Description
There is a heap-buffer-overflow at ixmlparser.c:2045:6. It happened in CheckXML -> ixmlLoadDocumentEx -> Parser_LoadDocument -> Parser_parseDocument -> Parser_getNextNode.
Here is the ASan report:
==75284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000003bd at pc 0x559301aa5a4d bp 0x7ffed70ab630 sp 0x7ffed70ab628
READ of size 1 at 0x6110000003bd thread T0
#0 0x559301aa5a4c in Parser_getNextNode /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2045:6
#1 0x559301aa5a4c in Parser_parseDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2572:7
#2 0x559301aa5a4c in Parser_LoadDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2810:7
#3 0x559301a9e2bf in ixmlLoadDocumentEx /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixml.c:333:9
#4 0x559301a99b4d in CheckXML /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:17:10
#5 0x559301a99b4d in LLVMFuzzerTestOneInput /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:52:11
#6 0x5593019c23b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x4b3b3) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#7 0x5593019ac12f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3512f) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#8 0x5593019b1e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3ae86) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#9 0x5593019dbca2 in main (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x64ca2) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#10 0x7feda1129d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7feda1129e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x5593019a69f4 in _start (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x2f9f4) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
0x6110000003bd is located 0 bytes to the right of 253-byte region [0x6110000002c0,0x6110000003bd)
allocated by thread T0 here:
#0 0x559301a5ea2e in malloc (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0xe7a2e) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#1 0x559301aa0ec4 in Parser_readFileOrBuffer /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2757:13
#2 0x559301aa0ec4 in Parser_LoadDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2803:7
#3 0x559301a9e2bf in ixmlLoadDocumentEx /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixml.c:333:9
#4 0x559301a99b4d in CheckXML /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:17:10
#5 0x559301a99b4d in LLVMFuzzerTestOneInput /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:52:11
#6 0x5593019c23b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x4b3b3) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#7 0x5593019ac12f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3512f) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#8 0x5593019b1e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3ae86) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#9 0x5593019dbca2 in main (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x64ca2) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
#10 0x7feda1129d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2045:6 in Parser_getNextNode
Shadow bytes around the buggy address:
0x0c227fff8020: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8070: 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa fa
0x0c227fff8080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff8090: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c227fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff80c0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==75284==ABORTING
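Reading the report: the faulting access is a READ of size 1 located 0 bytes to the right of a 253-byte region that Parser_readFileOrBuffer allocated with malloc, i.e. the parser read exactly one byte past the end of the input buffer while scanning for the next node. The example below is added here to show the general shape of that bug class and its bounded counterpart; it is not ixml's code, it makes no claim about what line 2045 of Parser_getNextNode actually does, and every name in it (load_without_terminator, load_with_terminator, scan_tag_unbounded, scan_tag_bounded, demo) and the sample input are hypothetical constructions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the bug class behind a report of the form
 * "READ of size 1 ... 0 bytes to the right of N-byte region". This is NOT
 * ixml's code and says nothing about the real Parser_getNextNode; all names
 * here are hypothetical. The shape is typical of a tokenizer that either
 * assumes the input is NUL-terminated when the loader copied exactly `len`
 * bytes, or that dereferences *p before checking p < end.
 */

/* Loader that copies exactly input_len bytes and adds no terminator. Any scan
 * that relies on hitting '\0' will read buf[input_len], one byte past the end. */
static char *load_without_terminator(const char *input, size_t input_len)
{
    char *buf = malloc(input_len);           /* region is exactly input_len bytes */
    if (buf == NULL)
        return NULL;
    memcpy(buf, input, input_len);
    return buf;
}

/* Loader-side fix: allocate one extra byte and terminate, so terminator-driven
 * scanning cannot leave the region. */
static char *load_with_terminator(const char *input, size_t input_len)
{
    char *buf = malloc(input_len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return buf;
}

/* Unbounded scan: stops at '>' or '\0'. On a buffer from load_without_terminator
 * that contains no '>', the loop reads p[len], which is exactly the 1-byte READ
 * AddressSanitizer flags. Only call it on a terminated buffer. */
static size_t scan_tag_unbounded(const char *p)
{
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '>')
        n++;
    return n;
}

/* Parser-side fix: the length travels with the pointer and the range check is
 * evaluated before the byte is dereferenced. *found reports whether '>' was
 * seen inside the region, so a truncated tag is reported, not read past. */
static size_t scan_tag_bounded(const char *p, size_t len, int *found)
{
    size_t n = 0;
    while (n < len && p[n] != '>')
        n++;
    *found = (n < len);
    return n;
}

/* Constructed sample: the document is cut off inside the second tag, so the
 * last tag has no closing '>'. Returns the bounded scanner's byte count. */
static int demo(void)
{
    static const char input[] = "<root><item attr=\"x\"";
    size_t len = sizeof(input) - 1;          /* 20 bytes, "<root>" is the first 6 */
    int found;

    char *raw = load_without_terminator(input, len);
    char *terminated = load_with_terminator(input, len);
    if (raw == NULL || terminated == NULL)
        return -1;

    /* Safe on the unterminated copy: the bounded scanner never touches p[len]. */
    size_t bounded = scan_tag_bounded(raw + 6, len - 6, &found);
    printf("bounded scan: consumed %zu bytes, '>' found: %d\n", bounded, found);

    /* Safe only because this copy carries a terminator. */
    size_t unbounded = scan_tag_unbounded(terminated + 6);
    printf("unbounded scan on terminated copy: consumed %zu bytes\n", unbounded);

    free(raw);
    free(terminated);
    return (int)bounded;
}

int main(void)
{
    return demo() < 0 ? 1 : 0;
}
```

Which of the two fixes applies depends on where the real defect is: if the loader is expected to hand the parser a C string, the allocation in the loader must be len + 1 with an explicit terminator; if the parser is expected to work on a raw byte range, every lookahead in it has to be guarded by the remaining length. The ASan shadow map (the `05` byte followed by `fa` redzone) confirms the access landed on the first byte after the region, which is consistent with either cause.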