Bug 754947 - Heap-buffer overread in push mode, parser.c xmlParseTryOrFinish
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware: Other
OS: All
Priority: Normal
Severity: minor
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks: 760183
Reported: 2015-09-13 09:29 UTC by Wei Lei
Modified: 2016-03-31 20:51 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
Minimized crasher xml for git version. (29 bytes, text/xml)
2015-09-13 09:29 UTC, Wei Lei

Description Wei Lei 2015-09-13 09:29:38 UTC
Created attachment 311228 [details]
Minimized crasher xml for git version.

Hi,

The following out-of-bounds read in a heap buffer can be observed in an ASAN build of the latest git version of libxml2, in push mode:

$ ./xmllint --push min_9_28.xml

==30572== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e000ff at pc 0xb5e4f084 bp 0xbf96a3c8 sp 0xbf96a3bc
READ of size 1 at 0xb4e000ff thread T0
    #0 0xb5e4f083 in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:12217
    #1 0xb5e503f2 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12399
    #2 0x8051dc7 in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2284
    #3 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #4 0xb5c0da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #5 0x804ed51 in _start (/home/weilei/libxml2/.libs/lt-xmllint+0x804ed51)
0xb4e000ff is located 1 bytes to the left of 8194-byte region [0xb4e00100,0xb4e02102)
allocated by thread T0 here:
    #0 0xb6188854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0xb5f6fe79 in xmlBufCreateSize /home/weilei/libxml2/buf.c:172
    #2 0xb5e883c9 in xmlAllocParserInputBuffer__internal_alias /home/weilei/libxml2/xmlIO.c:2432
    #3 0xb5e369f0 in xmlCreatePushParserCtxt__internal_alias /home/weilei/libxml2/parser.c:12504
    #4 0x8051d8e in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2280
    #5 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #6 0xb5c0da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/weilei/libxml2/parser.c:12217 xmlParseTryOrFinish
Shadow bytes around the buggy address:

  0x369bfff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369c0000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369c0010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x369c0020:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

$ xxd -g 1 min_9_28.xml 
0000000: 3c 64 3e 3c 21 5b 43 44 41 54 41 5b 30 30 30 30  <d><![CDATA[0000
0000010: 30 30 30 30 30 30 30 30 30 ee 5d 5d 3e           000000000.]]>
Comment 1 Daniel Veillard 2015-09-18 07:09:58 UTC
Okay, found that one: another error in the parser itself. This is now fixed
in the git main branch:

  https://git.gnome.org/browse/libxml2/commit/?id=4a5d80aded1da94cd55294e7207109712201b75b

Thanks for the report!

Daniel
Comment 2 David Kilzer 2016-01-05 21:37:37 UTC
This fix caused the following regression in libxml2 v2.9.3:

REGRESSION (v2.9.3): XML push parser fails with bogus UTF-8 encoding error when multi-byte character in large CDATA section is split across buffer
<https://bugzilla.gnome.org/show_bug.cgi?id=760183>
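As an added example (not part of the bug report, the fix, or libxml2's own code), the script below rebuilds the 29-byte attachment from the xxd dump in the report, pinpoints the truncated UTF-8 sequence inside the CDATA section that the push parser tripped over, and then runs the chunk-boundary scenario from Comment 2 as a regression check: the same document must parse identically no matter where the chunk boundaries fall, including in the middle of a multi-byte character. No libxml2 bindings are assumed; Python's bundled expat is used as a stand-in push parser purely to show the shape of such a check, and the helper names, the sample payload and the chunk sizes are my own.

```python
import re
from xml.parsers import expat

# `xxd -g 1` dump of the 29-byte minimized crasher, copied from the report above.
CRASHER_XXD = """\
0000000: 3c 64 3e 3c 21 5b 43 44 41 54 41 5b 30 30 30 30  <d><![CDATA[0000
0000010: 30 30 30 30 30 30 30 30 30 ee 5d 5d 3e           000000000.]]>
"""

# offset, then one-byte hex groups; the ASCII column is deliberately not captured
# because it can itself look like hex ("0000").
HEX_FIELD = re.compile(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2}\s)+)")


def xxd_to_bytes(dump: str) -> bytes:
    """Rebuild the raw file from `xxd -g 1` output."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_FIELD.match(line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)


def truncated_utf8(data: bytes):
    """Locate multi-byte UTF-8 lead bytes that lack their continuation bytes.
    Returns a list of (offset, lead_byte, expected_sequence_length); a stray
    continuation byte or illegal lead byte is reported with length 0."""
    found = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            need = 1
        elif 0xC2 <= b <= 0xDF:
            need = 2
        elif 0xE0 <= b <= 0xEF:
            need = 3
        elif 0xF0 <= b <= 0xF4:
            need = 4
        else:
            found.append((i, b, 0))
            i += 1
            continue
        tail = data[i + 1:i + need]
        if len(tail) < need - 1 or any(not (0x80 <= c <= 0xBF) for c in tail):
            found.append((i, b, need))
            i += 1                      # resynchronise on the next byte
        else:
            i += need
    return found


def push_parse(data: bytes, chunk_size: int):
    """Drive expat's incremental (push-style) parser with chunk_size-byte slices,
    so that multi-byte characters can land on a chunk boundary.
    Returns (ok, character_data, error_message)."""
    parser = expat.ParserCreate()
    pieces = []
    parser.CharacterDataHandler = pieces.append
    try:
        for off in range(0, len(data), chunk_size):
            parser.Parse(data[off:off + chunk_size], False)
        parser.Parse(b"", True)         # signal end of input
    except expat.ExpatError as err:
        return False, "".join(pieces), str(err)
    return True, "".join(pieces), None


def boundary_regression_check(payload: str, max_chunk: int = 48) -> bool:
    """Regression check for the split-multi-byte-character case from Comment 2:
    a CDATA section holding `payload` must parse without error and yield the
    same text for every chunk size from 1 to max_chunk."""
    doc = ("<d><![CDATA[" + payload + "]]></d>").encode("utf-8")
    for size in range(1, max_chunk + 1):
        ok, text, _ = push_parse(doc, size)
        if not ok or text != payload:
            return False
    return True


if __name__ == "__main__":
    crasher = xxd_to_bytes(CRASHER_XXD)
    print(len(crasher), "bytes; truncated UTF-8 at", truncated_utf8(crasher))
    ok, _, err = push_parse(crasher, 4)
    print("crasher in push mode -> ok:", ok, "error:", err)
    # constructed payload: a 3-byte character buried in a large CDATA section
    big = "0" * 5000 + "\u20ac" + "0" * 5000
    print("chunk-boundary regression check passes:", boundary_regression_check(big))
```

The crasher is expected to be rejected cleanly (a well-formedness error, not a memory read outside the input buffer), while the large-CDATA payload must come back byte-for-byte identical at every chunk size; a parser that fails only for some sizes has a boundary-handling bug of the kind Comment 2 describes.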