Bug 680920 - Read previously free'd memory when using func:result
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware / OS: Other / All
Importance (priority, severity): Normal, major
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2012-07-31 16:15 UTC by Nicolas Gregoire
Modified: 2012-09-04 06:58 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Minimized test case (337 bytes, application/xml), 2012-07-31 16:15 UTC, Nicolas Gregoire
Proposed fix (3.34 KB, patch), 2012-08-15 19:35 UTC, Nick Wellnhofer

Description Nicolas Gregoire 2012-07-31 16:15:12 UTC
Created attachment 219998: Minimized test case

The attached test case will crash libxslt 1.1.26 if extensions are available. The offending function is the following:

<func:function name="func:uaf">
	<xsl:text/>
	<func:result/>
</func:function>

Valgrind output log:

==2600== Invalid read of size 4
==2600==    at 0x40FE2A4: exsltFuncFunctionFunction (functions.c:316)
==2600==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==2600==    by 0x418C681: xmlXPathCompOpEval (xpath.c:13862)
==2600==    by 0x418EE11: xmlXPathRunEval (xpath.c:14432)
==2600==    by 0x418F438: xmlXPathCompiledEvalInternal (xpath.c:14792)
==2600==    by 0x418F655: xmlXPathCompiledEval (xpath.c:14855)
==2600==    by 0x40E90F1: xsltValueOf (transform.c:4418)
==2600==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==2600==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==2600==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==2600==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==2600==    by 0x8049E11: xsltProcess (xsltproc.c:404)
==2600==  Address 0x43e43dc is 28 bytes inside a block of size 60 free'd
==2600==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==2600==    by 0x415261C: xmlFreeNode (tree.c:3716)
==2600==    by 0x40C8400: xsltParseTemplateContent (xslt.c:4846)
==2600==    by 0x40FDDA4: exsltFuncFunctionComp (functions.c:503)
==2600==    by 0x40C9875: xsltParseStylesheetTop (xslt.c:6109)
==2600==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==2600==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==2600==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==2600==    by 0x804A7F3: main (xsltproc.c:830)
==2600== 
==2600== Invalid read of size 4
==2600==    at 0x40E5F2F: xsltApplySequenceConstructor (transform.c:2564)
==2600==    by 0x40FE624: exsltFuncFunctionFunction (functions.c:408)
==2600==    by 0x418CBEF: xmlXPathCompOpEval (xpath.c:13478)
==2600==    by 0x418C681: xmlXPathCompOpEval (xpath.c:13862)
==2600==    by 0x418EE11: xmlXPathRunEval (xpath.c:14432)
==2600==    by 0x418F438: xmlXPathCompiledEvalInternal (xpath.c:14792)
==2600==    by 0x418F655: xmlXPathCompiledEval (xpath.c:14855)
==2600==    by 0x40E90F1: xsltValueOf (transform.c:4418)
==2600==    by 0x40E5FA6: xsltApplySequenceConstructor (transform.c:2595)
==2600==    by 0x40E75E1: xsltApplyXSLTTemplate (transform.c:3044)
==2600==    by 0x40E7E41: xsltProcessOneNode (transform.c:2045)
==2600==    by 0x40EB8D9: xsltApplyStylesheetInternal (transform.c:6049)
==2600==  Address 0x43e43e4 is 36 bytes inside a block of size 60 free'd
==2600==    at 0x4024B3A: free (vg_replace_malloc.c:366)
==2600==    by 0x415261C: xmlFreeNode (tree.c:3716)
==2600==    by 0x40C8400: xsltParseTemplateContent (xslt.c:4846)
==2600==    by 0x40FDDA4: exsltFuncFunctionComp (functions.c:503)
==2600==    by 0x40C9875: xsltParseStylesheetTop (xslt.c:6109)
==2600==    by 0x40CA868: xsltParseStylesheetProcess (xslt.c:6414)
==2600==    by 0x40CAD2B: xsltParseStylesheetImportedDoc (xslt.c:6627)
==2600==    by 0x40CADDE: xsltParseStylesheetDoc (xslt.c:6666)
==2600==    by 0x804A7F3: main (xsltproc.c:830)
==2600==    [...]
Comment 2 Nicolas Gregoire 2012-08-02 15:03:13 UTC
The proposed fix will indeed resolve the given test case. But it seems that there are more bugs around func:result. The latest version of libxslt (including fix 138d9427336261cc0e3d1d8047879e65f5b8c48a) will crash when processing the following function:

<func:function name="func:uaf">
        <func:result/>
        <func:result/>
</func:function>
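Both crashes in this report are triggered by the shape of a func:function body: in the Description a func:result preceded by an instruction (an empty xsl:text), in Comment 2 two func:result elements in one function. The following stand-alone checker is an added example for this page, not code from the reporter, the patch, or libxslt, and it does not fix the bug (the fix is the pushed commit). It parses a stylesheet with the standard-library ElementTree and flags those two shapes before the stylesheet reaches the processor. The set of siblings treated as harmless ahead of func:result (xsl:param and xsl:variable) is an assumption, and only direct children of func:function are inspected; the inline stylesheets are constructed inputs modelled on the two functions quoted above.

```python
"""Static pre-check for EXSLT func:function bodies.

Added example for this report; it is not libxslt code and not a fix for
the bug.  It parses a stylesheet with the standard library's ElementTree
and flags the two shapes quoted in the report:
  1. an instruction or literal text placed before func:result inside a
     func:function (the empty xsl:text case), and
  2. more than one func:result as a direct child of one func:function.
Which preceding siblings count as harmless is an assumption (xsl:param
and xsl:variable only); nested func:result elements are not inspected.
"""
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
FUNC_NS = "http://exslt.org/functions"

FUNC_FUNCTION = "{%s}function" % FUNC_NS
FUNC_RESULT = "{%s}result" % FUNC_NS
# Assumption: only these may sit between <func:function> and <func:result>
# without producing result-tree content.
HARMLESS_BEFORE_RESULT = {"{%s}param" % XSL_NS, "{%s}variable" % XSL_NS}


def _is_nonblank(text):
    """True when a text or tail node carries more than whitespace."""
    return bool(text and text.strip())


def lint_functions(stylesheet_xml):
    """Return (function name, problem) pairs for every suspicious function.

    The input is the stylesheet as a string.  An empty list means neither
    pattern was found.
    """
    root = ET.fromstring(stylesheet_xml)
    findings = []
    for fn in root.iter(FUNC_FUNCTION):
        name = fn.get("name", "<unnamed>")

        # Pattern 2: two or more func:result children (Comment 2 case).
        if sum(1 for child in fn if child.tag == FUNC_RESULT) > 1:
            findings.append((name, "multiple func:result elements"))

        # Pattern 1: content generated before the first func:result
        # (Description case: <xsl:text/> ahead of <func:result/>).
        seen_content = _is_nonblank(fn.text)
        for child in fn:
            if child.tag == FUNC_RESULT:
                if seen_content:
                    findings.append((name, "content before func:result"))
                break  # only what precedes the first result matters here
            if child.tag not in HARMLESS_BEFORE_RESULT or _is_nonblank(child.tail):
                seen_content = True
    return findings


def _wrap(body):
    """Constructed stylesheet skeleton around a func:function body."""
    return (
        '<xsl:stylesheet version="1.0" '
        'xmlns:xsl="%s" xmlns:func="%s" '
        'extension-element-prefixes="func">%s</xsl:stylesheet>'
        % (XSL_NS, FUNC_NS, body)
    )


# Constructed inputs modelled on the two functions quoted in this report.
CASE_TEXT_BEFORE_RESULT = _wrap(
    '<func:function name="func:uaf"><xsl:text/><func:result/></func:function>'
)
CASE_DOUBLE_RESULT = _wrap(
    '<func:function name="func:uaf"><func:result/><func:result/></func:function>'
)
# A well-formed function for contrast: a parameter, then a single result.
CASE_CLEAN = _wrap(
    '<func:function name="func:double"><xsl:param name="n"/>'
    '<func:result select="$n * 2"/></func:function>'
)

if __name__ == "__main__":
    for label, case in (("text-before-result", CASE_TEXT_BEFORE_RESULT),
                        ("double-result", CASE_DOUBLE_RESULT),
                        ("clean", CASE_CLEAN)):
        print(label, lint_functions(case))
```

A check like this is only a pre-filter for a service that compiles stylesheets supplied by untrusted parties, which is the setting where a use-after-free in the stylesheet compiler matters; it does not replace updating libxslt to a build that contains both fixes.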
Comment 3 Nick Wellnhofer 2012-08-15 19:35:33 UTC
Created attachment 221304: Proposed fix

Proposed fix for the double func:result crash.
Comment 4 Daniel Veillard 2012-09-04 06:58:01 UTC
Github is such a pain, there is no way to download the raw diff there:

https://github.com/nwellnhof/libxslt/commit/138d9427336261cc0e3d1d8047879e65f5b8c48a

Second patch applied in an easier way :-) All pushed.

Thanks a lot!

Daniel