
Tag parsers are very fragile

Open Fuuzetsu opened this issue 6 years ago • 2 comments

The tag parsers are very easy to crash. The simplest way to replicate is to just feed JSON from one domain to the tag parser for another, and it's almost certain to crash ruiji. Unchecked uses of strstr seem to be the main cause.


#include <stdio.h>
#include <stdlib.h>
/* ruiji's own headers, which declare get_image_source_url, get_image_tags,
   print_image_tags and free_image_tags, are not included in the report. */

char* load_file(char *file_name)
{
  FILE * pFile;
  long lSize;
  char * buffer;
  size_t result;

  pFile = fopen ( file_name , "rb" );
  if (pFile==NULL) {fputs ("File error",stderr); exit (1);}

  // obtain file size:
  fseek (pFile , 0 , SEEK_END);
  lSize = ftell (pFile);
  rewind (pFile);

  // allocate memory to contain the whole file
  // (exactly lSize bytes: no room is reserved for a terminating '\0'):
  buffer = (char*) malloc (sizeof(char)*lSize);
  if (buffer == NULL) {fputs ("Memory error",stderr); exit (2);}

  // copy the file into the buffer:
  result = fread (buffer,1,lSize,pFile);
  if (result != lSize) {fputs ("Reading error",stderr); exit (3);}

  /* the whole file is now loaded in the memory buffer, but it is not
     NUL-terminated, so string functions such as strstr may read past it. */
  fclose (pFile);
  return buffer;
}

int main(int argc, char *argv[]) {
  // argv[1] is the captured page/JSON to parse (see input1.txt below)
  char *html_content = load_file(argv[1]);
  /*
  struct similar_image_llnode *image_list =
    create_image_list(html_content, 0);
  print_sim_results(image_list);
  free_similar_image_list(image_list);
  */

  // run every domain's parser over the same input, whichever site it came from
  char stop_seq = '\0';
  for (int i = 1; i <= 8; i++) {
    unsigned int domain_uuid = i;
    char *dl_url = get_image_source_url(domain_uuid, html_content, &stop_seq);
    struct image_tag_db *tags_db = get_image_tags(domain_uuid, html_content);
    printf("Tags:\n");
    print_image_tags(tags_db);
    free_image_tags(tags_db);
    free(dl_url);
  }

  free(html_content);
  return 0;
}

==12603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f3eb at pc 0x7f9d99a8de2c bp 0x7ffe9ae35130 sp 0x7ffe9ae348e0
READ of size 2412 at 0x61d00001f3eb thread T0
    #0 0x7f9d99a8de2b  (/nix/store/snc31f0alikhh3a835riyqhbsjm29vki-gcc-6.4.0-lib/lib/libasan.so.3+0x42e2b)
    #1 0x7f9d99a8e217 in __interceptor_strstr (/nix/store/snc31f0alikhh3a835riyqhbsjm29vki-gcc-6.4.0-lib/lib/libasan.so.3+0x43217)
    #2 0x4087f5 in yandere_get_image_url /home/shana/programming/ruiji/src/yandere.c:29
    #3 0x4023b8 in main /home/shana/programming/ruiji/src/ruiji.c:172
    #4 0x7f9d9945352f in __libc_start_main (/nix/store/sgjc1147vi5hd57ck9xgck5xjkydg5lz-glibc-2.25/lib/libc.so.6+0x2052f)
    #5 0x402599 in _start (/home/shana/programming/ruiji/src/ruiji+0x402599)

0x61d00001f3eb is located 0 bytes to the right of 2411-byte region [0x61d00001ea80,0x61d00001f3eb)
allocated by thread T0 here:
    #0 0x7f9d99b0c338 in __interceptor_malloc (/nix/store/snc31f0alikhh3a835riyqhbsjm29vki-gcc-6.4.0-lib/lib/libasan.so.3+0xc1338)
    #1 0x40f381 in load_file /home/shana/programming/ruiji/src/ruiji.c:147
    #2 0x402389 in main /home/shana/programming/ruiji/src/ruiji.c:161
    #3 0x7f9d9945352f in __libc_start_main (/nix/store/sgjc1147vi5hd57ck9xgck5xjkydg5lz-glibc-2.25/lib/libc.so.6+0x2052f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/nix/store/snc31f0alikhh3a835riyqhbsjm29vki-gcc-6.4.0-lib/lib/libasan.so.3+0x42e2b) 
Shadow bytes around the buggy address:
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbe70: 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12603==ABORTING

input1.txt

Fuuzetsu avatar Sep 09 '17 14:09 Fuuzetsu
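The AddressSanitizer report above shows strstr reading one byte past the region that load_file allocated, which has no terminating NUL, and the report itself blames strstr results that are used without a check. The following is an added example, not ruiji's code, showing both defensive changes: a loader that reserves and writes the terminator, and a marker-based tag extractor that checks every strstr result, so JSON from a different domain yields an error instead of a crash. Function names and the sample JSON are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not ruiji's code. Read a whole stream into a buffer that is
 * always NUL-terminated, so strstr() cannot read past the end of the data. */
char *read_whole_stream(FILE *fp)
{
    if (fseek(fp, 0, SEEK_END) != 0) return NULL;
    long size = ftell(fp);
    if (size < 0) return NULL;
    rewind(fp);
    char *buf = malloc((size_t)size + 1);   /* +1: room for the terminator */
    if (buf == NULL) return NULL;
    if (fread(buf, 1, (size_t)size, fp) != (size_t)size) { free(buf); return NULL; }
    buf[size] = '\0';
    return buf;
}
/* Copy the text between open and close into out. Returns 0 on success, -1 if
 * a marker is missing (e.g. JSON from a different site) or out is too small;
 * every strstr() result is checked before it is used. */
int extract_between(const char *hay, const char *open, const char *close,
                    char *out, size_t outsz)
{
    const char *s = strstr(hay, open);
    if (s == NULL) return -1;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (e == NULL) return -1;
    size_t n = (size_t)(e - s);
    if (n + 1 > outsz) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return 0;
}
/* Constructed sample: JSON with a "tags" field written to a tmpfile() and read
 * back through read_whole_stream(). Returns 0 and fills tags on success. */
int demo_roundtrip(char *tags, size_t tagsz)
{
    static const char json[] = "{\"id\":1,\"tags\":\"sky blue cloud\"}";
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(json, fp);
    char *buf = read_whole_stream(fp);
    fclose(fp);
    if (buf == NULL) return -1;
    int rc = strcmp(buf, json) == 0   /* terminator present, content intact */
             ? extract_between(buf, "\"tags\":\"", "\"", tags, tagsz) : -1;
    free(buf);
    return rc;
}
```

Running the same extractor over a document that uses a different field name (the cross-domain case from the report) returns -1 rather than dereferencing a NULL or reading off the end of the buffer.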

Sorry, school started so I probably won't be able to address these issues any time soon.

kamiyaa avatar Oct 01 '17 23:10 kamiyaa

There is no urgency from my side. These issues are basically for your information only.

Fuuzetsu avatar Oct 02 '17 06:10 Fuuzetsu