Closed
Description
I found a stack overflow in the sassc binary; sassc is compiled with clang with ASAN enabled.
Machine Setup
Machine : Ubuntu 16.04.3 LTS
gcc version : 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Command : sassc poc
Compilation : CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 make -C sassc -j4
POC : poc.txt
ASAN Output:
==465==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000114 at pc 0x00000081db7b bp 0x7ffe64dc8c80 sp 0x7ffe64dc8c78
READ of size 1 at 0x602000000114 thread T0
#0 0x81db7a in exactly<'\\'> /src/libsass/src/lexer.hpp:82:14
#1 0x81db7a in sequence<&Sass::Prelexer::exactly, &Sass::Prelexer::re_linebreak> /src/libsass/src/lexer.hpp:216:20
#2 0x81db7a in alternatives<&Sass::Prelexer::sequence, &Sass::Prelexer::escape_seq, &Sass::Prelexer::unicode_seq, &Sass::Prelexer::interpolant, &Sass::Prelexer::any_char_but> /src/libsass/src/lexer.hpp:200:19
#3 0x81db7a in zero_plus<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:234:30
#4 0x81db7a in sequence<&Sass::Prelexer::zero_plus, &Sass::Prelexer::exactly> /src/libsass/src/lexer.hpp:216:20
#5 0x81db7a in sequence<&Sass::Prelexer::exactly, &Sass::Prelexer::zero_plus, &Sass::Prelexer::exactly> /src/libsass/src/lexer.hpp:217:14
#6 0x81db7a in single_quoted_string /src/libsass/src/prelexer.cpp:516:14
#7 0x81db7a in alternatives<&Sass::Prelexer::single_quoted_string, &Sass::Prelexer::double_quoted_string> /src/libsass/src/lexer.hpp:200:19
#8 0x81db7a in Sass::Prelexer::quoted_string(char const*) /src/libsass/src/prelexer.cpp:564:14
#9 0x8359ac in char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*) /src/libsass/src/lexer.hpp:200:19
#10 0x8358ea in alternatives<&Sass::Prelexer::exactly, &Sass::Prelexer::quoted_string, &Sass::Prelexer::interpolant, &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &Sass::Prelexer::percentage, &Sass::Prelexer::binomial, &Sass::Prelexer::dimension, &Sass::Prelexer::alnum> /src/libsass/src/lexer.hpp:201:14
#11 0x8358ea in alternatives<&Sass::Prelexer::kwd_optional, &Sass::Prelexer::exactly, &Sass::Prelexer::quoted_string, &Sass::Prelexer::interpolant, &Sass::Prelexer::identifier, &Sass::Prelexer::variable, &Sass::Prelexer::percentage, &Sass::Prelexer::binomial, &Sass::Prelexer::dimension, &Sass::Prelexer::alnum> /src/libsass/src/lexer.hpp:201:14
#12 0x8358ea in sequence<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:210:20
#13 0x8358ea in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)45>(char const*)), &(Sass::Prelexer::optional_spaces(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::kwd_optional(char const*)), &(char const* Sass::Prelexer::exactly<(char)42>(char const*)), &(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*))>(char const*) /src/libsass/src/lexer.hpp:217:14
#14 0x83550d in one_plus<&Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:242:23
#15 0x83550d in sequence<&Sass::Prelexer::one_plus, &Sass::Prelexer::zero_plus> /src/libsass/src/lexer.hpp:216:20
#16 0x83550d in sequence<&Sass::Prelexer::alternatives, &Sass::Prelexer::one_plus, &Sass::Prelexer::zero_plus> /src/libsass/src/lexer.hpp:217:14
#17 0x83550d in char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::optional<&(Sass::Prelexer::namespace_schema(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)35>(char const*)), &(char const* Sass::Prelexer::negate<&(char const* Sass::Prelexer::exactly<(char)123>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::exactly<(char)46>(char const*)), &(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::optional<&(Sass::Prelexer::pseudo_prefix(char const*))>(char const*)), &(char const* Sass::Prelexer::negate<&(Sass::Prelexer::uri_prefix(char const*))>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::one_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::sequence<&(char const* Sass::Prelexer::exactly<(char)45>(char const*)), &(Sass::Prelexer::optional_spaces(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::alternatives<&(Sass::Prelexer::kwd_optional(char const*)), &(char const* Sass::Prelexer::exactly<(char)42>(char const*)), &(Sass::Prelexer::quoted_string(char const*)), &(Sass::Prelexer::interpolant(char const*)), &(Sass::Prelexer::identifier(char const*)), &(Sass::Prelexer::variable(char const*)), &(Sass::Prelexer::percentage(char const*)), &(Sass::Prelexer::binomial(char const*)), &(Sass::Prelexer::dimension(char const*)), &(Sass::Prelexer::alnum(char const*))>(char const*))>(char const*))>(char const*)), &(char const* Sass::Prelexer::zero_plus<&(char const* Sass::Prelexer::exactly<(char)45>(char const*))>(char const*))>(char const*) /src/libsass/src/lexer.hpp:217:14
#18 0x82b9ee in alternatives<&Sass::Prelexer::block_comment, &Sass::Prelexer::line_comment, &Sass::Prelexer::schema_reference_combinator, &Sass::Prelexer::class_char, &Sass::Prelexer::class_char, &Sass::Prelexer::sequence, &Sass::Prelexer::alternatives, &Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:201:14
#19 0x82b9ee in alternatives<&Sass::Prelexer::spaces, &Sass::Prelexer::block_comment, &Sass::Prelexer::line_comment, &Sass::Prelexer::schema_reference_combinator, &Sass::Prelexer::class_char, &Sass::Prelexer::class_char, &Sass::Prelexer::sequence, &Sass::Prelexer::alternatives, &Sass::Prelexer::sequence> /src/libsass/src/lexer.hpp:201:14
#20 0x82b9ee in one_plus<&Sass::Prelexer::alternatives> /src/libsass/src/lexer.hpp:242:23
#21 0x82b9ee in alternatives<&Sass::Prelexer::one_plus> /src/libsass/src/lexer.hpp:194:19
#22 0x82b9ee in alternatives<&Sass::Prelexer::sequence, &Sass::Prelexer::one_plus> /src/libsass/src/lexer.hpp:201:14
#23 0x82b9ee in Sass::Prelexer::re_selector_list(char const*) /src/libsass/src/prelexer.cpp:1643:14
#24 0x71e885 in peek<&Sass::Prelexer::re_selector_list> /src/libsass/src/parser.hpp:140:27
#25 0x71e885 in Sass::Parser::lookahead_for_selector(char const*) /src/libsass/src/parser.cpp:2630:7
#26 0x6f4e0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:274:28
#27 0x6ec35d in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:189:11
#28 0x6e856b in Sass::Parser::parse() /src/libsass/src/parser.cpp:115:5
#29 0x5a2968 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:306:24
#30 0x5b5654 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:620:5
#31 0x582635 in sass_parse_block /src/libsass/src/sass_context.cpp:180:31
#32 0x582635 in sass_compiler_parse /src/libsass/src/sass_context.cpp:434:22
#33 0x581b08 in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:317:7
#34 0x57f786 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#35 0x485391 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#36 0x46feb1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#37 0x475b6e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
#38 0x49fa92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#39 0x7faf70aef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#40 0x449328 in _start (/out/data_context_fuzzer+0x449328)
0x602000000114 is located 0 bytes to the right of 4-byte region [0x602000000110,0x602000000114)
allocated by thread T0 here:
#0 0x54cf2d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x57f700 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:4:29
#2 0x485391 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#3 0x46feb1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#4 0x475b6e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
#5 0x49fa92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#6 0x7faf70aef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libsass/src/lexer.hpp:82:14 in exactly<'\\'>
Shadow bytes around the buggy address:
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 fa
0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa 03 fa fa fa 03 fa
=>0x0c047fff8020: fa fa[04]fa fa fa 00 03 fa fa fd fa fa fa 06 fa
0x0c047fff8030: fa fa 00 03 fa fa fd fa fa fa 00 fa fa fa 00 00
0x0c047fff8040: fa fa 06 fa fa fa 06 fa fa fa 00 00 fa fa 06 fa
0x0c047fff8050: fa fa 00 00 fa fa 04 fa fa fa fd fa fa fa 00 00
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==465==ABORTING
skyvast404
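The trace above shows `exactly<'\\'>` (lexer.hpp:82) reading one byte past a 4-byte heap region while `single_quoted_string` is scanning a string body, which is the signature of a pointer-walking lexer running off the end of its input instead of stopping at a terminator. The block below is an added example, not libsass code: it rebuilds the same combinator shape (exactly, escape_seq, any_char_but, single_quoted_string are my simplified stand-ins for the frames named in the report) with an explicit end-of-buffer bound, so an unterminated string in a buffer with no trailing NUL fails to match rather than reading past the allocation.

```c
#include <stddef.h>

/* Added example (not libsass code): bounds-checked prelexer combinators.
   Every matcher carries the end of the input and refuses to dereference
   at or beyond it; a match returns the position after the consumed
   bytes, a mismatch returns NULL, mirroring the combinator style in the trace. */
typedef struct { const char *src; const char *end; } Cur;

/* exactly<ch>: match one specific byte. */
static const char *exactly(Cur c, char ch) {
    if (c.src >= c.end || *c.src != ch) return NULL;
    return c.src + 1;
}

/* any_char_but: one plain string-body byte (not a quote, not a backslash). */
static const char *any_char_but(Cur c, char quote) {
    if (c.src >= c.end || *c.src == quote || *c.src == '\\') return NULL;
    return c.src + 1;
}

/* escape_seq: a backslash followed by exactly one more byte.
   This is the spot that overflowed in the report when the second
   byte lay past the end of the buffer; here it is bounds-checked. */
static const char *escape_seq(Cur c) {
    const char *p = exactly(c, '\\');
    if (!p || p >= c.end) return NULL;
    return p + 1;
}

/* single_quoted_string: ' then zero or more (escape | plain byte) then ' */
const char *single_quoted_string(const char *src, size_t len) {
    Cur c = { src, src + len };
    const char *p = exactly(c, '\'');
    if (!p) return NULL;
    for (;;) {
        Cur body = { p, c.end };
        const char *q = escape_seq(body);
        if (!q) q = any_char_but(body, '\'');
        if (!q) break;
        p = q;
    }
    Cur close = { p, c.end };
    return exactly(close, '\'');
}

/* Convenience for callers and tests: matched length, or -1 on no match. */
long match_len(const char *buf, size_t len) {
    const char *e = single_quoted_string(buf, len);
    return e ? (long)(e - buf) : -1;
}
```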