Null pointer dereference in function agroot()
Description : Null pointer dereference in the graphml2gv binary of graphviz. The issue is triggered in cgraph\obj.c in function agroot() and can lead to denial of service.
Tested Environment : Windows 7/10 (32 bit/64 bit)
Command : graphml2gv.exe -g cooldude -o test.gv POC
POC : REPRODUCER
DEBUG :
0:000> kp
# ChildEBP RetAddr
00 00b8a1f8 6e1ecce7 cgraph!agroot(void * obj = 0x00000000)+0x21 [graphviz\lib\cgraph\obj.c @ 171]
01 00b8a2f8 01151973 cgraph!agnode(struct Agraph_s * g = 0x00000000, char * name = 0x00c31775 "n2", int cflag = 0n1)+0x27 [graphviz\lib\cgraph\node.c @ 148]
02 00b8a3d8 011542a1 graphml2gv!bind_node(char * name = 0x00c31775 "n2")+0x33 [graphviz\cmd\tools\graphml2gv.c @ 240]
03 00b8a5b4 6e1b3eeb graphml2gv!startElementHandler(void * userData = 0x00c251a0, char * name = 0x00c31770 "node", char ** atts = 0x00c2fe18)+0x2a1 [graphviz\cmd\tools\graphml2gv.c @ 472]
04 00b8a5f8 6e1c84af expat!XML_SetXmlDeclHandler+0x2bf3
05 00b8a60c 6e1b340e expat!XML_SetXmlDeclHandler+0x171b7
06 00b8a6a0 6e1b9b2e expat!XML_SetXmlDeclHandler+0x2116
07 00b8a6b8 6e1b2035 expat!XML_SetXmlDeclHandler+0x8836
08 00b8a6d8 6e1b1f4a expat!XML_SetXmlDeclHandler+0xd3d
09 00b8a6fc 01152870 expat!XML_SetXmlDeclHandler+0xc52
0a 00b8a714 0115122b graphml2gv!graphml_to_gv(char * gname = 0x008ca000 "", struct _iobuf * graphmlFile = 0x00000001, int * rv = 0xcccccccc)+0x160 [graphviz\cmd\tools\graphml2gv.c @ 623]
0:000> u
cgraph!agroot+0x21 [graphviz\lib\cgraph\obj.c @ 171]:
6e1ee5b1 8b08 mov ecx,dword ptr [eax]
6e1ee5b3 83e103 and ecx,3
6e1ee5b6 898d3cffffff mov dword ptr [ebp-0C4h],ecx
6e1ee5bc 83bd3cffffff03 cmp dword ptr [ebp-0C4h],3
6e1ee5c3 7728 ja cgraph!agroot+0x5d (6e1ee5ed)
6e1ee5c5 8b953cffffff mov edx,dword ptr [ebp-0C4h]
6e1ee5cb ff249514e61e6e jmp dword ptr cgraph!agroot+0x84 (6e1ee614)[edx*4]
6e1ee5d2 8b4508 mov eax,dword ptr [ebp+8]
0:000> g
(23a8.6cc): Access violation - code c0000005 (!!! second chance !!!)
Registers:
eax=00000000 ebx=00c2fd01 ecx=00000000 edx=00c31775 esi=00b8a30c edi=00b8a1f8
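The trace above shows agnode() being called with g = NULL while the expat start-element handler processes a "node" element, so agroot(NULL) dereferences a null pointer. The following is an added example, not graphviz's own code: a minimal expat-driven GraphML handler in Python that keeps the same "current graph" state and refuses to bind a node when no graph is open, with constructed inputs (the advisory's POC is not reproduced here). That a node outside any graph is the trigger is an assumption drawn from the stack trace.

```python
import xml.parsers.expat

# Constructed GraphML inputs (not the advisory's POC). In BAD_GRAPHML a
# <node> appears before any <graph> has been opened, so there is no
# graph to bind it to; GOOD_GRAPHML is a well-formed minimal document.
BAD_GRAPHML = b"""<?xml version="1.0"?>
<graphml><node id="n2"/></graphml>"""

GOOD_GRAPHML = b"""<?xml version="1.0"?>
<graphml><graph id="G" edgedefault="directed">
<node id="n1"/><node id="n2"/></graph></graphml>"""


class GraphMLError(Exception):
    """Raised when the document is structurally invalid for binding."""


class SafeGraphMLHandler:
    """Hypothetical handler mirroring the current-graph state that an
    expat-driven converter keeps; assumed structure, not graphviz code."""

    def __init__(self):
        self.graph_stack = []  # open <graph> ids, innermost last
        self.nodes = []        # (graph id, node id) bindings that succeeded

    def start(self, name, attrs):
        if name == "graph":
            self.graph_stack.append(attrs.get("id", "anonymous"))
        elif name == "node":
            # The missing check: with no open graph the converter would hand
            # a NULL graph pointer to agnode(), which agroot() dereferences.
            # Fail the parse cleanly instead.
            if not self.graph_stack:
                raise GraphMLError("<node id=%r> outside of any <graph>"
                                   % attrs.get("id"))
            self.nodes.append((self.graph_stack[-1], attrs.get("id")))

    def end(self, name):
        if name == "graph" and self.graph_stack:
            self.graph_stack.pop()


def check_graphml(data):
    """Parse bytes with expat; return (nodes, None) or ([], error message)."""
    handler = SafeGraphMLHandler()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = handler.start
    parser.EndElementHandler = handler.end
    try:
        parser.Parse(data, True)
    except GraphMLError as exc:
        return [], str(exc)
    return handler.nodes, None
```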
Edited by Loginsoft Security Research