Null pointer dereference vulnerability in the function d_trill() - abcm2ps-8.14.1
December 18, 2018
CVE Number
-
CWE
CWE-476: NULL Pointer Dereference
Product Details
abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.
URL:https://github.com/leesavide/abcm2ps.git
Vulnerable Versions
8.14.1-master
Vulnerability Details
Null Pointer Dereference vulnerability is discovered in the abcm2ps (8.14.1-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.
SYNOPSIS
In function draw_sym_near()
from draw.c
used for drawing the symbols near the notes calls the function draw_deco_note()
located at deco.c to draw the decorations tied to a note which calls function d_upstaff()
on the basis of the f = dd->func
,When f values is 0x03 it goes to the function d_upstaff and when 0x05 it goes to the function d_trill()
. In the function d_trill used for special cases for the long trill where de is accessing to the pointer start in the structure which is null has triggered a Null pointer dereference vulnerability while assigning the value from de->start->s
to s
.
Vulnerable code
Analysis
Tested environment
64-bit ubuntu 16.04 LTS
Proof of Concept
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10
Timeline
Vendor Disclosure: 2018-12-13
Public Disclosure:
Credit
Discovered by ACE Team - Loginsoft