Parsing the following XML file results in a crash of microxml.
XML file hexdump:

```
00000000  ef bb bf 20 3f 78 6d 6c  30 22 20 65 6e 63 6f 64  |... ?xml0" encod|
00000010  69 6e 67 3d 22 55 54 46  2d 38 22 3f 3e 0a 3c 21  |ing="UTF-8"?>.<!|
00000020  44 4f 43 54 59 50 45 20  68 74 6d 6c 20 50 55 42  |DOCTYPE html PUB|
00000030  4c 49 43 3e 0a                                    |LIC>.|
00000035
```
How to reproduce:

```c
#include <stdio.h>
#include "microxml.h"

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s file.xml\n", argv[0]);
        return 1;
    }
    FILE *fp = fopen(argv[1], "r");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }
    /* The crash happens inside this call, while mxml_error formats its message. */
    mxml_node_t *tree = mxmlLoadFile(NULL, fp, MXML_NO_CALLBACK);
    fclose(fp);
    mxmlDelete(tree);
    return 0;
}
```

gdb:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79552c1 in __strlen_avx2 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff79552c1 in __strlen_avx2 () from /lib64/libc.so.6
#1  0x00007ffff7826a26 in vfprintf () from /lib64/libc.so.6
#2  0x00007ffff7851d80 in vsnprintf () from /lib64/libc.so.6
#3  0x000000000040cecc in mxml_error (format=0x40ecc8 "<%s> cannot be a second root node after <%s>")
    at mxml-private.c:85
#4  0x0000000000403d04 in mxml_load_data (top=<optimized out>, p=<optimized out>, cb=<optimized out>,
    getc_cb=<optimized out>, sax_cb=<optimized out>, sax_data=<optimized out>) at mxml-file.c:1541
#5  0x00000000004012c1 in main (argc=<optimized out>, argv=<optimized out>) at foo.c:7
```
valgrind:

```
==26448== Memcheck, a memory error detector
==26448== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==26448== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==26448== Command: ./foo vuln.xml
==26448==
==26448== Invalid read of size 1
==26448==    at 0x4C32B82: strlen (vg_replace_strmem.c:458)
==26448==    by 0x50B0A25: vfprintf (in /usr/lib64/libc-2.26.so)
==26448==    by 0x50DBD7F: vsnprintf (in /usr/lib64/libc-2.26.so)
==26448==    by 0x40CECB: mxml_error (mxml-private.c:85)
==26448==    by 0x403D03: mxml_load_data (mxml-file.c:0)
==26448==    by 0x4012C0: main (foo.c:7)
==26448==  Address 0x1 is not stack'd, malloc'd or (recently) free'd
==26448==
==26448==
==26448== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==26448==  Access not within mapped region at address 0x1
==26448==    at 0x4C32B82: strlen (vg_replace_strmem.c:458)
==26448==    by 0x50B0A25: vfprintf (in /usr/lib64/libc-2.26.so)
==26448==    by 0x50DBD7F: vsnprintf (in /usr/lib64/libc-2.26.so)
==26448==    by 0x40CECB: mxml_error (mxml-private.c:85)
==26448==    by 0x403D03: mxml_load_data (mxml-file.c:0)
==26448==    by 0x4012C0: main (foo.c:7)
==26448==  If you believe this happened as a result of a stack
==26448==  overflow in your program's main thread (unlikely but
==26448==  possible), you can try to increase the size of the
==26448==  main thread stack using the --main-stacksize= flag.
==26448==  The main thread stack size used in this run was 8388608.
==26448==
==26448== HEAP SUMMARY:
==26448==     in use at exit: 1,658 bytes in 7 blocks
==26448==   total heap usage: 8 allocs, 1 frees, 5,754 bytes allocated
==26448==
==26448== LEAK SUMMARY:
==26448==    definitely lost: 88 bytes in 1 blocks
==26448==    indirectly lost: 19 bytes in 1 blocks
==26448==      possibly lost: 0 bytes in 0 blocks
==26448==    still reachable: 1,551 bytes in 5 blocks
==26448==         suppressed: 0 bytes in 0 blocks
==26448== Rerun with --leak-check=full to see details of leaked memory
==26448==
==26448== For counts of detected and suppressed errors, rerun with: -v
==26448== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
```
Best regards,
Stephan Zeisberg
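The traces above show vsnprintf calling strlen() on address 0x1, i.e. a `%s` argument that is not a string. As an added illustration (not microxml's code; the node struct below is a hypothetical stand-in, not microxml's layout), this shows the general pattern in which a pointer for `%s` is read from a tagged union without checking the tag, next to the checked accessor an error-reporting path should use instead:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical parser node, NOT microxml's real struct: only ELEMENT nodes
 * carry a name pointer; TEXT nodes keep an int flag in the same storage. */
typedef enum { NODE_ELEMENT, NODE_TEXT } node_type_t;

typedef struct {
    node_type_t type;
    union {
        struct { const char *name; } element;                /* NODE_ELEMENT */
        struct { int whitespace; const char *string; } text; /* NODE_TEXT */
    } value;
} node_t;
/* Vulnerable pattern: reads value.element.name whatever the tag says. For a
 * TEXT node the bytes read are the int flag (plus padding), so on a typical
 * LP64 little-endian build the "pointer" is something like 0x1; handing it
 * to %s makes strlen() inside vsnprintf fault, as in the backtrace above. */
static const char *node_name_unchecked(const node_t *n)
{
    return n->value.element.name;
}

/* Hardened: hand a string to %s only when the tag says one exists. */
static const char *node_name_checked(const node_t *n)
{
    if (n->type == NODE_ELEMENT && n->value.element.name != NULL)
        return n->value.element.name;
    return "(non-element node)";
}

/* Error formatting through the checked accessor; returns snprintf's length. */
static int format_root_error(char *buf, size_t len,
                             const node_t *new_root, const node_t *old_root)
{
    return snprintf(buf, len, "<%s> cannot be a second root node after <%s>",
                    node_name_checked(new_root), node_name_checked(old_root));
}

int main(void)
{
    /* Constructed sample: stray text before the DOCTYPE, then an element. */
    node_t text = { NODE_TEXT, { .text = { 1, " ?xml0" } } };
    node_t html = { NODE_ELEMENT, { .element = { "html" } } };
    char buf[128];
    printf("unchecked: %p\n", (const void *)node_name_unchecked(&text)); /* value only, never dereferenced */
    format_root_error(buf, sizeof buf, &html, &text);
    puts(buf);
    return 0;
}
```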