
[heap-buffer-overflow](lou_checkyaml): Index `kk` out of bounds when accessing array `input->chars` in `doPassSearch` about liblouis HOT 4 OPEN

benehalo avatar benehalo commented on June 12, 2024
[heap-buffer-overflow](lou_checkyaml): Index `kk` out of bounds when accessing array `input->chars` in `doPassSearch`

from liblouis.

Comments (4)

jriyyya avatar jriyyya commented on June 12, 2024 2

Hi @egli @benehalo, I was actually working on a project for creating and editing Liblouis tables. Currently I am at the stage of understanding the project Liblouis and its functioning.

Solving issues is always a good start for getting a deeper understanding so I would like to work on this issue.

I have set up the project and was referring to the HACKING documentation, where I saw detecting memory leaks through valgrind, but when I tried checking the memory leaks and errors in ./liblouis/lou_translateString.c, I got "permission denied" as the output. After giving the permission through the chmod a+x ./file command, I further got this as the output.

./liblouis/lou_translateString.c: 1: /bin: Permission denied
./liblouis/lou_translateString.c: 3: Syntax error: "(" unexpected

Also, I didn't get what is to be done with the zip file. Can you help me reproduce this issue?


benehalo avatar benehalo commented on June 12, 2024 1

Hi @jriyyya , here are some tips about this issue

> I have set up the project and was referring to the HACKING documentation, where I saw detecting memory leaks through valgrind, but when I tried checking the memory leaks and errors in ./liblouis/lou_translateString.c

I've confirmed that the issue can indeed be replicated using valgrind. However, valgrind tends to produce a lot of unrelated information, which can be confusing. For a more focused approach to reproducing this issue, I recommend using AddressSanitizer (ASAN).

ASAN is a memory error detector for C/C++ that can help identify various memory-related issues more clearly. It's part of the LLVM project and can be easily integrated into most build systems. For more information and how to use ASAN, you can refer to LLVM's AddressSanitizer documentation.


> Also, I didn't get what is to be done with the zip file. Can you help me reproduce this issue?

As referred on the beginning of this issue, you should build the project with ASAN

# Any directory you want to store the compiled artifacts
cd $BUILD
# -fsanitize=address -g is the key compile option to activate address sanitizer
export FLAGS='-DFORTIFY_SOURCE -fstack-protector-all -fsanitize=address -g'
# $PROJ is the directory of the project of liblouis
CC=clang CXX=clang++ CFLAGS=$FLAGS  CXXFLAGS=$FLAGS $PROJ/configure --disable-shared --with-yaml
make -j

If you do not have clang/llvm toolchains in your development environment, the gcc/GNU toolchains are probably also OK, as they provide another implementation of ASAN (just replace CC=clang CXX=clang++ with CC=gcc CXX=g++).

After building the project with ASAN, you need to download the zip file attached in the issue and unzip it

wget https://github.com/liblouis/liblouis/files/14617322/kk-out-of-range.zip -O poc.zip 
unzip poc.zip

If all goes well, you will see a directory named kk-out-of-range, which contains the PoC file (namely "heap-buffer-overflow-0" ) to trigger the bug.

Eventually, you can run this command to trigger the bug directly (if all goes well)

# poc is the path of PoC file you just get
$BUILD/tools/lou_checkyaml [poc]

In addition, with the specific breakpoint settings, you can also reproduce this issue manually by using gdb (as shown in the "GDB says" section of this issue). GDB debugging requires more labor than ASAN, but it provides complete context for each step of debugging, allowing you to gain a deeper understanding of this bug and even this project.


Hope this helps you in reproducing the issue and understanding the project!

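The reproduction steps above need the liblouis tree and the attached PoC. As an added stand-alone illustration (not liblouis code, and not the actual `doPassSearch` logic), the following C program models the bug class named in the issue title: a cursor index `kk` that is trusted when indexing a heap buffer `input->chars`, next to the bounds-checked form that stops at the end of the buffer. The struct layout, `widechar` width and function names are assumptions made for the example. Building it with `clang -fsanitize=address -g` and calling the unchecked reader with `kk == length` produces the same kind of "heap-buffer-overflow READ" report that ASAN prints for the real PoC.

```c
/* Added example, not liblouis code: a minimal model of an index kk running
 * past the end of a heap buffer input->chars, beside the bounds-checked form.
 * Struct, typedef and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned short widechar;  /* assumption: 16-bit characters */

typedef struct {
    widechar *chars;  /* heap-allocated buffer holding `length` characters */
    int length;
} InString;

/* Builds a heap-allocated InString from an ASCII string (constructed sample data). */
static InString *make_input(const char *ascii) {
    size_t n = strlen(ascii);
    InString *in = malloc(sizeof *in);
    in->chars = malloc(n * sizeof(widechar));
    for (size_t i = 0; i < n; i++) in->chars[i] = (widechar)ascii[i];
    in->length = (int)n;
    return in;
}

static void free_input(InString *in) {
    free(in->chars);
    free(in);
}

/* Unchecked pattern: trusts kk completely. With kk == in->length this reads
 * one element past the allocation; under -fsanitize=address that access is
 * reported as a heap-buffer-overflow READ of sizeof(widechar) bytes. */
static widechar char_at_unchecked(const InString *in, int kk) {
    return in->chars[kk];
}

/* Bounds-checked pattern: stores the character and returns 1 only when kk is
 * a valid index into in->chars; returns 0 otherwise so the caller can stop. */
static int char_at_checked(const InString *in, int kk, widechar *out) {
    if (kk < 0 || kk >= in->length) return 0;
    *out = in->chars[kk];
    return 1;
}

/* Advances a cursor from `start` looking for `target`, the way a pass search
 * walks forward through the input, but stops at the end instead of running
 * past it. Returns the index of the match, or -1 if there is none. */
static int find_forward(const InString *in, int start, widechar target) {
    widechar c;
    for (int kk = start; char_at_checked(in, kk, &c); kk++)
        if (c == target) return kk;
    return -1;
}

int main(void) {
    InString *in = make_input("abc");  /* constructed input */
    widechar c = 0;
    /* One past the end: the checked reader refuses, the unchecked one would not. */
    printf("kk=%d in range: %d\n", in->length, char_at_checked(in, in->length, &c));
    printf("'c' found at index %d\n", find_forward(in, 0, 'c'));
    printf("search past the end returns %d\n", find_forward(in, in->length, 'a'));
    free_input(in);
    return 0;
}
```

When triaging a report like the one in this issue, the useful question is which caller lets `kk` reach `length` (or beyond) without a check like the one in `char_at_checked`; ASAN's stack trace points at the read, and the fix usually belongs one frame up, where the cursor is advanced.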

egli avatar egli commented on June 12, 2024

Hi @jriyyya, I do not think you need valgrind to reproduce the bug in this issue. You can use valgrind to find memory problems.

But to reproduce the bug at hand all you need to do is to follow the steps outlined above. Compile liblouis exactly as mentioned and then run lou_checkyaml with the attached input.

However, to get started with creating liblouis tables, I think it would IMHO be easier to look at existing tables and test your table using lou_translate or even lou_trace.


jriyyya avatar jriyyya commented on June 12, 2024

Thanks @egli for the suggestion. While looking at the existing tables, I noticed there was a typo in the Devanagari.cti and have opened a PR for correcting it.

I will try reproducing this bug after exploring more.

PR link

