GNOME Bugzilla – Bug 680920
Read previously free'd memory when using func:result
Last modified: 2012-09-04 06:58:01 UTC
Created attachment 219998
Minimized test case

The attached test case will crash libxslt 1.1.26 if extensions are available. The offending function is the following:

<func:function name="func:uaf">
  <xsl:text/>
  <func:result/>
</func:function>

Valgrind output log:

==2600== Invalid read of size 4
==2600==    at 0x40FE2A4: exsltFuncFunctionFunction (functions.c:316)
==2600==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==2600==    by 0x418C681: xmlXPathCompOpEval (xpath.c:13862)
==2600==    by 0x418EE11: xmlXPathRunEval (xpath.c:14432)
==2600==    by 0x418F438: xmlXPathCompiledEvalInternal (xpath.c:14792)
==2600==    by 0x418F655: xmlXPathCompiledEval (xpath.c:14855)
==2600==    by 0x40E90F1: xsltValueOf (transform.c:4418)
==2600==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==2600==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==2600==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==2600==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==2600==    by 0x8049E11: xsltProcess (xsltproc.c:404)
==2600==  Address 0x43e43dc is 28 bytes inside a block of size 60 free'd
==2600==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==2600==    by 0x415261C: xmlFreeNode (tree.c:3716)
==2600==    by 0x40C8400: xsltParseTemplateContent (xslt.c:4846)
==2600==    by 0x40FDDA4: exsltFuncFunctionComp (functions.c:503)
==2600==    by 0x40C9875: xsltParseStylesheetTop (xslt.c:6109)
==2600==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==2600==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==2600==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==2600==    by 0x804A7F3: main (xsltproc.c:830)
==2600==
==2600== Invalid read of size 4
==2600==    at 0x40E5F2F: xsltApplySequenceConstructor (transform.c:2564)
==2600==    by 0x40FE624: exsltFuncFunctionFunction (functions.c:408)
==2600==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==2600==    by 0x418C681: xmlXPathCompOpEval (xpath.c:13862)
==2600==    by 0x418EE11: xmlXPathRunEval (xpath.c:14432)
==2600==    by 0x418F438: xmlXPathCompiledEvalInternal (xpath.c:14792)
==2600==    by 0x418F655: xmlXPathCompiledEval (xpath.c:14855)
==2600==    by 0x40E90F1: xsltValueOf (transform.c:4418)
==2600==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==2600==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==2600==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==2600==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==2600==  Address 0x43e43e4 is 36 bytes inside a block of size 60 free'd
==2600==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==2600==    by 0x415261C: xmlFreeNode (tree.c:3716)
==2600==    by 0x40C8400: xsltParseTemplateContent (xslt.c:4846)
==2600==    by 0x40FDDA4: exsltFuncFunctionComp (functions.c:503)
==2600==    by 0x40C9875: xsltParseStylesheetTop (xslt.c:6109)
==2600==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==2600==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==2600==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==2600==    by 0x804A7F3: main (xsltproc.c:830)
==2600==
[...]
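A small triage helper, added here as an example (it is not part of the report, of the attached patches, or of libxslt): it parses memcheck output of the shape quoted above, keeps only invalid accesses whose address lies inside a freed block, and pairs the faulting frame with the caller of free(), which is what tells you this is a use-after-free rather than an overflow. The sample log is a constructed, abridged copy of the first error in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first memcheck error from the report, abridged to a few frames.
SAMPLE_LOG = """\
==2600== Invalid read of size 4
==2600==    at 0x40FE2A4: exsltFuncFunctionFunction (functions.c:316)
==2600==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==2600==  Address 0x43e43dc is 28 bytes inside a block of size 60 free'd
==2600==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==2600==    by 0x415261C: xmlFreeNode (tree.c:3716)
==2600==    by 0x40C8400: xsltParseTemplateContent (xslt.c:4846)
==2600==
"""

ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
FREED_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")

@dataclass
class UseAfterFree:
    kind: str            # e.g. "Invalid read of size 4"
    access_frames: list  # "func (file:line)" strings of the faulting access, innermost first
    free_frames: list    # stack that freed the block, innermost first (free() itself is [0])
    offset: int          # byte offset of the access inside the freed block
    block_size: int      # size of the freed block

def parse_uaf(log: str) -> list:
    """Return one UseAfterFree per memcheck error whose address lies in a freed block."""
    results = []
    for block in re.split(r"^==\d+==[ \t]*$", log, flags=re.M):  # errors end with a bare ==PID== line
        lines = block.strip().splitlines()
        m = ERROR_RE.match(lines[0]) if lines else None
        if not m:
            continue  # preamble, or an error class that is not an invalid access
        access, freed_by, freed = [], [], None
        for line in lines[1:]:
            if fm := FREED_RE.match(line):
                freed = (int(fm.group(1)), int(fm.group(2)))
            elif f := FRAME_RE.match(line):  # frames before the Address line describe the access
                (freed_by if freed else access).append(f"{f.group(1)} ({f.group(2)})")
        if freed:  # invalid reads past a live block ("alloc'd") are overflows, not UAFs; skip them
            results.append(UseAfterFree(m.group(1), access, freed_by, *freed))
    return results

def summarize(u: UseAfterFree) -> str:
    """One-line triage summary: faulting frame, who called free(), and the offset into the block."""
    freer = u.free_frames[1] if len(u.free_frames) > 1 else u.free_frames[0]
    return f"{u.kind} at {u.access_frames[0]}: {u.offset} bytes into a {u.block_size}-byte block freed by {freer}"
```

Run `summarize(u)` over `parse_uaf(open("valgrind.log").read())` to list each use-after-free with its read site and free site; memcheck errors of other classes are dropped.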
Proposed fix: https://github.com/nwellnhof/libxslt/commit/138d9427336261cc0e3d1d8047879e65f5b8c48a
The proposed fix will indeed resolve the given test case. But it seems that there are more bugs around func:result. The latest version of libxslt (including fix 138d9427336261cc0e3d1d8047879e65f5b8c48a) will crash when processing the following function:

<func:function name="func:uaf">
  <func:result/>
  <func:result/>
</func:function>
Created attachment 221304
Proposed fix

Proposed fix for the double func:result crash.
GitHub is such a pain, there is no way to download the raw diff there: https://github.com/nwellnhof/libxslt/commit/138d9427336261cc0e3d1d8047879e65f5b8c48a

Second patch applied in an easier way :-)

All pushed, thanks a lot!

Daniel