GNOME Bugzilla – Bug 754946
Heap-buffer overread in dict.c followed from xmlParseNCNameComplex
Last modified: 2015-09-15 08:59:45 UTC
Created attachment 311227
Raw crasher xml (not minimized) for git version.

Hi,

The following out-of-bound read in heap buffer can be observed in an ASAN build of the latest git version libxml2:

$ ./xmllint id_5_00.xml
==30315== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5300684 at pc 0xb5ffbee4 bp 0xbfaf1088 sp 0xbfaf107c
READ of size 1 at 0xb5300684 thread T0
    #0 0xb5ffbee3 in xmlDictComputeFastKey.isra.2 /home/weilei/libxml2/dict.c:448
    #1 0xb5ffe10a in xmlDictLookup__internal_alias /home/weilei/libxml2/dict.c:848
    #2 0xb5db4707 in xmlParseNCNameComplex /home/weilei/libxml2/parser.c:3506
    #3 0xb5db4707 in xmlParseNCName /home/weilei/libxml2/parser.c:3565
    #4 0xb5db4ebd in xmlParseQName /home/weilei/libxml2/parser.c:8823
    #5 0xb5db5a33 in xmlParseStartTag2 /home/weilei/libxml2/parser.c:9344
    #6 0xb5dceb8c in xmlParseElement__internal_alias /home/weilei/libxml2/parser.c:10077
    #7 0xb5dd0cea in xmlParseDocument__internal_alias /home/weilei/libxml2/parser.c:10857
    #8 0xb5dd21f4 in xmlDoRead /home/weilei/libxml2/parser.c:15311
    #9 0x8053f0b in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2401
    #10 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #11 0xb5b9ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #12 0x804ed51 in _start (/home/weilei/libxml2/.libs/lt-xmllint+0x804ed51)
0xb5300684 is located 12 bytes to the left of 11-byte region [0xb5300690,0xb530069b)
allocated by thread T0 here:
    #0 0xb6116854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0xb5d845fb in xmlNewBlanksWrapperInputStream /home/weilei/libxml2/parser.c:2458
    #2 0xb5dbdc5e in xmlParsePEReference__internal_alias.part.13 /home/weilei/libxml2/parser.c:8058
    #3 0xb5dbe610 in xmlParsePEReference__internal_alias /home/weilei/libxml2/parser.c:7990
    #4 0xb5dbe610 in xmlParseMarkupDecl__internal_alias /home/weilei/libxml2/parser.c:6967
    #5 0xb5dc1225 in xmlParseInternalSubset /home/weilei/libxml2/parser.c:8409
    #6 0xb5dd145b in xmlParseDocument__internal_alias /home/weilei/libxml2/parser.c:10825
    #7 0xb5dd21f4 in xmlDoRead /home/weilei/libxml2/parser.c:15311
    #8 0x8053f0b in parseAndPrintFile /home/weilei/libxml2/xmllint.c:2401
    #9 0x804d2a2 in main /home/weilei/libxml2/xmllint.c:3759
    #10 0xb5b9ba82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/weilei/libxml2/dict.c:461 xmlDictComputeFastKey.isra.2
Shadow bytes around the buggy address:
  0x36a600c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36a600d0:[fa]fa 00 03 fa fa 02 fa fa fa 04 fa fa fa 04 fa
  0x36a600e0: fa fa 05 fa fa fa 00 01 fa fa 06 fa fa fa 00 03

Found with american fuzzy lop.

A minimized crasher that works for Libxml2-2.9.2 ASAN build:

$ xxd -g 1 min_5_00.xml
0000000: 3c 21 44 4f 43 54 59 50 45 41 5b 3c 21 45 4e 54  <!DOCTYPEA[<!ENT
0000010: 49 54 59 20 25 0d 53 59 53 54 45 30 20 22 30 3c  ITY %.SYSTE0 "0<
0000020: 6c 30 30 30 30 30 30 30 30 30 22 25 53 59 53 54  l000000000"%SYST
0000030: 45 30 3b                                          E0;
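The xxd listing above is the whole minimized test case, so it can be rebuilt without the attachment. The script below is an added example, not code from this report or from libxml2: it decodes the `xxd -g 1` dump back into the 51 bytes, pulls out the parameter entity declaration and the `%SYSTE0;` reference that the allocation trace goes through, and, if an `xmllint` is on PATH, feeds the file to it. The function names are my own; the `len(name) + 5` wrapper size is an assumption derived from the trace (a buffer of the form `" %name; "` plus a terminating NUL gives the 11-byte region ASAN reports for a 6-character name), not something the report states.

```python
"""Rebuild the minimized libxml2 crasher from the xxd dump in the report.

Added example, not code from the bug report or from libxml2. It turns the
`xxd -g 1` listing back into bytes, checks the pieces the ASAN trace refers
to (the parameter entity declaration and the %SYSTE0; reference in the
internal subset), and optionally feeds the file to an xmllint found on PATH.
"""
import re
import shutil
import subprocess
import sys

# Constructed copy of the listing shown in the report (two spaces separate
# the hex column from the ASCII column, as xxd prints it).
MIN_5_00_XXD = """\
0000000: 3c 21 44 4f 43 54 59 50 45 41 5b 3c 21 45 4e 54  <!DOCTYPEA[<!ENT
0000010: 49 54 59 20 25 0d 53 59 53 54 45 30 20 22 30 3c  ITY %.SYSTE0 "0<
0000020: 6c 30 30 30 30 30 30 30 30 30 22 25 53 59 53 54  l000000000"%SYST
0000030: 45 30 3b                                          E0;
"""

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_xxd(dump: str) -> bytes:
    """Convert `xxd -g 1` output back into bytes.

    Each line is `<offset>: <hex bytes>  <ascii>`. The ASCII column is cut
    off at the first double space rather than by guessing from its text,
    which may itself contain hex-looking words. Offsets are verified so a
    dropped or duplicated line is caught instead of silently shifting bytes.
    """
    out = bytearray()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        offset_str, rest = line.split(":", 1)
        offset = int(offset_str, 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes so far")
        hex_part = rest.lstrip().split("  ", 1)[0]
        for tok in hex_part.split():
            if not _HEX_BYTE.match(tok):
                raise ValueError(f"bad hex token {tok!r} in {line!r}")
            out.append(int(tok, 16))
    return bytes(out)


CRASHER = parse_xxd(MIN_5_00_XXD)

# Parameter entity declaration: `<!ENTITY` S `%` S Name S '"' value '"'.
# The crasher uses a bare CR (0x0d) as the whitespace after `%`; CR is a
# legal XML S character, so the pattern accepts any of the four.
_PE_DECL = re.compile(rb'<!ENTITY[ \t\r\n]+%[ \t\r\n]+([^ \t\r\n"]+)[ \t\r\n]+"([^"]*)"')
_PE_REF = re.compile(rb"%([^;\s]+);")


def describe(doc: bytes) -> dict:
    """Summarize the parts of the document the ASAN trace passes through."""
    decl = _PE_DECL.search(doc)
    ref = _PE_REF.search(doc, decl.end() if decl else 0)
    info = {
        "length": len(doc),
        "has_doctype": doc.startswith(b"<!DOCTYPE"),
        "pe_name": decl.group(1).decode() if decl else None,
        "pe_value": decl.group(2).decode() if decl else None,
        "pe_ref": ref.group(1).decode() if ref else None,
    }
    # Assumption drawn from the trace: the buffer xmlNewBlanksWrapperInputStream
    # allocates holds " %" + name + "; " plus a NUL, i.e. len(name) + 5 bytes;
    # the report shows an 11-byte region for the 6-character name SYSTE0.
    info["wrapper_alloc"] = len(info["pe_name"]) + 5 if info["pe_name"] else None
    return info


def main(argv=None) -> int:
    path = (argv or sys.argv[1:] or ["min_5_00.xml"])[0]
    with open(path, "wb") as fh:
        fh.write(CRASHER)
    info = describe(CRASHER)
    print(f"wrote {info['length']} bytes to {path}: PE {info['pe_name']!r} = "
          f"{info['pe_value']!r}, referenced as %{info['pe_ref']};")
    xmllint = shutil.which("xmllint")
    if xmllint is None:
        print("xmllint not on PATH; run an ASAN build of xmllint on the file by hand")
        return 0
    proc = subprocess.run([xmllint, "--noout", path], capture_output=True,
                          text=True, errors="replace", timeout=30)
    print(f"{xmllint} exit status {proc.returncode}")
    if "AddressSanitizer" in proc.stderr:
        print(proc.stderr.splitlines()[0])
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Only an ASAN build of an unfixed libxml2 (2.9.2, or git before the fix) will show the report; a plain distribution xmllint reads 12 bytes before a live heap block without any visible symptom, which is why the report relies on the sanitizer rather than on a crash.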
That was an interesting one. The bug is in the parser, in the handling of a corner case. I committed a fix upstream with the test added:

https://git.gnome.org/browse/libxml2/commit/?id=51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783

Thanks a lot for the report,

Daniel