[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-libextractor] NULL Pointer Dereference vulneribility in libextracto

From: Leon Zhao
Subject: [bug-libextractor] NULL Pointer Dereference vulneribility in libextractor EXTRACTOR_xm_extract_method
Date: Wed, 1 Nov 2017 14:28:45 +0800

Tested Version:
libextractor v1.6

Tested System:
Linux leon-virtual-machine 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

In function EXTRACTOR_xm_extract_method at xm_extractor.c 
 73   if (sizeof (struct Header) >
 74       ec->read (ec->cls,
 75                 &data,
 76                 sizeof (struct Header)))
 77     return;
 78   head = data;
 79   /* Check "magic" id bytes */
 80   if (memcmp (head->magicid, "Extended Module: ", 17))
 81     return;
ec->read function set data to NULL.
Crash Information:
The output with address sanitizer enabled
./extract -i extract.EXTRACTOR_xm_extract_method.xm_extractor.80.crash 
Keywords for file extract.EXTRACTOR_xm_extract_method.xm_extractor.80.crash:
==24253==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f30231c2051 bp 0x7ffc95c6e700 sp 0x7ffc95c6de88 T0)
    #0 0x7f30231c2050  (/lib/x86_64-linux-gnu/libc.so.6+0x16f050)
    #1 0x7f30236f074e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7774e)
    #2 0x7f301bc86def in EXTRACTOR_xm_extract_method /root/libextractor-1.6/src/plugins/xm_extractor.c:80
    #3 0x7f30234399a1 in do_extract /root/libextractor-1.6/src/main/extractor.c:583
    #4 0x7f3023439db5 in EXTRACTOR_extract /root/libextractor-1.6/src/main/extractor.c:662
    #5 0x4044f9 in main /root/libextractor-1.6/src/main/extract.c:983
    #6 0x7f302307382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??

Zhao Liang, Huawei Weiran Labs

Attachment is POC file

Attachment: extract.EXTRACTOR_xm_extract_method.xm_extractor.80.crash
Description: Binary data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]