michaelrsweet/mxml

mxml-V4.0.2 stack-overflow in Function mxmlLoadString

ypcd opened this issue · 2 comments

ypcd commented

mxml-V4.0.2 stack-overflow in Function mxmlLoadString

mxml version: V4.0.2, master(2024-4-13)

clang version: V17.0.6

Computer model: apple macbook air M1 (arm64)

Operating system version: centos steam 9 (kernel 5.14.0-435.el9.aarch64)

I'm building mxml 4.0.2 using clang 17 and AddressSanitizer.
Performing the following operations results in a "stack-overflow" error in the mxmlLoadString function in the "mxml-file.c" file.

error message:

AddressSanitizer:DEADLYSIGNAL
================================================== ===============
==25150==ERROR: AddressSanitizer: stack-overflow on address 0xffffe4b7d1e5 (pc 0xffffe4b7d1e5 bp 0xffffe4b7c000 sp 0xffffe4b7bee0 T0)
/usr/bin/llvm-symbolizer: error: '[stack]': No such file or directory
     #0 0xffffe4b7d1e5 ([stack]+0x201e5)
     #1 0xffffb3c2aeec in mxmlLoadString /home/user2/mxml-master/mxml-file.c:242:11
     #2 0x50cf88 in main /home/user2/mxml-master/./mxml--V4_test_input--.cpp:19:8
     #3 0xffffb36692fc in __libc_start_call_main (/lib64/libc.so.6+0x272fc) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #4 0xffffb36693d4 in __libc_start_main@GLIBC_2.17 (/lib64/libc.so.6+0x273d4) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #5 0x4304ac in _start (/home/user2/mxml-master/mxml_input+0x4304ac) (BuildId: 908a0efe4e2999feab4c16425ebf978ed47bf77f)

SUMMARY: AddressSanitizer: stack-overflow ([stack]+0x201e5)
==25150==ABORTING

Reproduction steps:
mxml--V4.0.2--stack-overflow.zip

Install clang 17.
Unzip the "mxml-4.0.2.tar.gz" file and obtain the "mxml-4.0.2" folder.


The files in the mxml--V4.0.2--stack-overflow.zip compressed package are "mxml--V4_test_input--.cpp", "mxml-V4.0.2--crash--stack-overflow.txt", "run .mxml-V4.input--single-file--.sh", copy to the "mxml-4.0.2" folder.

Under the "mxml-4.0.2" folder, execute the following command:

source run.mxml-V4.input--single-file--.sh or ./run.mxml-V4.input--single-file--.sh
(Be careful not to use sh run.mxml-V4.input--single-file--.sh, the script file will set environment variables)

./mxml_input < ./mxml-V4.0.2--crash--stack-overflow.txt
(Note: The error will not be triggered every time. You will need to run it a few times.)

OK, so your test code passes an uninitialized mxml_options_t pointer. I'm not able to reproduce when it is initialized to NULL.

I will also advise you not to include the Mini-XML private header since that isn't something you normally will have access to since it is private to the library, subject to change at any time, and not public API...

ypcd commented

Hello, thank you for your reply.
The source code for the example I wrote is wrong.
My example cannot prove that mxml has security vulnerabilities.