Bug 751633 - Stack overflow (probably endless recursion) in xsltResolveSASCallback
Status: RESOLVED FIXED
Product: libxslt
Classification: Platform
Component: general
Version: unspecified
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2015-06-29 08:21 UTC by Hanno Böck
Modified: 2015-06-29 12:05 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
- Sample input triggering segfault (223 bytes, text/plain), 2015-06-29 08:21 UTC, Hanno Böck
- variant with non-empty name tag (224 bytes, application/xslt+xml), 2015-06-29 10:54 UTC, Hanno Böck

Description Hanno Böck 2015-06-29 08:21:38 UTC
Created attachment 306266
Sample input triggering segfault

The attached file will segfault xsltproc and cause a stack overflow. Judging from the stack trace this looks like a never ending recursion.

Found with american fuzzy lop.

Address Sanitizer trace:
==19450==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe15b1dfb8 (pc 0x0000004fedd1 bp 0x7ffe15b1e0e0 sp 0x7ffe15b1df80 T0)
    #0 0x4fedd0 in xsltGenericDebugDefaultFunc /f/libxslt-1.1.28/libxslt/xsltutils.c:569
    #1 0x5448fc in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:509:3
    #2 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
    #3 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
    #4 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
    #5 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
    #6 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
    #7 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7
[continuing over many lines]
    #251 0x544a72 in xsltResolveSASCallback /f/libxslt-1.1.28/libxslt/attributes.c:522:7

SUMMARY: AddressSanitizer: stack-overflow /f/libxslt-1.1.28/libxslt/xsltutils.c:569 xsltGenericDebugDefaultFunc
==19450==ABORTING
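Added example (a Python model, not libxslt's own code and not the fix linked below): how a resolver of use-attribute-sets references can recognise an attribute set that refers to itself, directly or through other sets, and report it instead of recursing until the stack overflows. The stylesheet is constructed for this example; the report's attachments are not reproduced here.

```python
"""Cycle-safe resolution of xsl:attribute-set / use-attribute-sets references.

Model of the check a resolver needs: sets on the current resolution path are
tracked, and meeting one of them again is reported as an error rather than
followed into unbounded recursion.
"""
import xml.etree.ElementTree as ET

XSL = "http://www.w3.org/1999/XSL/Transform"

# Constructed sample stylesheet: "table" -> "base" is a normal chain,
# "loop" references itself directly, "p" and "q" form an indirect cycle.
SAMPLE_STYLESHEET = f"""<xsl:stylesheet version="1.0" xmlns:xsl="{XSL}">
  <xsl:attribute-set name="base"><xsl:attribute name="border">1</xsl:attribute></xsl:attribute-set>
  <xsl:attribute-set name="table" use-attribute-sets="base"/>
  <xsl:attribute-set name="loop" use-attribute-sets="loop"/>
  <xsl:attribute-set name="p" use-attribute-sets="q"/>
  <xsl:attribute-set name="q" use-attribute-sets="p"/>
</xsl:stylesheet>"""


def load_attribute_sets(xml_text):
    """Map each attribute-set name to the names listed in its use-attribute-sets."""
    root = ET.fromstring(xml_text)
    graph = {}
    for el in root.iter(f"{{{XSL}}}attribute-set"):
        name = el.get("name", "")
        graph.setdefault(name, []).extend(el.get("use-attribute-sets", "").split())
    return graph


def resolve(graph, name, _in_progress=None, _done=None):
    """Return the sets to apply for `name`, dependencies first; raise on a cycle."""
    _in_progress = set() if _in_progress is None else _in_progress
    _done = [] if _done is None else _done
    if name in _in_progress:  # already on the path we are resolving: a cycle
        raise ValueError(f"cycle in use-attribute-sets at {name!r}")
    if name in _done:  # shared dependency, already resolved once
        return _done
    if name not in graph:
        raise KeyError(f"unknown attribute-set {name!r}")
    _in_progress.add(name)
    for dep in graph[name]:
        resolve(graph, dep, _in_progress, _done)
    _in_progress.remove(name)
    _done.append(name)
    return _done


def check_stylesheet(xml_text):
    """Return {set name: error message or None} for every attribute set."""
    graph = load_attribute_sets(xml_text)
    report = {}
    for name in graph:
        try:
            resolve(graph, name)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report
```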
Comment 1 Daniel Veillard 2015-06-29 10:25:43 UTC
Gahh, indeed a missing check on attribute-set definitions.
Fix pushed to git:

https://git.gnome.org/browse/libxslt/commit/?id=71691d7b991db8a88824ddeb71a7edc28ecc0cb0

thanks,

Daniel
Comment 2 Hanno Böck 2015-06-29 10:54:20 UTC
While this fixes the original instance a small variant still causes a segfault. Will attach.
Comment 3 Hanno Böck 2015-06-29 10:54:43 UTC
Created attachment 306274
variant with non-empty name tag
Comment 4 Daniel Veillard 2015-06-29 12:05:28 UTC
Okay, okay, that one is different but fix should be robust now:

https://git.gnome.org/browse/libxslt/commit/?id=8ad27070672b8e221eda5700bcb64fbd9c4ec0a7

thanks,

Daniel