SEGV in DOMXMLDoc_node_end at sxmlc.c:1600
Closed this issue · 1 comment
bladchan commented
Describe the bug
A bad XML file which leads XMLDoc_parse_file_DOM to a segmentation fault.
PoC here:
segv1.zip
To Reproduce
- Build the whole project with ASAN
- Driver program (compile it with ASAN too):

```c
// driver.c
#include "sxmlc.h"
#include "sxmlsearch.h"

int main(int argc, char** argv) {
    if (argc != 2) return 0;                 // usage: ./driver <xml-file>
    XMLDoc doc;
    XMLDoc_init(&doc);                       // initialise the DOM document
    XMLDoc_parse_file_DOM(argv[1], &doc);    // parse the (malformed) input file
    XMLDoc_free(&doc);                       // release the document
    return 0;
}
```

- Run the PoC:

```
$ ./driver ./segv1
```
Expected behavior
Parse the XML file without a segmentation fault, because a segmentation fault can cause a Denial of Service (DoS).
Environment (please complete the following information):
- System and version: Ubuntu 18.04 + gcc 7.5.0
- commit version: 87bb134
Additional context
ASAN says:

```
$ ./driver segv1
ASAN:DEADLYSIGNAL
=================================================================
==127014==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f568dd6ee1a bp 0x7ffd78b77380 sp 0x7ffd78b76ae0 T0)
==127014==The signal is caused by a READ memory access.
==127014==Hint: address points to the zero page.
    #0 0x7f568dd6ee19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19)
    #1 0x7f568daf602b in DOMXMLDoc_node_end /home/ubuntu/some_c_test/sxmlc/src/sxmlc.c:1600
    #2 0x7f568dafbb45 in _parse_data_SAX /home/ubuntu/some_c_test/sxmlc/src/sxmlc.c:1515
    #3 0x7f568daf85cd in XMLDoc_parse_file_SAX /home/ubuntu/some_c_test/sxmlc/src/sxmlc.c:1780
    #4 0x7f568dafe74c in XMLDoc_parse_file_DOM_text_as_nodes /home/ubuntu/some_c_test/sxmlc/src/sxmlc.c:1831
    #5 0x55ce76aa2d99 in main /home/ubuntu/some_c_test/sxmlc/fuzz/driver.cpp:10
    #6 0x7f568d70bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #7 0x55ce76aa2e89 in _start (/home/ubuntu/some_c_test/sxmlc/fuzz/driver+0xe89)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x59e19)
==127014==ABORTING
```
matthieu-labas commented
Indeed, that file is not XML (from what I can see) and the node tag is NULL.
I fixed it in v4.5.3.
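As an added illustration of the failure mode the maintainer describes (a NULL node tag reaching the DOM node-end callback), here is a small stand-alone C sketch, not sxmlc's code and not its fix, of a hypothetical DOM builder whose end-element callback checks the tag it is handed and reports a malformed document instead of dereferencing NULL. The names `DomBuilder`, `dom_node_start`, `dom_node_end` and `replay` are hypothetical, and the event sequences fed to it are constructed inline.

```c
// Added example, not sxmlc's code: a hypothetical DOM builder whose
// end-element callback validates the tag it is handed instead of
// dereferencing it blindly.
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

typedef struct {
    const char *tag;          // element name, points into the parser's input
} Node;

typedef struct {
    Node stack[MAX_DEPTH];    // currently open elements, innermost last
    int  depth;
    int  error;               // set once the document has been rejected
} DomBuilder;

// Start-element callback: push a new open element. Returns 1 to continue
// parsing, 0 to abort (NULL tag or nesting too deep).
int dom_node_start(DomBuilder *b, const char *tag) {
    if (b == NULL) return 0;
    if (tag == NULL || b->depth >= MAX_DEPTH) {
        b->error = 1;
        return 0;
    }
    b->stack[b->depth++].tag = tag;
    return 1;
}

// End-element callback: the closing tag must be present and must match the
// innermost open element. The NULL-tag case (what a malformed input can
// produce) is reported as an error rather than handed to strcmp().
int dom_node_end(DomBuilder *b, const char *tag) {
    if (b == NULL) return 0;
    if (tag == NULL || b->depth == 0 ||
        strcmp(b->stack[b->depth - 1].tag, tag) != 0) {
        b->error = 1;
        return 0;
    }
    b->depth--;
    return 1;
}

// A parser event: is_end == 0 for "<tag>", 1 for "</tag>".
typedef struct { int is_end; const char *tag; } Event;

// Replay a constructed event sequence through the builder. Returns 1 only if
// every event was accepted and all elements were closed.
int replay(const Event *ev, size_t n) {
    DomBuilder b = {0};
    for (size_t i = 0; i < n; i++) {
        int ok = ev[i].is_end ? dom_node_end(&b, ev[i].tag)
                              : dom_node_start(&b, ev[i].tag);
        if (!ok) return 0;
    }
    return b.depth == 0 && !b.error;
}

// Constructed well-formed document: <a><b></b></a>
int run_good(void) {
    const Event ev[] = { {0, "a"}, {0, "b"}, {1, "b"}, {1, "a"} };
    return replay(ev, sizeof ev / sizeof ev[0]);
}

// Constructed malformed input: the closing tag arrives as NULL, the
// situation that became a SEGV in the report above.
int run_null_tag(void) {
    const Event ev[] = { {0, "a"}, {1, NULL} };
    return replay(ev, sizeof ev / sizeof ev[0]);
}

// Constructed mis-nested input: <a></b>
int run_mismatch(void) {
    const Event ev[] = { {0, "a"}, {1, "b"} };
    return replay(ev, sizeof ev / sizeof ev[0]);
}

int main(void) {
    printf("well-formed: %d, NULL tag: %d, mismatch: %d\n",
           run_good(), run_null_tag(), run_mismatch());
    return 0;
}
```

The point of the sketch is that a SAX-driven DOM builder owns the only place where the tag pointer is checked before use; a parser that tolerates non-XML input will hand the callback whatever it managed to extract, so the callback has to treat a missing tag as "reject the document" rather than assume the well-formed case.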