CVE-2020-12825: Stack overflow in cr_parser_parse_any_core in cr-parser.c
Too much recursion in the function cr_parser_parse_any_core
could cause a stack overflow if an attacker provides many '(' characters.
Steps to reproduce:
- compile libcroco with ASAN
- run the poc using the command:
./csslint-0.6 poc
poc: poc
result:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==34840==ERROR: AddressSanitizer: stack-overflow on address 0x7fff6fd36fe8 (pc 0x0000004d9119 bp 0x000000000048 sp 0x7fff6fd36fc0 T0)
#0 0x4d9118 in __sanitizer::StackDepotPut(__sanitizer::StackTrace) /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_stackdepot.cc:97
#1 0x4255ad in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:509
#2 0x4265b6 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:875
#3 0x4a8883 in malloc /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
#4 0x539891 in cr_token_new /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-token.c:138:18
#5 0x53f30b in cr_tknzr_get_next_token /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-tknzr.c:2007:17
#6 0x50db42 in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1179:18
#7 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#8 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#9 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#10 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#11 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#12 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#13 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#14 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#15 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#16 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#17 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
#18 0x50e43f in cr_parser_parse_any_core /home/casper/targets/gramma/libcroco/afl/BUILD/src/cr-parser.c:1240:34
...
Edited by Simon McVittie
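The trace above shows the recursive-descent pattern behind the crash: each '(' makes cr_parser_parse_any_core call itself for the group's contents, so the recursion depth, and therefore stack usage, is controlled by the input. The following is an added example, not libcroco's code: a minimal "any"-style parser in the same shape (a bracket opens a group whose contents are parsed by a recursive call) with a depth counter threaded through the recursion so that over-nested input is rejected with an error instead of exhausting the stack. The limit MAX_NESTING, the function names, and the helper that builds a run of '(' characters like the report's PoC are all assumptions for illustration; libcroco's real production and any limit it adopted may differ.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed nesting cap for this example; not libcroco's value. */
#define MAX_NESTING 64

enum { PARSE_OK = 0, PARSE_SYNTAX_ERR = -1, PARSE_TOO_DEEP = -2 };

/* Parse one "any" production starting at s[*pos]: either a run of plain
 * characters, or a '(' / '[' group whose contents are again "any"
 * productions. The recursive call for group contents is what an attacker
 * drives with many '('; `depth` is the bound that stops it. */
static int parse_any(const char *s, size_t *pos, unsigned depth)
{
    if (depth > MAX_NESTING)
        return PARSE_TOO_DEEP;          /* refuse instead of overflowing */

    char c = s[*pos];
    if (c == '(' || c == '[') {
        char close = (c == '(') ? ')' : ']';
        (*pos)++;
        while (s[*pos] != '\0' && s[*pos] != close) {
            int rc = parse_any(s, pos, depth + 1);   /* recursion point */
            if (rc != PARSE_OK)
                return rc;
        }
        if (s[*pos] != close)
            return PARSE_SYNTAX_ERR;    /* unbalanced: ran out of input */
        (*pos)++;
        return PARSE_OK;
    }
    if (c == ')' || c == ']' || c == '\0')
        return PARSE_SYNTAX_ERR;        /* stray closer or empty production */

    /* Plain token: consume up to the next bracket or end of input. */
    while (s[*pos] != '\0' && strchr("()[]", s[*pos]) == NULL)
        (*pos)++;
    return PARSE_OK;
}

/* Parse a whole string as a sequence of "any" productions. */
int parse_expression(const char *s)
{
    size_t pos = 0;
    while (s[pos] != '\0') {
        int rc = parse_any(s, &pos, 0);
        if (rc != PARSE_OK)
            return rc;
    }
    return PARSE_OK;
}

/* Constructed input in the spirit of the report's PoC: n '(' characters
 * with no closers. Caller frees. */
char *make_open_parens(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return NULL;
    memset(buf, '(', n);
    buf[n] = '\0';
    return buf;
}

/* Constructed balanced input: n '(' followed by n ')'. Caller frees. */
char *make_nested_parens(size_t n)
{
    char *buf = malloc(2 * n + 1);
    if (buf == NULL)
        return NULL;
    memset(buf, '(', n);
    memset(buf + n, ')', n);
    buf[2 * n] = '\0';
    return buf;
}

/* Convenience wrappers that build, parse and free the constructed inputs. */
int open_parens_status(size_t n)
{
    char *s = make_open_parens(n);
    int rc = s ? parse_expression(s) : PARSE_SYNTAX_ERR;
    free(s);
    return rc;
}

int nested_parens_status(size_t n)
{
    char *s = make_nested_parens(n);
    int rc = s ? parse_expression(s) : PARSE_SYNTAX_ERR;
    free(s);
    return rc;
}

int main(void)
{
    printf("a(b[c])d        -> %d\n", parse_expression("a(b[c])d"));
    printf("10 nested       -> %d\n", nested_parens_status(10));
    printf("100000 open '(' -> %d\n", open_parens_status(100000));
    return 0;
}
```

Without the depth check, a long enough run of '(' drives this parser into the same unbounded recursion as the report describes; with it, the 100000-'(' input returns PARSE_TOO_DEEP in bounded stack. The cap must be checked on entry, before any per-level allocation, so that a rejected input leaves nothing to clean up.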