graphviz issue #1517 (Closed)
Issue created Mar 26, 2019 by Loginsoft Security Research@Research-Loginsoft

Null pointer dereference in function agroot()

Description : Null pointer dereference in the graphml2gv binary of graphviz. The issue is triggered in cgraph\obj.c at function agroot() and can lead to denial of service.

Tested Environment : Windows 7/10 (32 bit/64 bit)

Command : graphml2gv.exe -g cooldude -o test.gv POC

POC : REPRODUCER

DEBUG :

0:000> kp
# ChildEBP RetAddr  
00 00b8a1f8 6e1ecce7 cgraph!agroot(void * obj = 0x00000000)+0x21 [graphviz\lib\cgraph\obj.c @ 171]
01 00b8a2f8 01151973 cgraph!agnode(struct Agraph_s * g = 0x00000000, char * name = 0x00c31775 "n2", int cflag = 0n1)+0x27 [graphviz\lib\cgraph\node.c @ 148] 
02 00b8a3d8 011542a1 graphml2gv!bind_node(char * name = 0x00c31775 "n2")+0x33 [graphviz\cmd\tools\graphml2gv.c @ 240] 
03 00b8a5b4 6e1b3eeb graphml2gv!startElementHandler(void * userData = 0x00c251a0, char * name = 0x00c31770 "node", char ** atts = 0x00c2fe18)+0x2a1 [graphviz\cmd\tools\graphml2gv.c @ 472] 
04 00b8a5f8 6e1c84af expat!XML_SetXmlDeclHandler+0x2bf3
05 00b8a60c 6e1b340e expat!XML_SetXmlDeclHandler+0x171b7
06 00b8a6a0 6e1b9b2e expat!XML_SetXmlDeclHandler+0x2116
07 00b8a6b8 6e1b2035 expat!XML_SetXmlDeclHandler+0x8836
08 00b8a6d8 6e1b1f4a expat!XML_SetXmlDeclHandler+0xd3d
09 00b8a6fc 01152870 expat!XML_SetXmlDeclHandler+0xc52
0a 00b8a714 0115122b graphml2gv!graphml_to_gv(char * gname = 0x008ca000 "", struct _iobuf * graphmlFile = 0x00000001, int * rv = 0xcccccccc)+0x160 [graphviz\cmd\tools\graphml2gv.c @ 623] 
0:000> u
cgraph!agroot+0x21 [graphviz\lib\cgraph\obj.c @ 171]:
6e1ee5b1 8b08            mov     ecx,dword ptr [eax]
6e1ee5b3 83e103          and     ecx,3
6e1ee5b6 898d3cffffff    mov     dword ptr [ebp-0C4h],ecx
6e1ee5bc 83bd3cffffff03  cmp     dword ptr [ebp-0C4h],3
6e1ee5c3 7728            ja      cgraph!agroot+0x5d (6e1ee5ed)
6e1ee5c5 8b953cffffff    mov     edx,dword ptr [ebp-0C4h]
6e1ee5cb ff249514e61e6e  jmp     dword ptr cgraph!agroot+0x84 (6e1ee614)[edx*4]
6e1ee5d2 8b4508          mov     eax,dword ptr [ebp+8]
0:000> g
(23a8.6cc): Access violation - code c0000005 (!!! second chance !!!)
Registers: 
eax=00000000 ebx=00c2fd01 ecx=00000000 edx=00c31775 esi=00b8a30c edi=00b8a1f8
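The trace shows agnode() entered with g = NULL from bind_node(), so agroot() reads the type tag (the first word of the object, masked with 3) from a null pointer, which is the access violation with eax = 0. The following C program is an added illustration, not code from graphviz or from the reporter: it models that call chain with assumed model_* names and a simplified object layout, and shows the guard that rejects a <node> bound while no <graph> is open. The element order it replays is constructed for the example and is not the attached reproducer.

```c
/* Added illustration, not graphviz's or the reporter's code: a minimal model
 * of startElementHandler -> bind_node -> agnode -> agroot with a NULL-graph
 * guard. All model_* names and the struct layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MODEL_AGRAPH = 0 };

/* Assumed object header: agroot() in the report reads the first word of the
   object and masks it with 3 to get the object type. */
typedef struct model_graph {
    unsigned objtype;            /* first word: object type tag */
    struct model_graph *root;    /* what agroot() returns for a graph */
    int nnodes;
} model_graph_t;

/* Model of agroot(): dereferences obj unconditionally, so obj == NULL is the
   access violation in the report. */
model_graph_t *model_agroot(void *obj)
{
    if ((*(unsigned *)obj & 3) == MODEL_AGRAPH)
        return ((model_graph_t *)obj)->root;
    return NULL;
}

/* Model of agnode(g, name, cflag): resolves the root through agroot() first,
   which is where a NULL g crashes. */
int model_agnode(model_graph_t *g, const char *name, int cflag)
{
    model_graph_t *root = model_agroot(g);
    (void)name;
    if (root && cflag)
        root->nnodes++;
    return root ? 0 : -1;
}

/* Parser state handed to Expat as userData: G is the graph currently open,
   NULL until a <graph> start tag has been seen. */
typedef struct {
    model_graph_t *G;
    int rejected;
} model_state_t;

/* Vulnerable shape of bind_node(): trusts G without checking it. */
int model_bind_node_unchecked(model_state_t *st, const char *name)
{
    return model_agnode(st->G, name, 1);
}

/* Hardened bind_node(): a node outside any graph is malformed input and is
   reported and counted instead of dereferenced. Returns -1 on rejection. */
int model_bind_node_checked(model_state_t *st, const char *name)
{
    if (st->G == NULL) {
        fprintf(stderr, "graphml2gv: <node id=\"%s\"> outside a <graph>, ignored\n", name);
        st->rejected++;
        return -1;
    }
    return model_agnode(st->G, name, 1);
}

/* Start-element handler in the shape Expat invokes it. */
void model_start_element(void *userData, const char *name, const char **atts)
{
    model_state_t *st = userData;
    const char *id = "";
    for (int i = 0; atts && atts[i]; i += 2)
        if (strcmp(atts[i], "id") == 0 && atts[i + 1])
            id = atts[i + 1];
    if (strcmp(name, "graph") == 0) {
        model_graph_t *g = calloc(1, sizeof *g);
        if (!g) { perror("calloc"); exit(1); }
        g->objtype = MODEL_AGRAPH;
        g->root = g;
        st->G = g;
    } else if (strcmp(name, "node") == 0) {
        model_bind_node_checked(st, id);
    }
}

/* Feeds one constructed start tag <name id="id"> to the handler. */
static void model_feed(model_state_t *st, const char *name, const char *id)
{
    const char *atts[] = { "id", id, NULL };
    model_start_element(st, name, atts);
}

/* Replays a constructed element order (not the attached reproducer). With
   node_first != 0 the <node> precedes any <graph>, the order that reaches
   bind_node() with G == NULL. Returns the number of rejected elements and,
   if nodes_bound is non-NULL, stores how many nodes were actually created. */
int model_run(int node_first, int *nodes_bound)
{
    model_state_t st = { NULL, 0 };
    if (node_first) { model_feed(&st, "node", "n2"); model_feed(&st, "graph", "G"); }
    else            { model_feed(&st, "graph", "G"); model_feed(&st, "node", "n2"); }
    if (nodes_bound)
        *nodes_bound = st.G ? st.G->nnodes : 0;
    free(st.G);
    return st.rejected;
}

int model_nodes_bound(int node_first)
{
    int n = 0;
    model_run(node_first, &n);
    return n;
}

int main(void)
{
    printf("node before graph: %d rejected, %d bound\n", model_run(1, NULL), model_nodes_bound(1));
    printf("graph then node:   %d rejected, %d bound\n", model_run(0, NULL), model_nodes_bound(0));
    return 0;
}
```

The check belongs in bind_node() (or at the top of the element handler) rather than in agroot(), because a node start tag before any graph is a document-structure error the converter can report; cgraph's agnode() contract assumes a valid graph, and the unchecked variant above reproduces the crashing shape only to show the difference.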
Edited Mar 27, 2019 by Loginsoft Security Research