Null pointer dereference vulnerability in the function d_trill()

Null pointer dereference vulnerability in the function d_trill() - abcm2ps-8.14.1

Bug Reports

December 18, 2018

Jason Franscisco

Null pointer dereference vulnerability in the function d_trill() - abcm2ps-8.14.1

‍December 18, 2018

CVE Number

CWE

CWE-476: NULL Pointer Dereference

Product Details

abcm2ps is a C program which converts music tunes from the ABC music notation to PostScript or SVG.

‍URL:https://github.com/leesavide/abcm2ps.git

Vulnerable Versions

8.14.1-master

Vulnerability Details

Null Pointer Dereference vulnerability is discovered in the abcm2ps (8.14.1-master). The same can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

SYNOPSIS

In function draw_sym_near() from draw.c used for drawing the symbols near the notes calls the function draw_deco_note() located at deco.c to draw the decorations tied to a note which calls function d_upstaff() on the basis of the f = dd->func ,When f values is 0x03 it goes to the function d_upstaff and when 0x05 it goes to the function d_trill() . In the function d_trill used for special cases for the long trill where de is accessing to the pointer start in the structure which is null has triggered a Null pointer dereference vulnerability while assigning the value from de->start->s to s.

Vulnerable code


if (de->start) {		/* deco start */
s = de->start->s;
x = s->x;
if (s->abc_type == ABC_T_NOTE
&& s->u.note.dc.n > 1)
x += 10;

Analysis


→  588	 		s = de->start->s;
   589	 		x = s->x;
   590	 		if (s->abc_type == ABC_T_NOTE
   591	 		 && s->u.note.dc.n > 1)
   592	 			x += 10;
   593	 //	} else {			/* end without start */
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x5555555675bf → d_trill(de=0x5555557eb610)
[#1] 0x555555569064 → draw_deco_note()
[#2] 0x555555572d43 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p  de->start
$1 = (struct deco_elt *) 0x0
gef➤  p *de
$2 = {
  next = 0x5555557eb648, 
  prev = 0x5555557eb5d8, 
  s = 0x5555557e8390, 
  start = 0x0, 
  t = 0x4, 
  staff = 0x0, 
  flags = 0x0, 
  defl = 0x0, 
  m = 0xff, 
  x = 0, 
  y = 0, 
  dy = 0, 
  val = 0
}
gef➤  i r
rax            0x0	0x0
rbx            0x5555557eb610	0x5555557eb610
rcx            0x1f	0x1f
rdx            0x38	0x38
rsi            0x1f	0x1f
rdi            0x5555557eb610	0x5555557eb610
rbp            0x5555557e8390	0x5555557e8390
rsp            0x7fffffffd640	0x7fffffffd640
r8             0x5555557be7e8	0x5555557be7e8
r9             0x5555557eb5d8	0x5555557eb5d8
r10            0x0	0x0
r11            0x5555557e8130	0x5555557e8130
r12            0x5555557b4320	0x5555557b4320
r13            0x0	0x0

Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Timeline

Vendor Disclosure: 2018-12-13

Public Disclosure:

Credit

Discovered by ACE Team - Loginsoft