Stack exhaustion (uncontrolled recursion) in function agclose()
Summary : agclose() calls itself once per nested subgraph (cgraph!agclose+0xc9, graph.c @ 109, reached through agfstsubg), so a sufficiently deeply nested subgraph input overruns the thread stack. The fault is raised by the stack guard page, not by an out-of-bounds write: WinDbg reports ExceptionCode c00000fd (Stack overflow) at the prologue of cdt!dttree (push ebx), and Parameter[1] (00c02f4c) lies just below esp (00c02f50). The 0CCCCCCCCh fill and __security_cookie load in the prologue indicate a debug /GS build. Impact is a crash of bcomps.exe (denial of service).
Tested Environment : Windows 7/10 (32 bit)
Command : bcomps.exe -s -t -v -x -o OUT.ps POC
POC : REPRODUCER
DEBUG :
0:000> kb
# ChildEBP RetAddr Args to Child
00 00c0316c 69e24c98 0125c1e0 00000000 00000080 cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]
01 00c0324c 69e19d8d 0125be58 00c034bc 00cffbb8 cgraph!agfstsubg+0x38 [graphviz\lib\cgraph\subg.c @ 74]
02 00c03384 69e19db9 0125be58 00c035f4 00cffbb8 cgraph!agclose+0x9d [graphviz\lib\cgraph\graph.c @ 107]
03 00c034bc 69e19db9 0125b680 00c0372c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
04 00c035f4 69e19db9 0125aea8 00c03864 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
05 00c0372c 69e19db9 0125a6d0 00c0399c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
06 00c03864 69e19db9 01259ef8 00c03ad4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
07 00c0399c 69e19db9 01259720 00c03c0c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
08 00c03ad4 69e19db9 01258f48 00c03d44 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
09 00c03c0c 69e19db9 01258770 00c03e7c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0a 00c03d44 69e19db9 01257f98 00c03fb4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0b 00c03e7c 69e19db9 012577c0 00c040ec 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0c 00c03fb4 69e19db9 01256fe8 00c04224 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0d 00c040ec 69e19db9 01256810 00c0435c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0e 00c04224 69e19db9 01256038 00c04494 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0f 00c0435c 69e19db9 01255860 00c045cc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
10 00c04494 69e19db9 01255088 00c04704 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
11 00c045cc 69e19db9 012548b0 00c0483c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
12 00c04704 69e19db9 012540d8 00c04974 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
13 00c0483c 69e19db9 01253900 00c04aac 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
14 00c04974 69e19db9 01253128 00c04be4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
15 00c04aac 69e19db9 01252950 00c04d1c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
16 00c04be4 69e19db9 01252178 00c04e54 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
17 00c04d1c 69e19db9 012519a0 00c04f8c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
18 00c04e54 69e19db9 012511c8 00c050c4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
19 00c04f8c 69e19db9 012509e8 00c051fc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1a 00c050c4 69e19db9 01250210 00c05334 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1b 00c051fc 69e19db9 0124fa38 00c0546c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1c 00c05334 69e19db9 0124f260 00c055a4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1d 00c0546c 69e19db9 0124ea88 00c056dc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1e 00c055a4 69e19db9 0124e2b0 00c05814 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
1f 00c056dc 69e19db9 0124dad8 00c0594c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
20 00c05814 69e19db9 0124d300 00c05a84 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]
0:000> u
cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]:
69df5589 53 push ebx
69df558a 56 push esi
69df558b 57 push edi
69df558c 8dbde4fdffff lea edi,[ebp-21Ch]
69df5592 b987000000 mov ecx,87h
69df5597 b8cccccccc mov eax,0CCCCCCCCh
69df559c f3ab rep stos dword ptr es:[edi]
69df559e a1a0f0df69 mov eax,dword ptr [cdt!__security_cookie (69dff0a0)]
0:000> .exr -1
ExceptionAddress: 69df5589 (cdt!dttree+0x00000009)
ExceptionCode: c00000fd (Stack overflow)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00c02f4c
FAULTING_SOURCE_FILE: graphviz\cmd\tools\bcomps.c
FAILURE_SYMBOL_NAME: bcomps.exe!main
FAILURE_BUCKET_ID: STACK_OVERFLOW_c00000fd_bcomps.exe!main
0:000> g
(834.1350): Stack overflow - code c00000fd (!!! second chance !!!)
Registers:
eax=0125c1e0 ebx=00a69000 ecx=69df5580 edx=0125be58 esi=00c03180 edi=00c0324c
eip=69df5589 esp=00c02f50 ebp=00c0316c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
cdt!dttree+0x9:
69df5589 53 push ebx
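To make the mechanism behind the trace concrete, the following is an added example written for this page; it is not cgraph's code and not part of the original advisory. It models a graph with nested subgraphs, tears it down first with the recursive pattern the backtrace shows (one agclose-style frame per nesting level, so stack usage is proportional to input depth) and then with an explicit heap-allocated work list that needs constant stack regardless of depth. The type graph_t and the functions make_nested, close_recursive and close_iterative are names invented for this example; the nesting depths used are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a graph with nested subgraphs.  Constructed for this example;
 * it is not cgraph's Agraph_t and has no attributes, nodes or edges. */
typedef struct graph_s {
    struct graph_s *first_subg;  /* first child subgraph */
    struct graph_s *next_subg;   /* next sibling under the same parent */
} graph_t;

/* Build a chain of `depth` nested subgraphs under a root and return the root.
 * This is the shape of input that makes the recursive close deep. */
graph_t *make_nested(size_t depth) {
    graph_t *root = calloc(1, sizeof *root);
    if (!root) abort();
    graph_t *cur = root;
    for (size_t i = 0; i < depth; i++) {
        graph_t *child = calloc(1, sizeof *child);
        if (!child) abort();
        cur->first_subg = child;
        cur = child;
    }
    return root;
}

/* Recursive teardown: the pattern visible in the backtrace (agclose calling
 * agclose for every subgraph).  One stack frame per nesting level, so an
 * attacker-controlled depth controls stack consumption; deep enough input
 * hits the guard page (ExceptionCode c00000fd on Windows).
 * Returns the number of graphs freed. */
size_t close_recursive(graph_t *g) {
    size_t freed = 0;
    graph_t *sub = g->first_subg;
    while (sub) {
        graph_t *next = sub->next_subg;   /* read before sub is freed */
        freed += close_recursive(sub);
        sub = next;
    }
    free(g);
    return freed + 1;
}

/* Iterative teardown with an explicit work list on the heap.  Stack usage is
 * constant; the work list grows with the number of pending subgraphs, and a
 * failed growth aborts instead of corrupting memory.
 * Returns the number of graphs freed. */
size_t close_iterative(graph_t *root) {
    size_t cap = 64, n = 0, freed = 0;
    graph_t **work = malloc(cap * sizeof *work);
    if (!work) abort();
    work[n++] = root;
    while (n) {
        graph_t *g = work[--n];
        /* Queue every child before freeing the parent. */
        for (graph_t *sub = g->first_subg; sub; sub = sub->next_subg) {
            if (n == cap) {
                cap *= 2;
                graph_t **tmp = realloc(work, cap * sizeof *work);
                if (!tmp) abort();
                work = tmp;
            }
            work[n++] = sub;
        }
        free(g);
        freed++;
    }
    free(work);
    return freed;
}

int main(int argc, char **argv) {
    /* Depth defaults to one million nested subgraphs; override on the command line. */
    size_t depth = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 1000000;
    graph_t *g = make_nested(depth);
    printf("iterative close freed %zu graphs\n", close_iterative(g));
    /* close_recursive(make_nested(depth)) is deliberately not called here:
     * at this depth it needs far more than the default 1 MB thread stack of a
     * 32-bit Windows executable and would reproduce the c00000fd crash. */
    return 0;
}
```

Either replacing the recursion with an explicit work list as above, or rejecting input whose subgraph nesting exceeds a fixed limit at parse time, removes the input-controlled stack growth. Note that the fix addresses a crash; nothing in the trace indicates control over a return address or other data, so this should be tracked as a denial of service rather than a stack buffer overflow.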
Edited by Loginsoft Security Research