Stack buffer overflow in function agclose() (#1512) · Issues · graphviz / graphviz

Stack buffer overflow in function agclose()

Tested Environment : Windows 7/10 (32 bit)

Command : bcomps.exe -s -t -v -x -o OUT.ps POC

DEBUG :

Debug: 0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00c0316c 69e24c98 0125c1e0 00000000 00000080 cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12] 
01 00c0324c 69e19d8d 0125be58 00c034bc 00cffbb8 cgraph!agfstsubg+0x38 [graphviz\lib\cgraph\subg.c @ 74] 
02 00c03384 69e19db9 0125be58 00c035f4 00cffbb8 cgraph!agclose+0x9d [graphviz\lib\cgraph\graph.c @ 107] 
03 00c034bc 69e19db9 0125b680 00c0372c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
04 00c035f4 69e19db9 0125aea8 00c03864 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
05 00c0372c 69e19db9 0125a6d0 00c0399c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
06 00c03864 69e19db9 01259ef8 00c03ad4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
07 00c0399c 69e19db9 01259720 00c03c0c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
08 00c03ad4 69e19db9 01258f48 00c03d44 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
09 00c03c0c 69e19db9 01258770 00c03e7c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0a 00c03d44 69e19db9 01257f98 00c03fb4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0b 00c03e7c 69e19db9 012577c0 00c040ec 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0c 00c03fb4 69e19db9 01256fe8 00c04224 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0d 00c040ec 69e19db9 01256810 00c0435c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0e 00c04224 69e19db9 01256038 00c04494 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0f 00c0435c 69e19db9 01255860 00c045cc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
10 00c04494 69e19db9 01255088 00c04704 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
11 00c045cc 69e19db9 012548b0 00c0483c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
12 00c04704 69e19db9 012540d8 00c04974 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
13 00c0483c 69e19db9 01253900 00c04aac 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
14 00c04974 69e19db9 01253128 00c04be4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
15 00c04aac 69e19db9 01252950 00c04d1c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
16 00c04be4 69e19db9 01252178 00c04e54 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
17 00c04d1c 69e19db9 012519a0 00c04f8c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
18 00c04e54 69e19db9 012511c8 00c050c4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
19 00c04f8c 69e19db9 012509e8 00c051fc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1a 00c050c4 69e19db9 01250210 00c05334 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1b 00c051fc 69e19db9 0124fa38 00c0546c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1c 00c05334 69e19db9 0124f260 00c055a4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1d 00c0546c 69e19db9 0124ea88 00c056dc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1e 00c055a4 69e19db9 0124e2b0 00c05814 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1f 00c056dc 69e19db9 0124dad8 00c0594c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
20 00c05814 69e19db9 0124d300 00c05a84 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0:000> u
cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]:
69df5589 53              push    ebx
69df558a 56              push    esi
69df558b 57              push    edi
69df558c 8dbde4fdffff    lea     edi,[ebp-21Ch]
69df5592 b987000000      mov     ecx,87h
69df5597 b8cccccccc      mov     eax,0CCCCCCCCh
69df559c f3ab            rep stos dword ptr es:[edi]
69df559e a1a0f0df69      mov     eax,dword ptr [cdt!__security_cookie (69dff0a0)]
0:000> .exr -1
ExceptionAddress: 69df5589 (cdt!dttree+0x00000009)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00c02f4c
FAULTING_SOURCE_FILE:  graphviz\cmd\tools\bcomps.c
FAILURE_SYMBOL_NAME:  bcomps.exe!main
FAILURE_BUCKET_ID:  STACK_OVERFLOW_c00000fd_bcomps.exe!main
0:000> g
(834.1350): Stack overflow - code c00000fd (!!! second chance !!!)
Registers:
eax=0125c1e0 ebx=00a69000 ecx=69df5580 edx=0125be58 esi=00c03180 edi=00c0324c
eip=69df5589 esp=00c02f50 ebp=00c0316c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
cdt!dttree+0x9:
69df5589 53              push    ebx

