Buffer overflow on axohelp
Semmle Security Reports
security-reports at semmle.com
Thu Jul 18 15:09:03 CEST 2019
Dear tex-live team,
I would like to report a security vulnerability in your axohelp tool.
There is a buffer overflow in the way axohelp handles .ax1 files.
In the DoOneObject function, an unchecked sprintf is used, which can lead to
memory corruption.
    /* Excerpt from axohelp.c; outpos, outputbuffer, TERMCHAR and SetDefaults()
       are defined elsewhere in that file. */
    int DoOneObject(char *cinput)
    {
        int num, i, num1, num2;
        char *s, *t, *StartClean;
        double *argbuf = 0;

        SetDefaults();
        s = cinput; while ( *s != '[' ) s++;
        s++; t = s; while ( *t != ']' ) t++;
        *t++ = 0; while ( *t == ' ' || *t == '\t' || *t == '\n' ) t++;
        outpos = outputbuffer;
        /* [1] unbounded sprintf: s (object name) and t (object body) come
           straight from the input file, and outputbuffer has a fixed size */
        outpos += sprintf(outpos,"\\axo@setObject{%s}%%\n{%s%c}%%\n{",s,t,TERMCHAR);
        if ( *s == '0' && s[1] == ']' ) {
        /* remainder of the function omitted in this report */
If a line larger than the size of outputbuffer (1000000 bytes) is passed in,
the overflow happens. I have attached a compressed example file so you can
test it yourself:
    $ axohelp POC.ax1
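The check a fix needs, shown as an added example that is not axohelp's own code: the same "[name] body" parsing as DoOneObject, but writing with snprintf and refusing input that would not fit. The buffer size, the TERMCHAR value and the function names here are assumptions, scaled down so the overflow case is easy to exercise.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical scaled-down stand-in for axohelp's fixed-size outputbuffer.
 * The real buffer is 1000000 bytes; a small size makes the check easy to hit. */
#define OUTBUF_SIZE 64
#define TERMCHAR '\001'   /* placeholder; the real constant lives in axohelp.c */

static char outputbuffer[OUTBUF_SIZE];

/* Bounded replacement for the unchecked sprintf in DoOneObject.
 * Returns the number of bytes written, or -1 if the formatted object would
 * not fit (the case in which the unchecked version overwrites memory). */
int format_object_checked(char *outpos, size_t avail,
                          const char *name, const char *body)
{
    int n = snprintf(outpos, avail, "\\axo@setObject{%s}%%\n{%s%c}%%\n{",
                     name, body, TERMCHAR);
    if (n < 0 || (size_t)n >= avail) {
        /* snprintf reports the length it wanted; >= avail means truncated */
        return -1;
    }
    return n;
}

/* Parse "[name] body" the way DoOneObject does, but never read past the end
 * of the input or write past the end of outputbuffer.
 * Returns bytes written, or -1 on malformed or oversized input. */
int do_one_object_checked(const char *cinput)
{
    const char *s = strchr(cinput, '[');   /* original loops without a bound */
    if (!s) return -1;
    s++;
    const char *t = strchr(s, ']');
    if (!t) return -1;

    char name[OUTBUF_SIZE];
    size_t namelen = (size_t)(t - s);
    if (namelen >= sizeof name) return -1; /* object name alone cannot fit */
    memcpy(name, s, namelen);
    name[namelen] = 0;

    t++;
    while (*t == ' ' || *t == '\t' || *t == '\n') t++;
    return format_object_checked(outputbuffer, sizeof outputbuffer, name, t);
}
```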
Please let me know when you have fixed the vulnerability so that I can
coordinate my disclosure with yours. For reference, here is a link to
Semmle's vulnerability disclosure policy:
https://lgtm.com/security#disclosure_policy
Thank you,
Nico Waisman
Semmle Security Research Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: POC_stack_overflow.ax1.gz
Type: application/gzip
Size: 4807 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20190718/bfbe281f/attachment.gz>