abcm2ps
Null pointer dereference in function calculate_beam().
What is the vulnerability? A null pointer dereference was discovered in abcm2ps (8.14.6-master). It can be triggered by passing a crafted abc file to the abcm2ps binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
Affected version-: 8.14.6-master
Command-: ./abcm2ps $POC
Reproducer file-: Reproducer
Synopsis-: We discovered a null pointer dereference in calculate_beam() at draw.c:341. s->ts_prev is not validated before it is dereferenced; when it is NULL, evaluating the loop condition causes a null pointer dereference.
Vulnerable code-:
    while (s->ts_prev->abc_type == ABC_T_NOTE
        && s->ts_prev->time == s->time
        && s->ts_prev->x > s1->xs)
            s = s->ts_prev;
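The following is an added illustration, not code from abcm2ps or from the fix the maintainer committed: it places a loop shaped like the one at draw.c:341 next to a version that tests s->ts_prev before dereferencing it, and walks both over a constructed chain of simultaneous notes whose earliest element has no predecessor, which is the state the crashing run reached (GDB shows s->ts_prev == 0x0). The struct SYMBOL here is a cut-down stand-in with only the fields the loop reads; its layout, the enum values and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, cut-down stand-in for abcm2ps's struct SYMBOL: only the
 * fields the loop at draw.c:341 touches. The real layout is different. */
enum { ABC_T_NOTE = 1, ABC_T_REST = 2 };

struct SYMBOL {
    struct SYMBOL *ts_prev;   /* previous symbol in time order; NULL for the first one */
    int abc_type;             /* ABC_T_NOTE, ABC_T_REST, ... */
    int time;                 /* time position of the symbol */
    float x;                  /* horizontal offset */
};

/* Unguarded walk, shaped like the loop in the report: it reads through
 * s->ts_prev before checking it, so reaching a symbol with ts_prev == NULL
 * dereferences address 0 + offsetof(abc_type), as in the Valgrind output. */
struct SYMBOL *walk_back_unguarded(struct SYMBOL *s, float xs)
{
    while (s->ts_prev->abc_type == ABC_T_NOTE
        && s->ts_prev->time == s->time
        && s->ts_prev->x > xs)
        s = s->ts_prev;
    return s;
}

/* Guarded walk: test the pointer first. && short-circuits, so the field
 * reads only happen when ts_prev is non-NULL. Illustrative fix only. */
struct SYMBOL *walk_back_guarded(struct SYMBOL *s, float xs)
{
    while (s->ts_prev
        && s->ts_prev->abc_type == ABC_T_NOTE
        && s->ts_prev->time == s->time
        && s->ts_prev->x > xs)
        s = s->ts_prev;
    return s;
}

/* Constructed input: three notes at the same time position, x = 10, 20, 30;
 * chain[0] is the earliest symbol and has no predecessor. */
static struct SYMBOL chain[3];

static void build_chain(void)
{
    for (int i = 0; i < 3; i++) {
        chain[i].ts_prev = (i == 0) ? NULL : &chain[i - 1];
        chain[i].abc_type = ABC_T_NOTE;
        chain[i].time = 100;
        chain[i].x = 10.0f * (float)(i + 1);
    }
}

/* Index in chain[] where the guarded walk, started at the last note, stops. */
int guarded_walk_index(float xs)
{
    build_chain();
    return (int)(walk_back_guarded(&chain[2], xs) - chain);
}

/* Same for the unguarded walk. Only safe when the x threshold stops the walk
 * before chain[0]; with a small xs it would read through NULL and crash. */
int unguarded_walk_index(float xs)
{
    build_chain();
    return (int)(walk_back_unguarded(&chain[2], xs) - chain);
}

int main(void)
{
    printf("guarded, xs=5:    stops at chain[%d]\n", guarded_walk_index(5.0f));
    printf("guarded, xs=15:   stops at chain[%d]\n", guarded_walk_index(15.0f));
    printf("unguarded, xs=25: stops at chain[%d]\n", unguarded_walk_index(25.0f));
    /* unguarded_walk_index(5.0f) would walk to chain[0] and then dereference
     * chain[0].ts_prev == NULL, reproducing the SIGSEGV pattern. */
    return 0;
}
```

With xs = 5 the guarded walk reaches chain[0], finds ts_prev NULL and stops cleanly; the unguarded form would fault at exactly that step. A sanitizer build (-fsanitize=address,undefined) or Valgrind, as used in the report, flags the unguarded read as an invalid access of a few bytes at a near-zero address, which is the signature to look for in fuzzing output.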
Debug-:
GDB-:
abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3: error: Cannot identify meter top
22 M:2}
^
NPD3: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3: error: Cannot identify meter top
34 M:| C
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
42 zGFG AFEF#GEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3: error: Decoration !fp! not defined
NPD3: error: Decoration !fp! not defined
NPD3: error: End of line found inside a tuplet
NPD3: error: Decoration !D,3/! not defined
NPD3: error: Decoration !26E,/! not defined
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'W'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'I'
NPD3: error: Bad character 'm'
NPD3: error: Bad character 'i'
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188
$rbx : 0x000055555593ade0 → 0x0000555555969460 → 0x0000000000000000
$rcx : 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188 → 0x00005555559823d8 → 0x0000555555982628
$rdx : 0x0
$rsp : 0x00007fffffffdc00 → 0x0000555555657e06 → <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10]
$rbp : 0x0
$rsi : 0x0
$rdi : 0xffffffff
$rip : 0x00005555555c332c → <calculate_beam+10412> cmp BYTE PTR [rbp+0x38], 0x4
$r8 : 0x0
$r9 : 0x0
$r10 : 0x00007fffffffdc90 → 0x0000000000000000
$r11 : 0x13e0
$r12 : 0x0000555555981028 → 0x0000555555981278 → 0x00005555559815f8 → 0x0000555555981848 → 0x0000555555981a98 → 0x0000555555981ce8 → 0x0000555555981f38 → 0x0000555555982188
$r13 : 0x1
$r14 : 0x1
$r15 : 0x0
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffdc00│+0x0000: 0x0000555555657e06 → <set_pitch+2662> mov rax, QWORD PTR [rsp+0x10] ← $rsp
0x00007fffffffdc08│+0x0008: 0x0000000000000000
0x00007fffffffdc10│+0x0010: 0x0000000000000004
0x00007fffffffdc18│+0x0018: 0x0000000041e89d7b
0x00007fffffffdc20│+0x0020: 0x0000007955655bba
0x00007fffffffdc28│+0x0028: 0x034a2b510999999a
0x00007fffffffdc30│+0x0030: 0x0000000000000000
0x00007fffffffdc38│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x5555555c331c <calculate_beam+10396> mov rdx, QWORD PTR [rsp]
0x5555555c3320 <calculate_beam+10400> lea rsp, [rsp+0x98]
0x5555555c3328 <calculate_beam+10408> mov rbp, QWORD PTR [rax+0x28]
→ 0x5555555c332c <calculate_beam+10412> cmp BYTE PTR [rbp+0x38], 0x4
0x5555555c3330 <calculate_beam+10416> je 0x5555555c3260 <calculate_beam+10208>
0x5555555c3336 <calculate_beam+10422> xchg ax, ax
0x5555555c3338 <calculate_beam+10424> lea rsp, [rsp-0x98]
0x5555555c3340 <calculate_beam+10432> mov QWORD PTR [rsp], rdx
0x5555555c3344 <calculate_beam+10436> mov QWORD PTR [rsp+0x8], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:draw.c+341 ────
336 b += ys;
337 } else if (!(s1->flags & ABC_F_GRACE)) { /* normal notes */
338 float stem_err, beam_h;
339
340 beam_h = BEAM_DEPTH + BEAM_SHIFT * (nflags - 1);
→ 341 while (s->ts_prev->abc_type == ABC_T_NOTE
342 && s->ts_prev->time == s->time
343 && s->ts_prev->x > s1->xs)
344 s = s->ts_prev;
345
346 for (; s && s->time <= s2->time; s = s->ts_next) {
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555c332c → calculate_beam(bm=0x7fffffffdc90, s1=0x555555981028)
[#1] 0x5555555f261a → draw_sym_near()
[#2] 0x55555567d748 → delayed_output(indent=0)
[#3] 0x55555567d748 → output_music()
[#4] 0x55555569c1a1 → generate()
[#5] 0x5555556bead1 → gen_ly(eob=0x0)
[#6] 0x5555556bead1 → do_tune()
[#7] 0x55555556a9b1 → abc_eof()
[#8] 0x55555563285d → frontend(s=0x55555597aeba "", ftype=<optimized out>, fname=<optimized out>, linenum=0x2c)
[#9] 0x5555555614c1 → treat_file(fn=<optimized out>, ext=<optimized out>)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x00005555555c332c in calculate_beam (bm=bm@entry=0x7fffffffdc90, s1=s1@entry=0x555555981028) at draw.c:341
341 while (s->ts_prev->abc_type == ABC_T_NOTE
gef➤ p s->ts_prev
$9 = (struct SYMBOL *) 0x0
gef➤ p s->ts_prev->abc_type
Cannot access memory at address 0x38
gef➤ i r
rax 0x555555981028 0x555555981028
rbx 0x55555593ade0 0x55555593ade0
rcx 0x5555559815f8 0x5555559815f8
rdx 0x0 0x0
rsi 0x0 0x0
rdi 0xffffffff 0xffffffff
rbp 0x0 0x0
rsp 0x7fffffffdc00 0x7fffffffdc00
r8 0x0 0x0
r9 0x0 0x0
r10 0x7fffffffdc90 0x7fffffffdc90
r11 0x13e0 0x13e0
r12 0x555555981028 0x555555981028
r13 0x1 0x1
r14 0x1 0x1
r15 0x0 0x0
rip 0x5555555c332c 0x5555555c332c <calculate_beam+10412>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
Valgrind-:
abcm2ps-8.14.6 (2019-11-05)
File NPD3
NPD3:22:2: error: Cannot identify meter top
22 M:2}
^
NPD3:27:69: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:27:70: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:27:71: error: Bad character
27 !fp!!3![=B,4D4F4]- [B,3/D3/F3/][B,/D/F/][B,3/D3/G3/][B,/D/A/] ([1 (2 3)}
^
NPD3:31:47: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3:31:54: error: Bad character
31 [C,,4E,,4G,,4C,4]- [C,,3/E,,3/G,,3/C,3/]!26E,/!3!D,3/!4!C,/ (!2!^F,4G,2)z...
^
NPD3:32:19: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:32:20: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:32:21: error: Bad character
32 _A,4-A,3/!2!A,/!1!),3/=F,/ E,4-dium II (WT II)
^
NPD3:34:2: error: Cannot identify meter top
34 M:| C
^
NPD3:42:11: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:54: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:55: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:56: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:57: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:58: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:59: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:42:60: error: Bad character
42 zGFG AFEFGEDE FDCD | E2c2F2c2 E2c2D2=B2 ÿÿÿ |
^
NPD3:44:31: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3:44:32: error: Bad character
44 C,2C2F,2C2 E,2C2D,2=B,2 | C,Gÿ
^
NPD3:26:4: error: Decoration !fp! not defined
NPD3:27:7: error: Decoration !fp! not defined
NPD3:27:66: error: End of line found inside a tuplet
NPD3:31:56: error: Decoration !D,3/! not defined
NPD3:31:56: error: Decoration !26E,/! not defined
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'W'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'I'
NPD3:42:2: error: Bad character 'm'
NPD3:42:2: error: Bad character 'i'
==7849== Invalid read of size 1
==7849== at 0x12006F: calculate_beam (draw.c:341)
==7849== by 0x126BA7: draw_sym_near (draw.c:4120)
==7849== by 0x13828B: delayed_output (music.c:5059)
==7849== by 0x13828B: output_music (music.c:5114)
==7849== by 0x13D9C0: generate (parse.c:1041)
==7849== by 0x13DF27: gen_ly (parse.c:1062)
==7849== by 0x143F07: do_tune (parse.c:3635)
==7849== by 0x112548: abc_eof (abcparse.c:202)
==7849== by 0x12E220: frontend (front.c:905)
==7849== by 0x110F1C: treat_file (abcm2ps.c:240)
==7849== by 0x11013B: main (abcm2ps.c:1041)
==7849== Address 0x38 is not stack'd, malloc'd or (recently) free'd
Segmentation fault
Fixed. Thanks.
This revised version will not recognize the "/" in the distribution's voices.abc file. Timm
On Feb 5, 2020, at 12:26 PM, Jean-François Moine [email protected] wrote:
Fixed. Thanks.
Indeed, I should have done more tests! Many thanks, Timm.