GNOME Bugzilla – Bug 754947
Heap-buffer overread in push mode, parser.c xmlParseTryOrFinish
Last modified: 2016-03-31 20:51:31 UTC
Created attachment 311228 [details]
Minimized crasher xml for git version.

Hi,

The following out-of-bounds read in a heap buffer can be observed in an ASAN build of the latest git version of libxml2, in push mode:

$ ./xmllint --push min_9_28.xml
==30572== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4e000ff at pc 0xb5e4f084 bp 0xbf96a3c8 sp 0xbf96a3bc
READ of size 1 at 0xb4e000ff thread T0
    #0 0xb5e4f083 in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:12217
    #1 0xb5e503f2 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12399
    #2 0x8051dc7 in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2284
    #3 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #4 0xb5c0da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #5 0x804ed51 in _start (/home/weilei/libxml2/.libs/lt-xmllint+0x804ed51)
0xb4e000ff is located 1 bytes to the left of 8194-byte region [0xb4e00100,0xb4e02102)
allocated by thread T0 here:
    #0 0xb6188854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0xb5f6fe79 in xmlBufCreateSize /home/weilei/libxml2/buf.c:172
    #2 0xb5e883c9 in xmlAllocParserInputBuffer__internal_alias /home/weilei/libxml2/xmlIO.c:2432
    #3 0xb5e369f0 in xmlCreatePushParserCtxt__internal_alias /home/weilei/libxml2/parser.c:12504
    #4 0x8051d8e in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2280
    #5 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #6 0xb5c0da82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/weilei/libxml2/parser.c:12217 xmlParseTryOrFinish
Shadow bytes around the buggy address:
  0x369bfff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369c0000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369c0010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x369c0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

$ xxd -g 1 min_9_28.xml
0000000: 3c 64 3e 3c 21 5b 43 44 41 54 41 5b 30 30 30 30  <d><![CDATA[0000
0000010: 30 30 30 30 30 30 30 30 30 ee 5d 5d 3e           000000000.]]>
Okay, found that one, another error in the parser itself; this is now fixed in the git main branch:
https://git.gnome.org/browse/libxml2/commit/?id=4a5d80aded1da94cd55294e7207109712201b75b
Thanks for the report!
Daniel
This fix caused the following regression in libxml2 v2.9.3:
REGRESSION (v2.9.3): XML push parser fails with bogus UTF-8 encoding error when multi-byte character in large CDATA section is split across buffer
<https://bugzilla.gnome.org/show_bug.cgi?id=760183>
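Added example, not code from libxml2, from the fix commit, or from this bug's attachment: a small C model of the check a push-mode reader needs at a chunk boundary. It addresses both problems in this thread, the overread (the scan back over UTF-8 continuation bytes is bounded by the start of the buffer, so it can never touch the byte one to the left of the allocation, which is exactly where ASAN caught the read above) and the v2.9.3 regression (an incomplete multi-byte sequence at the end of a chunk is carried over to the next chunk rather than reported as an encoding error). The names classify_tail, push_feed, tail_info and the sample document are my own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What the last bytes of a chunk look like. */
typedef enum {
    TAIL_COMPLETE,   /* chunk ends on a character boundary */
    TAIL_INCOMPLETE, /* a multi-byte sequence is cut off; wait for more input */
    TAIL_INVALID     /* the trailing bytes cannot form a UTF-8 sequence */
} tail_status;

typedef struct {
    tail_status status;
    size_t partial; /* bytes of the cut-off sequence already in the chunk */
    size_t needed;  /* bytes still required to complete it */
} tail_info;

/* Sequence length announced by a UTF-8 lead byte; 0 for continuation/invalid bytes. */
static size_t utf8_seq_len(unsigned char lead) {
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Classify the tail of buf[0..len). The backward walk is bounded by both the
   4-byte maximum sequence length and the start of the buffer, so no index can
   ever fall before buf[0] (the ASAN report above is a read at buf[-1]). */
tail_info classify_tail(const unsigned char *buf, size_t len) {
    tail_info r = { TAIL_COMPLETE, 0, 0 };
    if (len == 0) return r;
    size_t back = 0; /* continuation bytes seen while walking backwards */
    while (back < len && back < 3 && (buf[len - 1 - back] & 0xC0) == 0x80)
        back++;
    if (back == len) { r.status = TAIL_INVALID; return r; } /* no lead byte in range */
    size_t seq  = utf8_seq_len(buf[len - 1 - back]);
    size_t have = back + 1;
    if (seq == 0 || have > seq) { r.status = TAIL_INVALID; return r; }
    if (have < seq) { r.status = TAIL_INCOMPLETE; r.partial = have; r.needed = seq - have; }
    return r;
}

/* Simulate a push-mode reader fed `doc` in `chunk_size` pieces. A cut-off
   sequence at a chunk tail is carried into the next chunk instead of being
   reported as an encoding error. Returns the number of chunks that needed a
   carry-over, or -1 if the stream ends inside a sequence or a tail is invalid. */
int push_feed(const unsigned char *doc, size_t len, size_t chunk_size) {
    unsigned char carry[4];   /* at most 3 bytes are ever carried */
    size_t ncarry = 0;
    int carries = 0;
    unsigned char *work = malloc(chunk_size + sizeof carry);
    if (work == NULL || chunk_size == 0) { free(work); return -1; }
    for (size_t off = 0; off < len; off += chunk_size) {
        size_t n = len - off < chunk_size ? len - off : chunk_size;
        memcpy(work, carry, ncarry);
        memcpy(work + ncarry, doc + off, n);
        size_t wlen = ncarry + n;
        tail_info t = classify_tail(work, wlen);
        if (t.status == TAIL_INVALID) { free(work); return -1; }
        ncarry = 0;
        if (t.status == TAIL_INCOMPLETE) {
            memcpy(carry, work + wlen - t.partial, t.partial);
            ncarry = t.partial;
            carries++;
        }
        /* work[0 .. wlen - ncarry) is now safe to hand to the real parser */
    }
    free(work);
    return ncarry == 0 ? carries : -1; /* stream ended mid-sequence */
}

/* Constructed sample (not the bug's attachment): a CDATA section holding one
   3-byte UTF-8 character (U+20AC), 26 bytes long. */
static const unsigned char SAMPLE_DOC[] = "<d><![CDATA[0000\xE2\x82\xAC]]></d>";
#define SAMPLE_LEN (sizeof SAMPLE_DOC - 1)

int demo_split_inside_char(void) { return push_feed(SAMPLE_DOC, SAMPLE_LEN, 17); } /* 1 carry */
int demo_split_on_boundary(void) { return push_feed(SAMPLE_DOC, SAMPLE_LEN, 8); }  /* 0 carries */
int demo_truncated_stream(void)  { return push_feed(SAMPLE_DOC, 17, 17); }         /* -1 */

int main(void) {
    printf("split inside char: %d\n", demo_split_inside_char());
    printf("split on boundary: %d\n", demo_split_on_boundary());
    printf("truncated stream:  %d\n", demo_truncated_stream());
    return 0;
}
```

With a chunk size of 17 the three-byte character is cut after its lead byte, and the reader carries that byte forward and finishes cleanly; with a chunk size of 8 every boundary falls between characters; feeding only the first 17 bytes and then stopping is the one case that legitimately is an error, because the stream really did end inside a character.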