GNOME Bugzilla – Bug 757711
heap-buffer-overflow in xmlFAParsePosCharGroup
Last modified: 2016-08-22 20:24:46 UTC
Found with libFuzzer+AddressSanitizer in fresh trunk

==40644==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef7 at pc 0x7ff28073d830 bp 0x7ffe05f5ec10 sp 0x7ffe05f5ec08
READ of size 1 at 0x60200000eef7 thread T0
    #0 0x7ff28073d82f in xmlFAParsePosCharGroup xmlregexp.c:XXXX

Are the bugs in xmlregexp.c interesting at all? Shall I attach the details now or wait until this bug is marked as "Only for libxml2 developers"?
All bugs are interesting, but indeed some more than others :) Attach details, it's now private. xmlregexp is used for DTD and schema validation, so not directly in the parser path usually, so less critical, but ought to be fixed too! Send them my way!

Daniel
This can be reproduced by "testapi xmlregexp" with the following patch.

--- a/testapi.c +++ b/testapi.c @@ -33771,7 +33771,7 @@ static int test_xmlRegexpCompile(void) { int test_ret = 0; - + xmlRegexpCompile("[;^((-"); /* missing type support */ return(test_ret); }

==35387==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef7 at pc 0x7fa80a8da830 bp 0x7fff08c0f8f0 sp 0x7fff08c0f8e8
READ of size 1 at 0x60200000eef7 thread T0
    #0 0x7fa80a8da82f in xmlFAParsePosCharGroup xmlregexp.c:5080:15
    #1 0x7fa80a8d6d9b in xmlFAParseCharGroup xmlregexp.c:5102:6
    #2 0x7fa80a8d4b40 in xmlFAParseCharClass xmlregexp.c:5139:2
    #3 0x7fa80a8d4b40 in xmlFAParseAtom xmlregexp.c:5293
    #4 0x7fa80a8d4b40 in xmlFAParsePiece xmlregexp.c:5310
    #5 0x7fa80a8d3d3c in xmlFAParseBranch xmlregexp.c:5336:11
    #6 0x7fa80a8a6e71 in xmlFAParseRegExp xmlregexp.c:5371:5
    #7 0x7fa80a8a613d in xmlRegexpCompile__internal_alias xmlregexp.c:5467:5
    #8 0x5abbb8 in test_xmlRegexpCompile testapi.c:33774:5
    #9 0x5abbb8 in test_xmlregexp testapi.c:33920
    #10 0x4ecdea in test_module testapi.c:52161:46
    #11 0x4ebc9f in main testapi.c:147:16

0x60200000eef7 is located 0 bytes to the right of 7-byte region [0x60200000eef0,0x60200000eef7)
allocated by thread T0 here:
    #0 0x4c330b in malloc
    #1 0x7fa80a88198d in xmlStrndup__internal_alias xmlstring.c:45:23
    #2 0x7fa80a88198d in xmlStrdup__internal_alias xmlstring.c:71
    #3 0x7fa80a8a5e36 in xmlRegNewParserCtxt xmlregexp.c:693:16
    #4 0x7fa80a8a5e36 in xmlRegexpCompile__internal_alias xmlregexp.c:5457
    #5 0x5abbb8 in test_xmlRegexpCompile testapi.c:33774:5
    #6 0x5abbb8 in test_xmlregexp testapi.c:33920
    #7 0x4ecdea in test_module testapi.c:52161:46
    #8 0x4ebc9f in main testapi.c:147:16
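Review bot: the return value of xmlRegexpCompile("[;^((-") in the added line is discarded, so nothing sets test_ret and, once the overread is fixed, a regexp that does compile would leak. As a crash reproducer that is fine; if the line is meant to stay in testapi.c, store the result, free it with xmlRegFreeRegexp, and bump test_ret when compilation of this malformed class unexpectedly succeeds.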
Created attachment 319596
Standalone PoC

Compile this with AddressSanitizer enabled, then run with ASan-enabled libxml2 library to reproduce the crash. If you modify testapi.c itself, you will likely run into Bug 758572 first.
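The ASan report above says the read lands 0 bytes past a 7-byte heap region, i.e. one byte beyond the NUL terminator of xmlStrdup's copy of the 6-character pattern "[;^((-". The toy below, an added illustration and not libxml2's xmlFAParsePosCharGroup or any other libxml2 code, shows the general shape of that bug class in a character-class scanner: after eating a '-' the vulnerable form reads the range end without first checking for the terminator, while the hardened form checks after every advance that can land on it. All names here (cursor, cur, next, parse_char_group_unsafe, parse_char_group_safe, compile_class, highest_offset_read) are hypothetical; the extra sentinel NUL is a demo device so the one-byte overread can be measured without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added toy, not libxml2 code: a "[...]" scanner over an exactly-sized heap
 * copy of the pattern.  max_read records the highest offset dereferenced so
 * the demo can show where each variant stops; strlen(pattern) is the NUL
 * itself, strlen(pattern)+1 is one byte past the end of the string. */
typedef struct {
    const char *base;
    size_t pos;                 /* current offset into base */
    size_t max_read;            /* highest offset ever read (demo instrumentation) */
    int error;
    int n_ranges;               /* ranges collected so far */
    unsigned char lo[16], hi[16];
} cursor;

/* CUR / NEXT in the style of a hand-written scanner, with read tracking. */
static unsigned char cur(cursor *c) {
    if (c->pos > c->max_read) c->max_read = c->pos;
    return (unsigned char)c->base[c->pos];
}
static void next(cursor *c) { c->pos++; }

static void add_range(cursor *c, unsigned char lo, unsigned char hi) {
    if (c->n_ranges >= 16) return;
    c->lo[c->n_ranges] = lo;
    c->hi[c->n_ranges] = hi;
    c->n_ranges++;
}

/* Vulnerable form: after '-' it assumes a range-end byte is present. */
static int parse_char_group_unsafe(cursor *c) {
    while (cur(c) != ']' && cur(c) != '\0' && !c->error) {
        unsigned char lo = cur(c), hi = lo;
        next(c);
        if (cur(c) == '-') {
            next(c);            /* eat '-' */
            hi = cur(c);        /* BUG: this may be the NUL terminator itself ... */
            next(c);            /* ... and now pos is beyond it */
        }
        add_range(c, lo, hi);
    }
    if (cur(c) != ']')          /* on a trailing '-' this reads base[strlen+1] */
        c->error = 1;
    return c->error ? -1 : 0;
}

/* Hardened form: every advance that can land on the terminator is checked. */
static int parse_char_group_safe(cursor *c) {
    for (;;) {
        if (cur(c) == '\0') { c->error = 1; break; }      /* unterminated '[' */
        if (cur(c) == ']') break;
        unsigned char lo = cur(c), hi = lo;
        next(c);
        if (cur(c) == '-') {
            next(c);
            if (cur(c) == '\0') { c->error = 1; break; }  /* '-' with nothing after it */
            if (cur(c) == ']') {                          /* "[a-]": '-' is a literal */
                add_range(c, lo, lo);
                add_range(c, '-', '-');
                break;
            }
            hi = cur(c);
            next(c);
        }
        add_range(c, lo, hi);
    }
    return c->error ? -1 : 0;
}

typedef int (*group_parser)(cursor *);

/* Compile one "[...]" pattern from an exactly-sized heap copy (as xmlStrdup
 * would make) plus one demo sentinel NUL.  Returns 0 on success, -1 on error;
 * *max_read (if non-NULL) receives the highest offset the parser touched. */
static int compile_class(group_parser parse, const char *pattern, size_t *max_read) {
    size_t len = strlen(pattern);
    char *buf = malloc(len + 2);
    cursor c;
    int rc = -1;
    if (buf == NULL) return -1;
    memcpy(buf, pattern, len + 1);
    buf[len + 1] = '\0';        /* sentinel; a real 7-byte malloc ends at len */
    memset(&c, 0, sizeof c);
    c.base = buf;
    if (cur(&c) == '[') { next(&c); rc = parse(&c); }
    if (max_read) *max_read = c.max_read;
    free(buf);
    return rc;
}

static size_t highest_offset_read(group_parser parse, const char *pattern) {
    size_t m = 0;
    (void)compile_class(parse, pattern, &m);
    return m;
}

int main(void) {
    const char *poc = "[;^((-";   /* the input from the ASan report above */
    printf("unsafe: rc=%d, highest offset read %zu (strlen=%zu)\n",
           compile_class(parse_char_group_unsafe, poc, NULL),
           highest_offset_read(parse_char_group_unsafe, poc), strlen(poc));
    printf("safe:   rc=%d, highest offset read %zu\n",
           compile_class(parse_char_group_safe, poc, NULL),
           highest_offset_read(parse_char_group_safe, poc));
    return 0;
}
```

On "[;^((-" the unsafe scanner's highest read is offset 7, one past the NUL at offset 6, which is exactly the "0 bytes to the right of 7-byte region" condition in the report; the hardened one stops at offset 6 and reports an error. Both accept "[a-z]", and the hardened one additionally treats the '-' in "[a-]" as a literal instead of walking off the end.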
Created attachment 323286
Proposed Patch v1
Created attachment 323326
Patch to implement test case (supplement to Proposed Patch v1)

Well that was fun. I upgraded "make Regexptests" to handle error output properly (without creating false-negative output that looks like the test failed), and then wrote a test that reproduces this crash with ASan. Note that "make check" apparently doesn't run regexp tests, so you'll need to run "make Regexptests" to test this.
Fixed by commit cbb271655cadeb8dbb258a64701d9a3a0c4835b4: <https://git.gnome.org/browse/libxml2/commit/?id=cbb271655cadeb8dbb258a64701d9a3a0c4835b4>
Removing security group as commit is public