Description:
Paps is a UTF-8 to PostScript converter that makes use of Pango. It provides both a stand-alone command line tool and a library.
It was discovered that a crafted or empty file is able to cause a heap-based buffer overflow.
Apparently, the project has not had a release since 2007 and seems to be dead, but I just discovered that the project has silently moved to GitHub, where the PR has been sent.
The complete ASan output:
# paps $crafted.file
=================================================================
==30527==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dfaf at pc 0x0000004e122d bp 0x7ffd8f3dfe90 sp 0x7ffd8f3dfe88
READ of size 1 at 0x60200000dfaf thread T0
#0 0x4e122c in read_file /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573:7
#1 0x4e122c in main /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:493
#2 0x7fd8aff707af in __libc_start_main (/lib64/libc.so.6+0x207af)
#3 0x436968 in _start (/usr/bin/paps+0x436968)
0x60200000dfaf is located 1 bytes to the left of 4-byte region [0x60200000dfb0,0x60200000dfb4)
allocated by thread T0 here:
#0 0x4bdc75 in realloc (/usr/bin/paps+0x4bdc75)
#1 0x7fd8b111c35d in g_realloc (/usr/lib64/libglib-2.0.so.0+0x4e35d)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573 read_file
Shadow bytes around the buggy address:
0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa fa fa fa fa[fa]04 fa fa fa 00 02 fa fa 00 02
0x0c047fff9c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff9c10: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9c20: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa fd fa
0x0c047fff9c30: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00
0x0c047fff9c40: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30527==ABORTING
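The report above says a 1-byte READ landed one byte to the left of a 4-byte heap region that came from g_realloc(), while read_file() was processing an empty input. The page does not show the paps source, so the following is a constructed illustration of that bug class, not paps's code: a realloc-grown read loop followed by a "look at the last byte" check that, on zero-length input, indexes buf[len - 1] with len == 0. The struct mem_src, read_all(), last_is_newline_*() and process_input() names are all assumptions made for the example; the in-memory source stands in for a file so the code runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not paps's source): a read loop that grows a heap
 * buffer with realloc(), followed by an end-of-buffer check. With a zero-length
 * input the unguarded check reads buf[-1], one byte left of the allocation. */

/* In-memory stand-in for a file so the example runs without touching disk. */
struct mem_src {
    const char *data;
    size_t len;
    size_t off;
};

/* Copies up to `cap` bytes into `dst`, like fread(); returns 0 at end of input. */
size_t mem_read(struct mem_src *src, char *dst, size_t cap)
{
    size_t left = src->len - src->off;
    size_t n = left < cap ? left : cap;
    memcpy(dst, src->data + src->off, n);
    src->off += n;
    return n;
}

/* Reads the whole source into a NUL-terminated heap buffer grown with realloc().
 * A deliberately small chunk keeps the realloc path exercised on short input.
 * Returns NULL on allocation failure; an empty source yields a valid
 * zero-length buffer (just the terminator), never NULL. */
char *read_all(struct mem_src *src, size_t *len_out)
{
    char chunk[4];
    char *buf = NULL;
    size_t len = 0, cap = 0, n;

    while ((n = mem_read(src, chunk, sizeof chunk)) > 0) {
        if (len + n + 1 > cap) {
            size_t new_cap = cap ? cap * 2 : 8;
            char *tmp;
            while (new_cap < len + n + 1)
                new_cap *= 2;
            tmp = realloc(buf, new_cap);
            if (!tmp) {
                free(buf);
                return NULL;
            }
            buf = tmp;
            cap = new_cap;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    if (!buf) {                 /* empty input: still hand back a real buffer */
        buf = malloc(1);
        if (!buf)
            return NULL;
    }
    buf[len] = '\0';
    *len_out = len;
    return buf;
}

/* VULNERABLE pattern: "is the last byte a newline?" with no length guard.
 * For len == 0 this evaluates buf[(size_t)-1], i.e. buf[-1]: a 1-byte
 * heap-buffer-overflow read just left of the region, the shape ASan reports
 * above. Kept only for contrast; nothing in this file calls it. */
int last_is_newline_unsafe(const char *buf, size_t len)
{
    return buf[len - 1] == '\n';
}

/* Hardened form: check the length before indexing from the end. */
int last_is_newline_safe(const char *buf, size_t len)
{
    return len > 0 && buf[len - 1] == '\n';
}

/* Reads `n` bytes of input, strips one trailing newline if present, and
 * returns the resulting length, or -1 on allocation failure. */
long process_input(const char *data, size_t n)
{
    struct mem_src src = { data, n, 0 };
    size_t len;
    long result;
    char *buf = read_all(&src, &len);
    if (!buf)
        return -1;
    if (last_is_newline_safe(buf, len))
        buf[--len] = '\0';
    result = (long)len;
    free(buf);
    return result;
}

int main(void)
{
    /* Constructed inputs: the empty case is the one the report is about. */
    printf("empty        -> %ld\n", process_input("", 0));
    printf("\"abc\\n\"      -> %ld\n", process_input("abc\n", 4));
    printf("\"abcdefghij\" -> %ld\n", process_input("abcdefghij", 10));
    return 0;
}
```

Building this with -fsanitize=address and swapping last_is_newline_safe() for the unsafe variant in process_input() reproduces the same "READ of size 1 ... 1 bytes to the left of" diagnostic on the empty case, which is the check to keep in a regression test once the length guard is in place.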
Affected version:
All versions.
Fixed version:
0.6.8-r2 (in Gentoo)
Commit fix:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-text/paps/files/paps-0.6.8-fix-empty-file.patch
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was fixed by Jason A. Donenfeld of Gentoo.
Timeline:
2015-06-09: bug discovered
2015-11-17: bug reported downstream (Gentoo)
2016-07-12: fix produced downstream
2016-07-28: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.