Multiple Crashes in XML Verification Due to Invalid Node Name Processing
Closed this issue · 1 comments
cktii commented
Description
Two related issues in BehaviorTreeFactory's XML verification can lead to crashes when processing XML nodes:
- Incorrect Child Name Access: The code always gets the name of the first child instead of the current child in the loop
- Invalid Iterator Access: The code attempts to dereference an iterator without checking if the node type was found
BehaviorTree.CPP/src/xml_parsing.cpp
Lines 547 to 553 in 48f6c5b
Found in commit: 48f6c5b
Bug Class
Memory Safety - Null Pointer Dereference
Crash Details
The crash occurs in VerifyXML() at line 553:
const std::string child_name = node->FirstChildElement()->Name(); // Wrong!
const auto child_search = registered_nodes.find(child_name);
const auto child_type = child_search->second; // Crashes hereRoot Cause
In the loop processing children, the code incorrectly uses node->FirstChildElement() instead of child->Name(). When an unknown node type (":eq") is encountered, the code doesn't check if it was found in registered_nodes before accessing.
Impact
- Memory access violation/segfault when processing XML with unknown node types
- Logic error: validation only checks the first child repeatedly, missing issues with other children
Proposed Fix
for(auto child = node->FirstChildElement(); child != nullptr; child = child->NextSiblingElement())
{
const std::string child_name = child->Name(); // Fix 1: Use current child
const auto child_search = registered_nodes.find(child_name);
if(child_search == registered_nodes.end()) { // Fix 2: Check iterator
ThrowError(child->GetLineNum(),
std::string("Unknown node type: ") + child_name);
}
const auto child_type = child_search->second;
// ... rest of the code ...
}Additional Notes
- Found via fuzzing with AFL++ and AddressSanitizer
- The bug affects XML validation, which is a critical security boundary for the library
- Both issues appear in the same code block but are independent problems
facontidavide commented