Bug 712803 - Out-of-bounds read on a corrupted XHTML file
Status: RESOLVED OBSOLETE
Product: libxml2
Classification: Platform
Component: general
Version: 2.7.8
Hardware/OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:

Reported: 2013-11-21 12:53 UTC by jutaky
Modified: 2021-07-05 13:24 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description jutaky 2013-11-21 12:53:17 UTC
Out-of-bounds read on a corrupted XHTML file.

Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_11510_28124.html

I'm not sure if this is a libxml2 bug or Gnumeric's.

==20881== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606200083aff at pc 0x7f58d0c3d540 bp 0x7fff1d254fa0 sp 0x7fff1d254f98
READ of size 1 at 0x606200083aff thread T0
    #0 0x7f58d0c3d53f in xmlDictComputeFastKey /libxml2/dict.c:448
    #1 0x7f58d0c3f8c0 in xmlDictLookup__internal_alias /libxml2/dict.c:848 (discriminator 1)
    #2 0x7f58d0a4f420 in htmlParseNameComplex /libxml2/HTMLparser.c:2517
    #3 0x7f58d0a4eb54 in htmlParseName /libxml2/HTMLparser.c:2483
    #4 0x7f58d0a59239 in htmlParseDocTypeDecl /libxml2/HTMLparser.c:3398
    #5 0x7f58d0a67644 in htmlParseTryOrFinish /libxml2/HTMLparser.c:5370
    #6 0x7f58d0a6c0ab in htmlParseChunk__internal_alias /libxml2/HTMLparser.c:6070
    #7 0x7f58b031387c in html_file_open /gnumeric/plugins/html/html_read.c:553
    #8 0x7f58d19fd00e in go_plugin_loader_module_func_file_open /goffice/goffice/app/go-plugin-loader-module.c:282
    #9 0x7f58d1a05f70 in go_plugin_file_opener_open /goffice/goffice/app/go-plugin-service.c:685 (discriminator 1)
    #10 0x7f58d1a128bf in go_file_opener_open /goffice/goffice/app/file.c:417
    #11 0x7f58d2b68684 in workbook_view_new_from_input /gnumeric/src/workbook-view.c:1281
    #12 0x7f58d2b68e73 in workbook_view_new_from_uri /gnumeric/src/workbook-view.c:1341
    #13 0x40a6e0 in main /gnumeric/src/main-application.c:322
    #14 0x7f58cd2f0bc4 in __libc_start_main ??:?
    #15 0x403de8 in _start ??:?
0x606200083aff is located 1 bytes to the left of 4096-byte region [0x606200083b00,0x606200084b00)

--
Juha Kylmänen
Research Assistant, OUSPG
Comment 1 Morten Welinder 2013-11-21 14:50:59 UTC
Can you please check if you see the same issue with

    xmllint --html gnumeric_case_11510_28124.html

in which case it isn't our fault.
Comment 2 jutaky 2013-11-21 15:02:26 UTC
Not a Gnumeric issue apparently. Using xmllint:

==18646== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60620000d8ff at pc 0x7fd44cbd1540 bp 0x7ffff23c2140 sp 0x7ffff23c2138
READ of size 1 at 0x60620000d8ff thread T0
    #0 0x7fd44cbd153f in xmlDictComputeFastKey /libxml2/dict.c:448
    #1 0x7fd44cbd38c0 in xmlDictLookup__internal_alias /libxml2/dict.c:848 (discriminator 1)
    #2 0x7fd44c9e3420 in htmlParseNameComplex /libxml2/HTMLparser.c:2517
    #3 0x7fd44c9e2b54 in htmlParseName /libxml2/HTMLparser.c:2483
    #4 0x7fd44c9ed239 in htmlParseDocTypeDecl /libxml2/HTMLparser.c:3398
    #5 0x7fd44c9f7ade in htmlParseDocument__internal_alias /libxml2/HTMLparser.c:4717
    #6 0x7fd44ca03006 in htmlDoRead /libxml2/HTMLparser.c:6703
    #7 0x7fd44ca031f8 in htmlReadFile__internal_alias /libxml2/HTMLparser.c:6761
    #8 0x40a82c in parseAndPrintFile /libxml2/xmllint.c:2245
    #9 0x411bc7 in main /libxml2/xmllint.c:3752
    #10 0x7fd44bba4bc4 in __libc_start_main ??:?
    #11 0x404908 in _start ??:?
0x60620000d8ff is located 1 bytes to the left of 4096-byte region [0x60620000d900,0x60620000e900)
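Both reports above say the same thing: a 1-byte read that lands immediately before the start of a 4096-byte heap region, with the name pointer handed to the dictionary hash by htmlParseNameComplex. The block below is an added illustration, not libxml2 code and not a claim about this bug's actual root cause: it shows how a cursor-based tokenizer that recovers a name's start as `cur - len` can pass a pointer that precedes the buffer base when the input window is shifted between scanning and lookup, and the sanity check that refuses the lookup before any byte is read. Every name in it (`fast_key`, `scan_name`, `lookup_name`, `simulate`, the 4096-byte region holding `"html "`) is a constructed assumption for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "fast" dictionary key that samples the first and last
 * bytes of a name. Assumption for this example, not libxml2's function. */
static unsigned long fast_key(const unsigned char *name, size_t namelen,
                              unsigned long seed)
{
    unsigned long value = seed;

    if (name == NULL || namelen == 0)
        return 0;
    value += name[0];
    value <<= 5;
    value += name[namelen - 1];   /* reads before the buffer if name < base */
    return value;
}

/* Minimal parser input window: base/cur pointers over one heap region. */
struct input {
    unsigned char *base;
    unsigned char *cur;
    size_t size;
};

/* Advance cur over an alphanumeric name and return its length. */
static size_t scan_name(struct input *in)
{
    size_t len = 0;

    while (in->cur < in->base + in->size && isalnum(*in->cur)) {
        in->cur++;
        len++;
    }
    return len;
}

/* Recover the name start as cur - len and compute its key.
 * On success *ok = 1 and the key is returned. If cur - len would lie
 * before base (the situation an ASan "bytes to the left of region"
 * report describes), *ok = 0 and no byte is read. */
static unsigned long lookup_name(const struct input *in, size_t len, int *ok)
{
    /* Sanity check: cur must be at least len bytes past base. */
    if ((size_t)(in->cur - in->base) < len) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return fast_key(in->cur - len, len, 0);
}

/* Drive the sequence: scan a name, optionally "shrink" the window (the
 * consumed prefix is discarded and cur moves back toward base, as a
 * buffer-management step between scanning and lookup might do), then
 * look the name up. Input is constructed here: a 4096-byte region
 * holding "html " followed by zero bytes. */
static unsigned long simulate(int shrink_between, int *ok)
{
    static unsigned char region[4096];
    struct input in;
    size_t len;

    memset(region, 0, sizeof region);
    memcpy(region, "html ", 5);
    in.base = region;
    in.cur = region;
    in.size = sizeof region;

    len = scan_name(&in);                 /* len == 4, cur == base + 4 */
    if (shrink_between) {
        /* Keep only one consumed byte: cur becomes base + 1, so
         * cur - len would point 3 bytes before base. */
        size_t keep = 1;
        size_t consumed = (size_t)(in.cur - region) - keep;
        memmove(region, region + consumed, in.size - consumed);
        in.cur = region + keep;
    }
    return lookup_name(&in, len, ok);
}

/* Small wrappers so each outcome is a plain return value. */
static int simulate_ok(int shrink_between)
{
    int ok;
    (void)simulate(shrink_between, &ok);
    return ok;
}

static unsigned long simulate_key(int shrink_between)
{
    int ok;
    return simulate(shrink_between, &ok);
}

int main(void)
{
    printf("no shrink:   ok=%d key=%lu\n", simulate_ok(0), simulate_key(0));
    printf("with shrink: ok=%d key=%lu\n", simulate_ok(1), simulate_key(1));
    return 0;
}
```

Without the check, the shrunk case would read `region[-3]` inside `fast_key`, which is exactly the kind of access AddressSanitizer reports as "N bytes to the left of" the region; with it, the lookup fails closed and the caller can raise a parse error instead of hashing memory it does not own.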
Comment 3 Morten Welinder 2013-11-21 15:25:09 UTC
Tossing to libxml2
Comment 4 Gaurav 2014-01-22 02:22:19 UTC
Can you share the example code?
I cannot see: http://jutaky.com/fuzzing/gnumeric_case_11510_28124.html
Comment 5 Gaurav 2014-01-22 02:29:22 UTC
  • #0 xmlDictComputeFastKey /libxml2/dict.c:448
  • #1 xmlDictLookup__internal_alias /libxml2/dict.c:848

And I checked version 2.7.8:

=======================================
 440 xmlDictPtr
 441 xmlDictCreate(void) {
 442     xmlDictPtr dict;
 443
 444     if (!xmlDictInitialized)
 445         if (!xmlInitializeDict())
 446             return(NULL);
 447
 448 #ifdef DICT_DEBUG_PATTERNS
 449     fprintf(stderr, "C");
 450 #endif
=======================================
 841     /* Note that entry may have been freed at this point by xmlDictGrow */
 842
 843     return(ret);
 844 }
 845
 846 /**
 847  * xmlDictExists:
 848  * @dict: the dictionnary
 849  * @name: the name of the userdata
 850  * @len: the length of the name, if -1 it is recomputed
========================================
Are you using some other version, or have you done some changes at your end?
Comment 6 GNOME Infrastructure Team 2021-07-05 13:24:28 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/

Thank you for your understanding and your help.