**Tested Environment** : Windows 7/10 (32 bit)

**Command** : bcomps.exe -s -t -v -x -o OUT.ps POC

**POC** : [REPRODUCER](https://raw.githubusercontent.com/SegfaultMasters/covering360/master/Graphviz/SOFGFV)

**DEBUG** :

```
Debug: 0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00c0316c 69e24c98 0125c1e0 00000000 00000080 cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12] 
01 00c0324c 69e19d8d 0125be58 00c034bc 00cffbb8 cgraph!agfstsubg+0x38 [graphviz\lib\cgraph\subg.c @ 74] 
02 00c03384 69e19db9 0125be58 00c035f4 00cffbb8 cgraph!agclose+0x9d [graphviz\lib\cgraph\graph.c @ 107] 
03 00c034bc 69e19db9 0125b680 00c0372c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
04 00c035f4 69e19db9 0125aea8 00c03864 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
05 00c0372c 69e19db9 0125a6d0 00c0399c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
06 00c03864 69e19db9 01259ef8 00c03ad4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
07 00c0399c 69e19db9 01259720 00c03c0c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
08 00c03ad4 69e19db9 01258f48 00c03d44 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
09 00c03c0c 69e19db9 01258770 00c03e7c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0a 00c03d44 69e19db9 01257f98 00c03fb4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0b 00c03e7c 69e19db9 012577c0 00c040ec 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0c 00c03fb4 69e19db9 01256fe8 00c04224 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0d 00c040ec 69e19db9 01256810 00c0435c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0e 00c04224 69e19db9 01256038 00c04494 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0f 00c0435c 69e19db9 01255860 00c045cc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
10 00c04494 69e19db9 01255088 00c04704 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
11 00c045cc 69e19db9 012548b0 00c0483c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
12 00c04704 69e19db9 012540d8 00c04974 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
13 00c0483c 69e19db9 01253900 00c04aac 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
14 00c04974 69e19db9 01253128 00c04be4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
15 00c04aac 69e19db9 01252950 00c04d1c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
16 00c04be4 69e19db9 01252178 00c04e54 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
17 00c04d1c 69e19db9 012519a0 00c04f8c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
18 00c04e54 69e19db9 012511c8 00c050c4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
19 00c04f8c 69e19db9 012509e8 00c051fc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1a 00c050c4 69e19db9 01250210 00c05334 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1b 00c051fc 69e19db9 0124fa38 00c0546c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1c 00c05334 69e19db9 0124f260 00c055a4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1d 00c0546c 69e19db9 0124ea88 00c056dc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1e 00c055a4 69e19db9 0124e2b0 00c05814 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
1f 00c056dc 69e19db9 0124dad8 00c0594c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
20 00c05814 69e19db9 0124d300 00c05a84 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109] 
0:000> u
cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]:
69df5589 53              push    ebx
69df558a 56              push    esi
69df558b 57              push    edi
69df558c 8dbde4fdffff    lea     edi,[ebp-21Ch]
69df5592 b987000000      mov     ecx,87h
69df5597 b8cccccccc      mov     eax,0CCCCCCCCh
69df559c f3ab            rep stos dword ptr es:[edi]
69df559e a1a0f0df69      mov     eax,dword ptr [cdt!__security_cookie (69dff0a0)]
0:000> .exr -1
ExceptionAddress: 69df5589 (cdt!dttree+0x00000009)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00c02f4c
FAULTING_SOURCE_FILE:  graphviz\cmd\tools\bcomps.c
FAILURE_SYMBOL_NAME:  bcomps.exe!main
FAILURE_BUCKET_ID:  STACK_OVERFLOW_c00000fd_bcomps.exe!main
0:000> g
(834.1350): Stack overflow - code c00000fd (!!! second chance !!!)
Registers:
eax=0125c1e0 ebx=00a69000 ecx=69df5580 edx=0125be58 esi=00c03180 edi=00c0324c
eip=69df5589 esp=00c02f50 ebp=00c0316c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
cdt!dttree+0x9:
69df5589 53              push    ebx

```

Edited Mar 20, 2019 by Loginsoft Security Research

Discussion
Designs

Stack buffer overflow in function agclose()

Linked issues