Null pointer dereference in function agroot() (#1517) · Issues · graphviz / graphviz

Null pointer dereference in function agroot()

Description : Null pointer dereference in the graphml2gv binary of graphviz. The issues triggered in cgraph\obj.c at function agroot() can leads to denial of service.

Tested Environment : Windows 7/10 (32 bit/64 bit)

Command : graphml2gv.exe -g cooldude –o test.gv POC

POC : REPRODUCER

DEBUG :

0:000> kp
# ChildEBP RetAddr  
00 00b8a1f8 6e1ecce7 cgraph!agroot(void * obj = 0x00000000)+0x21 [graphviz\lib\cgraph\obj.c @ 171]
01 00b8a2f8 01151973 cgraph!agnode(struct Agraph_s * g = 0x00000000, char * name = 0x00c31775 "n2", int cflag = 0n1)+0x27 [graphviz\lib\cgraph\node.c @ 148] 
02 00b8a3d8 011542a1 graphml2gv!bind_node(char * name = 0x00c31775 "n2")+0x33 [graphviz\cmd\tools\graphml2gv.c @ 240] 
03 00b8a5b4 6e1b3eeb graphml2gv!startElementHandler(void * userData = 0x00c251a0, char * name = 0x00c31770 "node", char ** atts = 0x00c2fe18)+0x2a1 [graphviz\cmd\tools\graphml2gv.c @ 472] 
04 00b8a5f8 6e1c84af expat!XML_SetXmlDeclHandler+0x2bf3
05 00b8a60c 6e1b340e expat!XML_SetXmlDeclHandler+0x171b7
06 00b8a6a0 6e1b9b2e expat!XML_SetXmlDeclHandler+0x2116
07 00b8a6b8 6e1b2035 expat!XML_SetXmlDeclHandler+0x8836
08 00b8a6d8 6e1b1f4a expat!XML_SetXmlDeclHandler+0xd3d
09 00b8a6fc 01152870 expat!XML_SetXmlDeclHandler+0xc52
0a 00b8a714 0115122b graphml2gv!graphml_to_gv(char * gname = 0x008ca000 "", struct _iobuf * graphmlFile = 0x00000001, int * rv = 0xcccccccc)+0x160 [graphviz\cmd\tools\graphml2gv.c @ 623] 
0:000> u
cgraph!agroot+0x21 [graphviz\lib\cgraph\obj.c @ 171]:
6e1ee5b1 8b08            mov     ecx,dword ptr [eax]
6e1ee5b3 83e103          and     ecx,3
6e1ee5b6 898d3cffffff    mov     dword ptr [ebp-0C4h],ecx
6e1ee5bc 83bd3cffffff03  cmp     dword ptr [ebp-0C4h],3
6e1ee5c3 7728            ja      cgraph!agroot+0x5d (6e1ee5ed)
6e1ee5c5 8b953cffffff    mov     edx,dword ptr [ebp-0C4h]
6e1ee5cb ff249514e61e6e  jmp     dword ptr cgraph!agroot+0x84 (6e1ee614)[edx*4]
6e1ee5d2 8b4508          mov     eax,dword ptr [ebp+8]
0:000> g
(23a8.6cc): Access violation - code c0000005 (!!! second chance !!!)
Registers: 
eax=00000000 ebx=00c2fd01 ecx=00000000 edx=00c31775 esi=00b8a30c edi=00b8a1f8

**Description** : Null pointer dereference in the graphml2gv binary of graphviz. The issues triggered in cgraph\obj.c at function agroot() can leads to denial of service.

**Tested Environment** : Windows 7/10 (32 bit/64 bit)

**Command** : graphml2gv.exe -g cooldude –o test.gv POC

**POC** : [REPRODUCER](https://raw.githubusercontent.com/SegfaultMasters/covering360/master/Graphviz/NP)

**DEBUG** :

```
0:000> kp
# ChildEBP RetAddr  
00 00b8a1f8 6e1ecce7 cgraph!agroot(void * obj = 0x00000000)+0x21 [graphviz\lib\cgraph\obj.c @ 171]
01 00b8a2f8 01151973 cgraph!agnode(struct Agraph_s * g = 0x00000000, char * name = 0x00c31775 "n2", int cflag = 0n1)+0x27 [graphviz\lib\cgraph\node.c @ 148] 
02 00b8a3d8 011542a1 graphml2gv!bind_node(char * name = 0x00c31775 "n2")+0x33 [graphviz\cmd\tools\graphml2gv.c @ 240] 
03 00b8a5b4 6e1b3eeb graphml2gv!startElementHandler(void * userData = 0x00c251a0, char * name = 0x00c31770 "node", char ** atts = 0x00c2fe18)+0x2a1 [graphviz\cmd\tools\graphml2gv.c @ 472] 
04 00b8a5f8 6e1c84af expat!XML_SetXmlDeclHandler+0x2bf3
05 00b8a60c 6e1b340e expat!XML_SetXmlDeclHandler+0x171b7
06 00b8a6a0 6e1b9b2e expat!XML_SetXmlDeclHandler+0x2116
07 00b8a6b8 6e1b2035 expat!XML_SetXmlDeclHandler+0x8836
08 00b8a6d8 6e1b1f4a expat!XML_SetXmlDeclHandler+0xd3d
09 00b8a6fc 01152870 expat!XML_SetXmlDeclHandler+0xc52
0a 00b8a714 0115122b graphml2gv!graphml_to_gv(char * gname = 0x008ca000 "", struct _iobuf * graphmlFile = 0x00000001, int * rv = 0xcccccccc)+0x160 [graphviz\cmd\tools\graphml2gv.c @ 623] 
0:000> u
cgraph!agroot+0x21 [graphviz\lib\cgraph\obj.c @ 171]:
6e1ee5b1 8b08            mov     ecx,dword ptr [eax]
6e1ee5b3 83e103          and     ecx,3
6e1ee5b6 898d3cffffff    mov     dword ptr [ebp-0C4h],ecx
6e1ee5bc 83bd3cffffff03  cmp     dword ptr [ebp-0C4h],3
6e1ee5c3 7728            ja      cgraph!agroot+0x5d (6e1ee5ed)
6e1ee5c5 8b953cffffff    mov     edx,dword ptr [ebp-0C4h]
6e1ee5cb ff249514e61e6e  jmp     dword ptr cgraph!agroot+0x84 (6e1ee614)[edx*4]
6e1ee5d2 8b4508          mov     eax,dword ptr [ebp+8]
0:000> g
(23a8.6cc): Access violation - code c0000005 (!!! second chance !!!)
Registers: 
eax=00000000 ebx=00c2fd01 ecx=00000000 edx=00c31775 esi=00b8a30c edi=00b8a1f8
```

Edited Mar 27, 2019 by Loginsoft Security Research

Null pointer dereference in function agroot()

Linked issues