GHSL-2023-105: Buffer Overflow in uchardet

Coordinated Disclosure Timeline

2023-05-08: Reported as a private issue in the repository.
2023-07-17: Fixed in the master branch, post v0.0.8.

Summary

A crafted sequence of bytes triggers memory read past the bounds of a globally allocated object buffer.

Product

uchardet

Tested Version

Master branch, post v0.0.8.

Details

Global buffer read overflow in `GetOrderFromCodePoint` (`GHSL-2023-105`)

The out of bounds read happens in GetOrderFromCodePoint [1] when i becomes equal to max. For example, in the PoC, initially max is set to 64 [2] (it is a half of the true size of the mModel->charOrderTable buffer). i is set to 32 [3]. The binary search in the loop increases the i until it reaches 63 in [4] and max is assigned to i. However in the next loop iteration the index i * 2 (64) [1] reads one integer out of the true buffer size (64).

int nsLanguageDetector::GetOrderFromCodePoint(int codePoint) { int max = mModel->charOrderTableSize; // [2] int i = max / 2; // [3] int c = mModel->charOrderTable[i * 2]; while ((c = mModel->charOrderTable[i * 2]) != codePoint) // [1] buffer read overflow { if (c > codePoint) { if (i == 0) break; max = i - 1; i = i / 2; } else if (i < max - 1) { i += (max - i) / 2; } else if (i == max - 1) // [4] { i = max; // [5] } else { break; } } return (c == codePoint) ? mModel->charOrderTable[i * 2 + 1] : -1; } 

Impact

This issue may be used to leak internal memory allocation information.

Resources

To reproduce the issue:

Make ASAN build or set breakpoint with the condition i == 64 at while ((c = mModel->charOrderTable[i * 2]) != codePoint).

Run the following program to hit the breakpoint or out of bounds access with ASAN:

uchardet_t ud = uchardet_new(); uchardet_handle_data(ud, "\xe6\xbc\xa2", 3); 

The output when built with ASAN:

==13==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006100a0 at pc 0x000000595025 bp 0x7ffc86d95830 sp 0x7ffc86d95828 READ of size 4 at 0x0000006100a0 thread T0 SCARINESS: 17 (4-byte-read-global-buffer-overflow) #0 0x595024 in GetOrderFromCodePoint /src/uchardet/src/nsLanguageDetector.cpp:254:15 #1 0x595024 in nsLanguageDetector::HandleData(int const*, unsigned int) /src/uchardet/src/nsLanguageDetector.cpp:49:13 #2 0x584dbd in nsMBCSGroupProber::HandleData(char const*, unsigned int, int**, int*) /src/uchardet/src/nsMBCSGroupProber.cpp:369:32 #3 0x57e3cd in nsUniversalDetector::HandleData(char const*, unsigned int) /src/uchardet/src/nsUniversalDetector.cpp:275:34 #4 0x5786ae in uchardet_handle_data /src/uchardet/src/uchardet.cpp:220:63 DEDUP_TOKEN: GetOrderFromCodePoint--nsLanguageDetector::HandleData(int const*, unsigned int)--nsMBCSGroupProber::HandleData(char const*, unsigned int, int**, int*) 0x0000006100a0 is located 0 bytes to the right of global variable 'Unicode_CharOrder' defined in '/src/uchardet/src/LangModels/LangArabicModel.cpp:110:27' (0x60fea0) of size 512 SUMMARY: AddressSanitizer: global-buffer-overflow /src/uchardet/src/nsLanguageDetector.cpp:254:15 in GetOrderFromCodePoint Shadow bytes around the buggy address: 0x0000800b9fc0: f9 f9 f9 f9 00 05 f9 f9 00 00 00 00 00 00 f9 f9 0x0000800b9fd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800b9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800b9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0000800ba010: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000800ba020: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 0x0000800ba030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000800ba060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13==ABORTING 

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-105 in any communication regarding this issue.