Recently I got interested in an HTML parsing library called tidy, which apparently is also used in Apple products.
Sometimes, when developers don't usually run their stuff under ASan or Valgrind, you hit bugs just by running the binaries.
Which is exactly what happened. So I just reported the bug as a non-security one, to be able to run the lib with ASan.
Turns out that MITRE thinks there may be a possibility that this global buffer overflow (global-bof) can be reached from applications using this code as a library (libtidy).
I still have to check this, because I'm in Vegas for BH/DEF CON and cannot actually check it right now, but anyway, here's the ASan report, triggered in master and the latest stable, and the GitHub issue.
potential fix (to test)