GNOME Bugzilla – Bug 765661
timeouts in xmlRegexpCompile()
Last modified: 2021-07-05 13:23:41 UTC
Created attachment 326843 [details] testcase to reproduce timeout libxml_xml_regexp_compile_fuzzer (https://code.google.com/p/chromium/codesearch#chromium/src/testing/libfuzzer/fuzzers/libxml_xml_regexp_compile_fuzzer.cc) always hits timeout in xmlRegexpCompile() function and fuzzing becomes useless. Reproduction steps: 1) Build 'libxml_xml_regexp_compile_fuzzer' target using this instruction https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer 2) Run it with the following parameter (file is attached): ./libxml_xml_regexp_compile_fuzzer -test_single_input=./timeout-946f09e885b1388ea98f19edff18cb87cd828d72 -timeout=10 The output will be like: ALARM: working on the last Unit for 1457361450 seconds and the timeout value is 10 (use -timeout=N to change) 0x5f,0x6f,0x5b,0x54,0x3c,0x6e,0x3e,0x6d,0x3c,0x3c,0x3f,0x78,0x6d,0x6c,0xee,0x76,0x65,0x72,0x6e,0x6f,0x74, _o[T<n>m<<?xml\xeevernot ==42534== ERROR: libFuzzer: timeout after 1457361450 seconds #0 0x4ba18e in __sanitizer_print_stack_trace (<...>/out/Release/libxml_xml_regexp_compile_fuzzer+0x4ba18e) #1 0x7cd59d in fuzzer::Fuzzer::AlarmCallback() third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:123:7 #2 0x7f6aa4b8133f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1033f) #3 0x8c33e9 in xmlFAParseCharRange third_party/libxml/src/xmlregexp.c:5060:9 #4 0x8c33e9 in xmlFAParsePosCharGroup third_party/libxml/src/xmlregexp.c:5078 #5 0x8c03f2 in xmlFAParseCharGroup third_party/libxml/src/xmlregexp.c:5119:6 #6 0x8bdd55 in xmlFAParseCharClass third_party/libxml/src/xmlregexp.c:5139:2 #7 0x8bdd55 in xmlFAParseAtom third_party/libxml/src/xmlregexp.c:5293 #8 0x8bdd55 in xmlFAParsePiece third_party/libxml/src/xmlregexp.c:5310 #9 0x8bd20e in xmlFAParseBranch third_party/libxml/src/xmlregexp.c:5345:8 #10 0x8a2e80 in xmlFAParseRegExp third_party/libxml/src/xmlregexp.c:5371:5 #11 0x8a216a in xmlRegexpCompile third_party/libxml/src/xmlregexp.c:5467:5 #12 0x4db800 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_regexp_compile_fuzzer.cc:29:20 #13 0x7d1708 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:266:13 #14 0x7be6d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:232:3 #15 0x7c28ad in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:326:5 #16 0x7c28ad in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:378 #17 0x7be4b2 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10 #18 0x7f6aa45b7ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287 SUMMARY: libFuzzer: timeout
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.