skystrife / cpptoml

cpptoml is a header-only library for parsing TOML

Heap buffer overflow in parser::consume_whitespace()

grievejia opened this issue · comments

Here's the input that triggers the problem:
heap_bof2.txt
Feeding it into a cpptoml-parser built from master (07a7b07) with AddressSanitizer crashes the parser:

> cat heap_bof2 | cpptoml-parser
==12673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000002f at pc 0x0000005d69e1 bp 0x7fffd176a5c0 sp 0x7fffd176a5b8
READ of size 1 at 0x60300000002f thread T0
    #0 0x5d69e0 in cpptoml::parser::consume_whitespace(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) (/home/grieve/scratch/fuzz_toml/cpptoml/build/cpptoml-parser+0x5d69e0)
    #1 0x5e40cd in cpptoml::parser::parse_single_table(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, cpptoml::table*&) (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x5e40cd)
    #2 0x5d7bbc in cpptoml::parser::parse_table(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, cpptoml::table*&) (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x5d7bbc)
    #3 0x59786c in cpptoml::parser::parse() (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x59786c)
    #4 0x58bb2a in main (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x58bb2a)
    #5 0x7f4e66b414c9 in __libc_start_main (/usr/lib/libc.so.6+0x204c9)
    #6 0x492eb9 in _start (/home/grieve/scratch/cpptoml/build/cpptoml-parser+0x492eb9)

0x60300000002f is located 0 bytes to the right of 31-byte region [0x603000000010,0x60300000002f)
allocated by thread T0 here:
    #0 0x587260 in operator new(unsigned long) /home/grieve/LLVM/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x7f4e67b3f0e9 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/basic_string.tcc:317

This is malformed input, and the expected behavior is to reject it instead of crashing.

Thanks for the report! I think the latest commit should fix this.
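The ASan report above says the 1-byte read landed 0 bytes to the right of a 31-byte std::string buffer, i.e. exactly one past the end: the classic shape of a whitespace-skipping loop that dereferences the iterator before comparing it with `end`. The following is an added example, not cpptoml's code and not the fix the maintainer refers to. It shows a bounds-first `consume_whitespace` together with a minimal `[table]` header parser built on the same rule (never look at `*it` without first establishing `it != end`), so that truncated input such as `[table` or a line of trailing spaces is rejected with a parse error instead of being read past the buffer. The function names, the `parse_error` type and the sample inputs are all assumptions made for this example.

```cpp
// Added example (not cpptoml's code): bounds-checked whitespace skipping and
// a minimal TOML-style "[table]" header parser that rejects truncated input
// instead of reading past the end of the std::string buffer.
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>

using iter = std::string::const_iterator;

// Hypothetical error type for this example.
struct parse_error : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Bug pattern matching the report: a loop of the form
//     while (*it == ' ' || *it == '\t') ++it;
// dereferences `it` before comparing it with `end`, so whitespace that runs
// to the end of the buffer makes it read one byte past the allocation
// (ASan: "0 bytes to the right of ... region").
// Safe form: test the bound first; `it` may legitimately equal `end`.
void consume_whitespace(iter& it, const iter& end) {
    while (it != end && (*it == ' ' || *it == '\t'))
        ++it;
}

// Require that at least one more byte exists before it is inspected.
char peek(const iter& it, const iter& end) {
    if (it == end)
        throw parse_error("unexpected end of input");
    return *it;
}

// Parse one table header line: optional whitespace, '[', a bare key made of
// [A-Za-z0-9_-], ']', optional whitespace, then end of input, newline or a
// '#' comment. Returns the table name; throws parse_error on malformed input.
std::string parse_table_header(const std::string& line) {
    iter it = line.begin();
    const iter end = line.end();

    consume_whitespace(it, end);
    if (peek(it, end) != '[')
        throw parse_error("expected '['");
    ++it;
    consume_whitespace(it, end);

    std::string name;
    while (it != end &&
           (std::isalnum(static_cast<unsigned char>(*it)) || *it == '_' || *it == '-'))
        name += *it++;
    if (name.empty())
        throw parse_error("expected table name");

    consume_whitespace(it, end);
    if (peek(it, end) != ']')   // rejects "[table" (truncated) instead of reading past end
        throw parse_error("expected ']'");
    ++it;

    consume_whitespace(it, end);
    if (it != end && *it != '\n' && *it != '#')
        throw parse_error("trailing garbage after table header");
    return name;
}

// Convenience wrapper: does the line parse as a table header?
bool accepts(const std::string& line) {
    try {
        parse_table_header(line);
        return true;
    } catch (const parse_error&) {
        return false;
    }
}

int main() {
    // Constructed sample inputs, including the truncated shapes that a
    // dereference-before-bounds-check loop would read past.
    const char* samples[] = {"[table]", "  [ server ]  \t", "[a] # comment",
                             "[table", "[ ", "", "[]", "[a] b"};
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> " << (accepts(s) ? "accepted" : "rejected") << '\n';
    return 0;
}
```

Compiling with `-fsanitize=address` is still worthwhile even with this shape of code: the point of the report is that the sanitizer, not a test suite, is what turned a silent one-byte over-read into a crash a fuzzer could catch.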