Security Issue: Use of Uninitialized Memory in tidy-html5
Summary
While fuzzing tidy_fuzzer, Valgrind reports a conditional branch depending on uninitialized data inside strlen(). This indicates a use of uninitialized memory (CWE-457). The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC.
Details
Environment:
- Tooling: valgrind --tool=memcheck --track-origins=yes
- Target: tidy_fuzzer
- OS: Ubuntu 20.04.6 LTS focal x86_64
- tidy-html5 version and Git-commit hash: tidy-html5 5.9.20 | commit d08ddc2860aa95ba8e301343a30837f157977cba (HEAD -> next, origin/next, origin/HEAD)
Function: strlen()
Possible root cause (based on observed symptoms):
- Valgrind: “Uninitialised value was created by a stack allocation at prvTidystrrep,” and the first consumers are strlen()/strcat() called from inside prvTidystrrep.
- Call chains include both tidyMessageCreateInitV → ...CreateWithNode/...Create → formatStandard/formatStandardDynamic → vReport and also the main diagnostics path.
- A local stack buffer used as a C-string is never initialized before the first strlen/strcat, or a temporary string built by incremental concatenation loses its NUL terminator along some branch, so a later strlen() walks uninitialized bytes, or one of the local replacement pointers is conditionally assigned and read via strlen() on the uninitialized branch.
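The defect shape described above, as an added illustration that is not tidy-html5 code: a replace-all routine that hands an uninitialized stack buffer to the strcat family (strrep_buggy, shown for contrast only and never called), beside a hardened form that initializes the destination, tracks its length explicitly and terminates on every path (strrep_safe). All function names, buffer sizes and inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not tidy-html5 code. strrep_buggy() reproduces the
 * CWE-457 pattern the report describes and exists for contrast only; it
 * must not be called. strrep_safe() is the hardened form exercised below. */

/* Defect pattern (hypothetical): out[] is never initialized, the strcat
 * family rediscovers the end of out[] with an internal strlen(), and the
 * no-match branch returns without ever writing a NUL. Either way the next
 * strlen(out) in the caller walks stack garbage, which is exactly the
 * "conditional jump depends on uninitialised value" Valgrind reports. */
void strrep_buggy(char out[256], const char *in, const char *pat, const char *rep)
{
    const char *hit = strstr(in, pat);
    if (hit == NULL)
        return;                               /* BUG: out[] left uninitialized */
    strncat(out, in, (size_t)(hit - in));     /* BUG: reads out[] before writing it */
    strcat(out, rep);
    strcat(out, hit + strlen(pat));
}

/* Hardened version. Returns the output length, or -1 if the result would
 * not fit in out_size bytes; out[] is a valid (possibly empty) C-string on
 * every return. */
long strrep_safe(char *out, size_t out_size, const char *in, const char *pat, const char *rep)
{
    size_t used = 0, patlen = strlen(pat), replen = strlen(rep);
    const char *p = in;

    if (out_size == 0)
        return -1;
    out[0] = '\0';                            /* fix 1: never leave out[] uninitialized */
    if (patlen == 0) {                        /* empty pattern: plain bounded copy */
        size_t n = strlen(in);
        if (n >= out_size)
            return -1;
        memcpy(out, in, n + 1);
        return (long)n;
    }
    for (;;) {
        const char *hit = strstr(p, pat);
        size_t chunk = hit ? (size_t)(hit - p) : strlen(p);
        /* fix 2: explicit bound with room for the terminator, instead of
         * letting strcat() rediscover the length and run past the end */
        if (chunk >= out_size - used) { out[0] = '\0'; return -1; }
        memcpy(out + used, p, chunk);
        used += chunk;
        if (hit == NULL)
            break;
        if (replen >= out_size - used) { out[0] = '\0'; return -1; }
        memcpy(out + used, rep, replen);
        used += replen;
        p = hit + patlen;
    }
    out[used] = '\0';                         /* fix 3: terminate on every path */
    return (long)used;
}

/* Helper for stand-alone runs and tests: applies strrep_safe() with a
 * capacity of `cap` bytes into a poisoned buffer (so a missing NUL would
 * be visible) and returns 1 when the output equals `expect`. An `expect`
 * of "" together with a -1 return covers the overflow case. */
int strrep_check(const char *in, const char *pat, const char *rep, size_t cap, const char *expect)
{
    char buf[128];
    if (cap > sizeof buf)
        return 0;
    memset(buf, 0xA5, sizeof buf);
    buf[sizeof buf - 1] = '\0';
    long n = strrep_safe(buf, cap, in, pat, rep);
    if (n < 0)
        return expect[0] == '\0' && buf[0] == '\0';
    return (size_t)n == strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[64];
    long n = strrep_safe(buf, sizeof buf, "a<b>c", "<", "&lt;");   /* constructed input */
    printf("%ld \"%s\"\n", n, buf);
    return n < 0;
}
```

The no-match case is the one worth keeping in mind when reviewing a routine like prvTidystrrep: it is the branch where a "nothing to do" early return silently skips the only write that would have terminated the buffer.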
Valgrind Trace (top frames):
```
==463== Conditional jump or move depends on uninitialised value(s)
==463== at 0x483EF49: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==463== by 0x2B07E7: prvTidystrrep (in /out/tidy_fuzzer)
==463== by 0x260273: tidyMessageCreateInitV (in /out/tidy_fuzzer)
==463== by 0x2609D4: prvTidytidyMessageCreateWithNode (in /out/tidy_fuzzer)
==463== by 0x2A5EAD: formatStandard (in /out/tidy_fuzzer)
==463== by 0x2A3859: vReport (in /out/tidy_fuzzer)
==463== by 0x2A375F: prvTidyReport (in /out/tidy_fuzzer)
==463== by 0x26FB95: prvTidyParseHead (in /out/tidy_fuzzer)
==463== by 0x2696FF: ParseHTMLWithNode (in /out/tidy_fuzzer)
==463== by 0x27977C: prvTidyParseDocument (in /out/tidy_fuzzer)
==463== by 0x25D210: prvTidyDocParseStream (in /out/tidy_fuzzer)
==463== by 0x25B5C0: tidyParseBuffer (in /out/tidy_fuzzer)
==463== Uninitialised value was created by a stack allocation at 0x2B079D: prvTidystrrep (in /out/tidy_fuzzer)
```
PoC
In the attached archive, you will find:
- The executable used for our tests.
- The testcase used to trigger the bug.
To observe the bug, simply run the OSS-Fuzz helper script:
```sh
git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz
python3 infra/helper.py build_image tidy-html5
python3 infra/helper.py build_fuzzers --sanitizer=none tidy-html5
python3 infra/helper.py shell tidy-html5
apt update && apt install -y valgrind
ulimit -n 65535
valgrind --tool=memcheck --track-origins=yes /out/tidy_fuzzer /path/to/poc
```
Impact
- Undefined Behavior
- Potential crash
- Denial of Service
Credit: Aldo Ristori