When using the program with -F 0x03000000 and providing a carefully crafted input string, an out-of-bounds read occurs.
This bug affects version 3.0.0a only.
Reproduce
Run:
./markdown -F 0x03000000
Input:
: Y:|
```|
|
```|
Result
root@worklab ~/f/d/src (main) [1]# ./markdown -F 0x03000000
: Y:|
```|
|
```|
=================================================================
==18233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b0000002ff at pc 0x5557369011e2 bp 0x7ffca987ca70 sp 0x7ffca987ca68
READ of size 1 at 0x60b0000002ff thread T0
#0 0x5557369011e1 in splat /root/fuzz/discount/src/generate.c:1607:5
#1 0x5557368ffc55 in printtable /root/fuzz/discount/src/generate.c:1700:2
#2 0x5557368fd896 in display /root/fuzz/discount/src/generate.c:2010:2
#3 0x5557368fd535 in htmlify_paragraphs /root/fuzz/discount/src/generate.c:1872:5
#4 0x5557368f3575 in htmlify /root/fuzz/discount/src/generate.c:1916:5
#5 0x5557368fd8e1 in display /root/fuzz/discount/src/generate.c:2014:2
#6 0x5557368fd535 in htmlify_paragraphs /root/fuzz/discount/src/generate.c:1872:5
#7 0x5557368f3575 in htmlify /root/fuzz/discount/src/generate.c:1916:5
#8 0x5557368f2aba in mkd_document /root/fuzz/discount/src/generate.c:2065:6
#9 0x5557368d9d9d in mkd_generatehtml /root/fuzz/discount/src/mkdio.c:200:5
#10 0x5557368d294d in main /root/fuzz/discount/src/main.c:376:7
#11 0x7f5452a946c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f5452a94784 in __libc_start_main csu/../csu/libc-start.c:360:3
#13 0x5557367fa3f0 in _start (/root/fuzz/discount/src/markdown+0x283f0) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
0x60b0000002ff is located 1 bytes before 100-byte region [0x60b000000300,0x60b000000364)
allocated by thread T0 here:
#0 0x555736895042 in __interceptor_malloc (/root/fuzz/discount/src/markdown+0xc3042) (BuildId: afc94b815b20ad8be244845d74b6694ea7bab3d9)
#1 0x5557368d7e8f in __mkd_enqueue /root/fuzz/discount/src/mkdio.c:67:6
#2 0x5557368d8e4b in populate /root/fuzz/discount/src/mkdio.c:126:6
#3 0x5557368d99c3 in mkd3_in /root/fuzz/discount/src/mkdio.c:161:12
#4 0x5557368d25cc in main /root/fuzz/discount/src/main.c:341:10
#5 0x7f5452a946c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz/discount/src/generate.c:1607:5 in splat
Shadow bytes around the buggy address:
0x60b000000000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x60b000000080: fd fd fd fd fd fa fa fa fa fa fa fa fa fa 00 00
0x60b000000100: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
0x60b000000180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x60b000000200: 04 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x60b000000280: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa[fa]
0x60b000000300: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
0x60b000000380: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x60b000000400: 00 00 04 fa fa fa fa fa fa fa fa fa fd fd fd fd
0x60b000000480: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x60b000000500: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18233==ABORTING
Reason
In function splat():
Possible fix
Maybe there is a bug in the parser. I am unsure about the root cause of this vulnerability.
Good catch(es) by your fuzzer! I found a few places where I was looking at the contents @ S()-1 without first verifying S() > 0, and I've put them into sccs & mirrored them here.
Can you refuzz and see if it's still walking off the beginning of the world here?
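The maintainer's reply above gives the root cause: the code read the byte at S()-1 without first checking that S() > 0, so an empty string indexes one byte before its buffer, which matches the ASan report of a 1-byte READ "1 bytes before" the allocated region. The C example below is added here to illustrate that pattern and its guarded form; it is not discount's code. The Cstring struct, the T()/S() macros and the ends_with_pipe functions are stand-ins assumed for the example, and the storage array is constructed so the faulty read stays inside a known buffer and can be observed deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a length-counted string: text pointer plus byte count.
 * The S()/T() accessor names follow the maintainer's comment; this
 * struct and the macros are assumptions for the example, not discount's
 * own definitions. */
typedef struct {
    const char *text;
    int size;
} Cstring;

#define T(c) ((c).text)
#define S(c) ((c).size)

/* Buggy pattern: assumes the string has at least one byte.
 * With S() == 0 this evaluates T()[-1], one byte before the buffer,
 * which on a heap allocation is the heap-buffer-overflow READ of size 1
 * that ASan reports. */
static int ends_with_pipe_unchecked(Cstring line)
{
    return T(line)[S(line) - 1] == '|';
}

/* Fixed pattern: verify S() > 0 before touching S()-1. The short-circuit
 * && guarantees the index is never evaluated for an empty string. */
static int ends_with_pipe(Cstring line)
{
    return S(line) > 0 && T(line)[S(line) - 1] == '|';
}

/* Convenience wrapper for NUL-terminated input (constructed test data). */
static int ends_with_pipe_cstr(const char *s)
{
    Cstring line = { s, (int)strlen(s) };
    return ends_with_pipe(line);
}

/* Deterministic demonstration of the misfire: the empty string's text
 * pointer sits one byte after a '|' in the same array, so the out-of-
 * range read stays inside `storage` (well-defined here) and the
 * unchecked version wrongly reports a trailing '|'. Returns 1. */
static int demo_unchecked_misfires(void)
{
    char storage[2] = { '|', '\0' };
    Cstring empty = { storage + 1, 0 };
    return ends_with_pipe_unchecked(empty);
}

/* Same empty string through the guarded version. Returns 0. */
static int demo_checked_is_safe(void)
{
    char storage[2] = { '|', '\0' };
    Cstring empty = { storage + 1, 0 };
    return ends_with_pipe(empty);
}

int main(void)
{
    printf("unchecked on empty line: %d (wrong)\n", demo_unchecked_misfires());
    printf("checked   on empty line: %d\n", demo_checked_is_safe());
    printf("checked   on \"a|\":      %d\n", ends_with_pipe_cstr("a|"));
    return 0;
}
```

Building the real program with -fsanitize=address, as the report did, is the practical way to confirm such a fix: the guarded version never forms the T()-1 address, so the sanitizer has nothing to flag on an empty line.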