HTACG Tidy-HTML5 Null Pointer Dereference Vulnerability in Version 5.8.0
Vulnerability
A null pointer dereference vulnerability has been identified in HTACG Tidy-HTML5 version 5.8.0. This issue arises in the 'InsertNodeAsParent' function within 'src/parser.c', where improper handling of input leads to a segmentation fault. The vulnerability requires local access to exploit, and its exploitation can cause a denial-of-service condition by crashing the application.
Impact
Exploitation of this vulnerability leads to a segmentation fault caused by a null pointer dereference, disrupting the application's normal operation and causing a crash.
Reproduction
The vulnerability can be reproduced using a fuzzing harness that is part of the OSS-Fuzz project. After compiling Tidy-HTML5 with AddressSanitizer enabled, the fuzzer can be run with a specially crafted input file that triggers the null pointer dereference. This process involves setting up the build environment, compiling the application with debugging information and sanitizers, and then using the fuzzer to test the application.
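The triage workflow described above, as an added example that is not part of the advisory or the tidy-html5 project's own code: it builds tidy with AddressSanitizer, runs it on a suspected crash file, and classifies the report. It assumes `TIDY_SRC` points at a tidy-html5 checkout, that `CRASH_INPUT` is the crafted file (a placeholder, since the advisory does not include it), and the sample ASan log at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example: ASan build + crash-report triage for a null-pointer dereference.
# Assumptions: TIDY_SRC is a tidy-html5 source checkout; CRASH_INPUT is a placeholder.
set -u
TIDY_SRC="${TIDY_SRC:-./tidy-html5}"
CRASH_INPUT="${CRASH_INPUT:-./crash-input.html}"

# Debug info plus ASan so the report names the crashing function and source line.
asan_cflags() {
    printf '%s' '-g -O1 -fno-omit-frame-pointer -fsanitize=address'
}

# Configure and build tidy-html5 (a CMake project) with the sanitizer flags.
build_tidy_asan() {
    cmake -S "$TIDY_SRC" -B "$TIDY_SRC/build-asan" -DCMAKE_BUILD_TYPE=Debug \
        -DCMAKE_C_FLAGS="$(asan_cflags)" -DCMAKE_EXE_LINKER_FLAGS='-fsanitize=address' \
        >/dev/null && cmake --build "$TIDY_SRC/build-asan" >/dev/null
}

# Run the instrumented binary on the input; ASan writes its report to stderr ($1).
run_tidy_on_input() {
    "$TIDY_SRC/build-asan/tidy" -q -o /dev/null "$CRASH_INPUT" 2>"$1" || true
}

# Classify a report file: a SEGV on the zero page is a null-pointer dereference.
classify_asan_report() {
    if grep -q 'AddressSanitizer: SEGV' "$1" && grep -q 'address points to the zero page' "$1"; then
        echo null-deref
    elif grep -q 'AddressSanitizer:' "$1"; then
        echo other-asan
    else
        echo no-report
    fi
}

# Innermost frame of the report, to compare against the function named in the advisory.
crashing_function() {
    grep '^ *#0 ' "$1" | head -n 1 | sed 's/.* in \([A-Za-z_][A-Za-z0-9_]*\).*/\1/'
}

# Constructed sample report (not a real run) showing what a null-deref triage looks like.
write_sample_report() {
    printf '%s\n' \
        '==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x1 bp 0x2 sp 0x3 T0)' \
        '==1==The signal is caused by a READ memory access.' \
        '==1==Hint: address points to the zero page.' \
        '    #0 0x55aa in prvTidyInsertNodeAsParent /src/tidy-html5/src/parser.c:1:1' >"$1"
}
```

On a real run, call `build_tidy_asan`, then `run_tidy_on_input report.txt` and `classify_asan_report report.txt`; the frame from `crashing_function` should name InsertNodeAsParent (symbolised with tidy's `prvTidy` prefix) for this advisory.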