GNOME Bugzilla – Bug 774590
testapi: global-buffer-overflow in xmlBufAdd (buf.c:908)
Last modified: 2016-11-23 12:47:19 UTC
Compiled libxml2 with ASAN for fuzzing with AFL.

./testapi
Testing HTMLparser : 32 of 38 functions ...
=================================================================
==8553==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000c9ee20 at pc 0x92cfbf bp 0x7fff3e661060 sp 0x7fff3e661058
READ of size 122 at 0x000000c9ee20 thread T0
    #0 0x92cfbe in xmlBufAdd /home/geeknik/libxml2/buf.c:908
    #1 0x6bb842 in xmlParserInputBufferCreateMem /home/geeknik/libxml2/xmlIO.c:3038
    #2 0x769440 in htmlCreateMemoryParserCtxt /home/geeknik/libxml2/HTMLparser.c:5022
    #3 0x49490e in test_htmlCreateMemoryParserCtxt /home/geeknik/libxml2/testapi.c:1484
    #4 0x49490e in test_HTMLparser /home/geeknik/libxml2/testapi.c:2784
    #5 0x4dd83d in testlibxml2 /home/geeknik/libxml2/testapi.c:1249
    #6 0x407432 in main /home/geeknik/libxml2/testapi.c:154
    #7 0x7fe7f5633b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x408505 (/home/geeknik/libxml2/testapi+0x408505)

0x000000c9ee24 is located 0 bytes to the right of global variable '*.LC56' from 'testapi.c' (0xc9ee20) of size 4
  '*.LC56' is ascii string 'foo'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/geeknik/libxml2/buf.c:908 xmlBufAdd
Shadow bytes around the buggy address:
  0x00008018bd70: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x00008018bd80: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 01 f9
  0x00008018bd90: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x00008018bda0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 01
  0x00008018bdb0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x00008018bdc0: f9 f9 f9 f9[04]f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x00008018bdd0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008018bde0: 00 00 00 00 00 00 00 01 f9 f9 f9 f9 00 06 f9 f9
  0x00008018bdf0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x00008018be00: f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
  0x00008018be10: 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8553==ABORTING
*** This bug has been marked as a duplicate of bug 767154 ***