Closed
Description
Hello,
While fuzzing HTMLDOC with AFL in the context of a project at my university, an input was found for which HTMLDOC crashes. The problem may be reproduced by running ./htmldoc crash.html -f out.ps using the HTML file contained in crash.zip.
GDB stacktrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6053c6a in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) where
#0 0x00007ffff6053c6a in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x0000555555579b30 in parse_comment (t=t@entry=0x555555ca3d50, left=left@entry=0x7fffffffd680,
right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c,
x=x@entry=0x7fffffffd678, y=0x7fffffffd67c, page=0x7fffffffd690, para=0x555555ca2860, needspace=1)
at ps-pdf.cxx:7430
#2 0x000055555558457c in parse_doc (t=0x555555ca3d50, left=left@entry=0x7fffffffd680,
right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c,
x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
needspace=<optimized out>) at ps-pdf.cxx:4470
#3 0x0000555555583070 in parse_doc (t=0x555555ca30d0, left=left@entry=0x7fffffffd680,
right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c,
x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
needspace=<optimized out>) at ps-pdf.cxx:4092
#4 0x0000555555583070 in parse_doc (t=0x555555ca2ae0, left=left@entry=0x7fffffffd680,
right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c,
x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
needspace=<optimized out>) at ps-pdf.cxx:4092
#5 0x0000555555583070 in parse_doc (t=t@entry=0x555555ca19b0, left=left@entry=0x7fffffffd680,
right=right@entry=0x7fffffffd684, bottom=bottom@entry=0x7fffffffd688, top=top@entry=0x7fffffffd68c,
x=x@entry=0x7fffffffd678, y=<optimized out>, page=<optimized out>, cpara=<optimized out>,
needspace=<optimized out>) at ps-pdf.cxx:4092
#6 0x000055555558a45c in pspdf_export (document=0x555555ca19b0, toc=0x555555cac090) at ps-pdf.cxx:803
#7 0x000055555556077e in main (argc=<optimized out>, argv=<optimized out>) at htmldoc.cxx:1291
Compiled with gcc-10 (Ubuntu 10.3.0-1ubuntu1~18.04~1) 10.3.0 and g++-10 (Ubuntu 10.3.0-1ubuntu1~18.04~1) 10.3.0. System information:
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
I think the crash is caused by a NULL pointer dereference. The code at the line reads:
if (para != NULL && para->child != NULL && para->child->next == NULL &&
    para->child->child == NULL && para->child->markup == MARKUP_NONE &&
    strcmp((const char *)para->child->data, " ") == 0)
{
  // Remove paragraph consisting solely of whitespace...
  htmlDeleteTree(para->child);
  para->child = para->last_child = NULL;
}
para->child->data is apparently NULL.
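Added example (not the reporter's code nor HTMLDOC's own source): a reduced model of HTMLDOC's tree_t with the reported predicate beside a hardened version that tests para->child->data before handing it to strcmp(), evaluated on a constructed paragraph whose text node carries NULL data. The struct layout and the eval_on_para helper are assumptions made for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model of HTMLDOC's tree_t for this example: only the fields the
 * whitespace-paragraph check in parse_comment() touches. */
typedef enum { MARKUP_NONE = 0, MARKUP_P } markup_t;

typedef struct tree_s {
    markup_t       markup;
    unsigned char *data;   /* text of a MARKUP_NONE node; may be NULL */
    struct tree_s *child, *last_child, *next;
} tree_t;

/* Predicate as in the reported snippet: para->child->data goes to strcmp()
 * unchecked, so a text node with NULL data faults inside libc (frame #0). */
static int blank_para_unchecked(const tree_t *para)
{
    return para != NULL && para->child != NULL && para->child->next == NULL &&
           para->child->child == NULL && para->child->markup == MARKUP_NONE &&
           strcmp((const char *)para->child->data, " ") == 0;
}

/* Hardened predicate: a NULL data pointer short-circuits the chain, so the
 * node is left alone instead of being dereferenced. */
static int blank_para_checked(const tree_t *para)
{
    return para != NULL && para->child != NULL && para->child->next == NULL &&
           para->child->child == NULL && para->child->markup == MARKUP_NONE &&
           para->child->data != NULL &&
           strcmp((const char *)para->child->data, " ") == 0;
}

/* Build a constructed <p> holding one text node whose data is `text`
 * (NULL models the fuzzer-found input) and evaluate `pred` on it. */
static int eval_on_para(int (*pred)(const tree_t *), const char *text)
{
    tree_t t = { MARKUP_NONE, (unsigned char *)text, NULL, NULL, NULL };
    tree_t p = { MARKUP_P, NULL, &t, &t, NULL };
    return pred(&p);
}

int main(void)
{
    printf("checked,   \" \": %d\n", eval_on_para(blank_para_checked, " "));
    printf("checked,   NULL: %d\n", eval_on_para(blank_para_checked, NULL));
    printf("unchecked, \" \": %d\n", eval_on_para(blank_para_unchecked, " "));
    /* eval_on_para(blank_para_unchecked, NULL) would reproduce the SIGSEGV. */
    return 0;
}
```

Both predicates agree on well-formed input; they differ only on the NULL-data node, where the checked one returns 0 and the unchecked one dereferences NULL.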