc.zip

morningbread, Sep 26 '23 11:09
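As an added triage aid (not part of this issue, OpenCC, or marisa-trie), the following Python script parses a sanitizer report like the one above into structured fields and locates the first stack frame in project code rather than in the vendored dependency, which is where a maintainer would start reading (here MarisaDict.cpp:115, the caller of marisa's predictive_search). The embedded sample is a trimmed copy of the report in this issue; the project root and the `deps` directory name are taken from the paths in that report, and a `vendored_dirs` parameter is an assumption of this script, not an OpenCC convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the sanitizer output from this issue
# (frames #5-#8 and #10 omitted). Paths are the reporter's build paths.
ASAN_REPORT = """\
==267900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001b8 at pc 0x7fe6ae3e795c bp 0x7ffcefe73630 sp 0x7ffcefe73628
READ of size 8 at 0x6020000001b8 thread T0
    #0 0x7fe6ae3e795b in marisa::grimoire::vector::BitVector::select1(unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/vector/bit-vector.cc:509:38
    #1 0x7fe6ae38c3e6 in marisa::grimoire::trie::LoudsTrie::restore_(marisa::Agent&, unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:747:22
    #2 0x7fe6ae3770de in marisa::grimoire::trie::LoudsTrie::restore(marisa::Agent&, unsigned long) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:696:17
    #3 0x7fe6ae3770de in marisa::grimoire::trie::LoudsTrie::predictive_search(marisa::Agent&) const /home/coco/work/OpenCC/deps/marisa-0.2.6/lib/marisa/grimoire/trie/louds-trie.cc:182:9
    #4 0x7fe6ae302d4c in opencc::MarisaDict::NewFromFile(_IO_FILE*) /home/coco/work/OpenCC/src/MarisaDict.cpp:115:34
    #9 0x4db5cf in main /home/coco/work/OpenCC/src/tools/DictConverter.cpp:48:5
    #11 0x41e81d in _start (/home/coco/work/OpenCC/build/rel/src/tools/opencc_dict+0x41e81d)
"""
PROJECT_ROOT = "/home/coco/work/OpenCC"  # taken from the report's paths

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
# "#N 0xADDR in <function> <path>:<line>[:<col>]"; the path contains no spaces or colons,
# so the non-greedy function group can safely swallow "::" and "(...)" in C++ symbols.
FRAME_SRC_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (.+?) ([^\s:]+):(\d+)(?::(\d+))?$")
# "#N 0xADDR in <symbol> (<module>+0xOFF)" for frames without source information.
FRAME_BIN_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \((\S+)\)$")


@dataclass
class Frame:
    index: int
    function: str
    path: Optional[str] = None
    line: Optional[int] = None
    column: Optional[int] = None
    module: Optional[str] = None  # binary+offset when no source info is available


@dataclass
class AsanReport:
    pid: int
    kind: str          # e.g. heap-buffer-overflow
    address: str
    access: Optional[str] = None   # READ / WRITE
    size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)


def _parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_SRC_RE.match(line)
    if m:
        col = int(m.group(5)) if m.group(5) else None
        return Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4)), col)
    m = FRAME_BIN_RE.match(line)
    if m:
        return Frame(int(m.group(1)), m.group(2), module=m.group(3))
    return None


def parse_asan_report(text: str) -> AsanReport:
    """Extract the error kind, the faulting access and the first stack trace."""
    report: Optional[AsanReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
            continue
        if report is None:
            continue  # anything before the ERROR line is program output, not the report
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        frame = _parse_frame(line)
        if frame is not None:
            report.frames.append(frame)
        elif report.frames:
            break  # first stack done; later stacks ("allocated by ...") are not needed here
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def first_project_frame(report: AsanReport, project_root: str,
                        vendored_dirs=("deps",)) -> Optional[Frame]:
    """First frame whose source file is under project_root but not in a vendored directory."""
    root = project_root.rstrip("/") + "/"
    for fr in report.frames:
        if fr.path and fr.path.startswith(root):
            top = fr.path[len(root):].split("/", 1)[0]
            if top not in vendored_dirs:
                return fr
    return None


def summarize(report: AsanReport, project_root: str) -> dict:
    pf = first_project_frame(report, project_root)
    return {
        "kind": report.kind,
        "access": f"{report.access} of size {report.size}" if report.access else None,
        "crash_site": report.frames[0].function if report.frames else None,
        "project_frame": f"{pf.path}:{pf.line} ({pf.function})" if pf else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_asan_report(ASAN_REPORT), PROJECT_ROOT).items():
        print(f"{key}: {value}")
```

Running the script on the sample prints the error kind, the 8-byte read, the crash site inside marisa's BitVector::select1, and the project frame at src/MarisaDict.cpp:115; the same functions accept any sanitizer report piped in from a fuzzing run, and the vendored-directory filter is what keeps the triage pointed at the loader that accepted the file rather than the library that faulted on it.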