
Null dereference in print_odf_element function

Open danielpyon opened this issue 2 years ago • 0 comments

Problem Description

Note: I am aware that this project is unmaintained. However, I am still opening this issue to follow CVE's guidelines for EOL software.

There is a null dereference in the print_odf_element function when the parser handles a specially crafted Markdown file. This could be used to perform a denial-of-service attack.

Here is a minimized proof-of-concept Markdown file that triggers the bug: min_null_deref_print_odf_element.md.

The output is as follows:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==761952==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005db3b7 bp 0x000000000014 sp 0x7fffffffe030 T0)
==761952==The signal is caused by a READ memory access.
==761952==Hint: address points to the zero page.
    #0 0x5db3b7 in print_odf_element /home/sanic/peg-markdown/markdown_output.c:1072:42
    #1 0x5dac3a in print_odf_element_list /home/sanic/peg-markdown/markdown_output.c:892:9
    #2 0x5dac3a in print_odf_element /home/sanic/peg-markdown/markdown_output.c:1054:9
    #3 0x5d4c0a in print_odf_element_list /home/sanic/peg-markdown/markdown_output.c:892:9
    #4 0x5d4c0a in print_element_list /home/sanic/peg-markdown/markdown_output.c:1146:26
    #5 0x5dca53 in markdown_to_g_string /home/sanic/peg-markdown/markdown_lib.c:163:5
    #6 0x5dce84 in markdown_to_string /home/sanic/peg-markdown/markdown_lib.c:175:11
    #7 0x4c4d06 in main /home/sanic/peg-markdown/markdown.c:180:11
    #8 0x7ffff7b25082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c50d in _start (/home/sanic/peg-markdown/markdown+0x41c50d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sanic/peg-markdown/markdown_output.c:1072:42 in print_odf_element
==761952==ABORTING

Reproduction Steps

  1. Compile the project using ASAN (Address Sanitizer). For example, CC=afl-clang-fast AFL_USE_ASAN=1 make.
  2. Run ./markdown --to=odf min_null_deref_print_odf_element.md (use the proof-of-concept file attached to this report).
  3. Observe the null dereference in the output.

danielpyon Aug 22 '23 21:08
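Added example, not part of danielpyon's report or of peg-markdown itself: a Python triage helper for AddressSanitizer reports like the one above. It parses the ERROR line, the access direction and the first stack, flags a SEGV whose faulting address lies in the zero page as a NULL-based dereference, and buckets a batch of reports (as an AFL_USE_ASAN=1 fuzzing run produces) by the top in-project frames so duplicates of the same crash collapse into one bug. The embedded sample is the report quoted in this issue; the project root path, the bucketing depth and the 4096-byte zero page are assumptions.

```python
"""Triage AddressSanitizer crash logs: parse the report and bucket crashes by
their top in-project stack frames. Added example, not peg-markdown code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ASan report quoted in this issue, verbatim.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==761952==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005db3b7 bp 0x000000000014 sp 0x7fffffffe030 T0)
==761952==The signal is caused by a READ memory access.
==761952==Hint: address points to the zero page.
    #0 0x5db3b7 in print_odf_element /home/sanic/peg-markdown/markdown_output.c:1072:42
    #1 0x5dac3a in print_odf_element_list /home/sanic/peg-markdown/markdown_output.c:892:9
    #2 0x5dac3a in print_odf_element /home/sanic/peg-markdown/markdown_output.c:1054:9
    #3 0x5d4c0a in print_odf_element_list /home/sanic/peg-markdown/markdown_output.c:892:9
    #4 0x5d4c0a in print_element_list /home/sanic/peg-markdown/markdown_output.c:1146:26
    #5 0x5dca53 in markdown_to_g_string /home/sanic/peg-markdown/markdown_lib.c:163:5
    #6 0x5dce84 in markdown_to_string /home/sanic/peg-markdown/markdown_lib.c:175:11
    #7 0x4c4d06 in main /home/sanic/peg-markdown/markdown.c:180:11
    #8 0x7ffff7b25082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c50d in _start (/home/sanic/peg-markdown/markdown+0x41c50d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sanic/peg-markdown/markdown_output.c:1072:42 in print_odf_element
==761952==ABORTING
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
LOC_RE = re.compile(r"^(.+?):(\d+)(?::(\d+))?$")  # file:line[:col]


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    file: str            # source path, or the raw "(binary+offset)" text when unsymbolized
    line: Optional[int]  # None when no source location was resolved
    col: Optional[int]


@dataclass
class AsanReport:
    kind: str                 # e.g. "SEGV", "heap-buffer-overflow"
    address: Optional[int]    # faulting address, if the ERROR line names one
    access: Optional[str]     # "READ" / "WRITE" if stated
    frames: List[Frame]       # first stack only, innermost frame first


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    idx, func, loc = m.groups()
    lm = LOC_RE.match(loc)
    if lm:
        col = int(lm.group(3)) if lm.group(3) else None
        return Frame(int(idx), func, lm.group(1), int(lm.group(2)), col)
    return Frame(int(idx), func, loc, None, None)


def parse_report(text: str) -> AsanReport:
    kind = address = access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        em = ERROR_RE.search(line)
        if em and kind is None:
            kind = em.group(1)
            address = int(em.group(2), 16) if em.group(2) else None
            continue
        if access is None and ("caused by a" in line or "of size" in line):
            am = ACCESS_RE.search(line)
            if am:
                access = am.group(1)
        fr = parse_frame(line)
        # Keep only the first, contiguous stack (#0, #1, ...); later stacks
        # (allocation/free sites) restart at #0 and are ignored here.
        if fr is not None and ((not frames and fr.index == 0)
                               or (frames and fr.index == frames[-1].index + 1)):
            frames.append(fr)
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanReport(kind, address, access, frames)


def is_null_deref(report: AsanReport, page_size: int = 4096) -> bool:
    """SEGV at an address inside the (assumed 4 KiB) zero page: a NULL-based dereference."""
    return report.kind == "SEGV" and report.address is not None and report.address < page_size


def crash_signature(report: AsanReport, project_root: str, depth: int = 3) -> tuple:
    """Top `depth` frames that resolve to source under project_root, as 'func:file:line'.
    Pids, addresses and columns are dropped so reruns and ASLR do not split buckets."""
    root = project_root.rstrip("/") + "/"
    sig = []
    for f in report.frames:
        if f.line is None or not f.file.startswith(root):
            continue  # skip libc, unsymbolized and out-of-tree frames
        sig.append(f"{f.func}:{f.file[len(root):]}:{f.line}")
        if len(sig) == depth:
            break
    return tuple(sig)


def bucket_reports(reports, project_root: str, depth: int = 3) -> Counter:
    """Count reports per (kind, signature): one bucket per distinct crash site."""
    counts: Counter = Counter()
    for text in reports:
        r = parse_report(text)
        counts[(r.kind, crash_signature(r, project_root, depth))] += 1
    return counts
```

Feed it the ASan output of every file in AFL's crashes/ directory and read the bucket keys: a key like `("SEGV", ("print_odf_element:markdown_output.c:1072", ...))` with `is_null_deref` true is a NULL read to confirm under a debugger, whereas a `heap-buffer-overflow` or a WRITE in the same function is a different, higher-severity bug that deserves its own report.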