#516 Crash during fuzz testing with Expat 2.1.0 and 1.95.0

Feature Request
open
nobody
None
5
2013-12-11
2013-12-11
pjl
No

I've been testing two versions (1.95.0 and 2.1.0) of Expat using the Radamsa fuzz testing tool (https://code.google.com/p/ouspg/wiki/Radamsa). This tool generates a ton of malformed input from a sample file. I used the XML specification as an input since it has tons of encoding edge cases.

I see a crash inside lookup() in 1.95.0 with the following stacktrace:

#0  0x00007fff884847bb in lookup ()
(gdb) bt
#0  0x00007fff884847bb in lookup ()
#1  0x00007fff8848997f in storeAtts ()
#2  0x00007fff88488f67 in doContent ()
#3  0x00007fff884875ab in contentProcessor ()
#4  0x00007fff88483f42 in XML_ParseBuffer ()
#5  0x000000010f711d13 in main (argc=<value temporarily unavailable, due to optimizations>, argv=<value temporarily unavailable, due to optimizations>) at outline.c:75

And in 2.1.0:

#0 lookup (parser=0x7fff5d3f7820, table=0xe812bb37c0988700, name=0x7fff5d3f7820 "?x?]?", createSize=140734757828640) at xmlparse.c:5995
5995 if (keyeq(name, table->v[i]->name))
(gdb) bt
#0 lookup (parser=0x7fff5d3f7820, table=0xe812bb37c0988700, name=0x7fff5d3f7820 "?x?]?", createSize=140734757828640) at xmlparse.c:5995
#1 0x00000001028173b6 in storeAtts (parser=0x7ff2dbc039c0, enc=0x7fff5d3f78e0, attStr=0x7fff5d3f78e0 "?y?]?", tagNamePtr=0x7fff5d3f78e0, bindingsPtr=0x7fff5d3f78e0) at xmlparse.c:2716
#2 0x0000000102818fcf in doContent (s=0x7ff2dc016c0c "<lhs>CDSect</lhs>\r\n\t\t\t\t\t\t<rhs>\r\n\t\t\t\t\t\t\t<nt def="\\"NT-CDStart\\"">CDStart</nt>\r\n\t\t\t\t\t\t\t<nt def="\\"NT-CData\\"">CData</nt>\r\n\t\t\t\t\t\t\t<nt def="\\"NT-CDEnd\\"">CDEnd</nt>\r\n\t\t\t\t\t\t</rhs>\r\n\t\t\t\t\t</prod>\r\n\t\t\t\t\t<prod id=\"NT-CDSt"..., parser=0x7ff2dbc039c0, startTagLevel=1564441072, enc=0x7ff2dc016c0c, end=0x7fff5d3f79f0 " z?]?", nextPtr=0x7fff5d3f79f0, haveMore=1 '\001') at xmlparse.c:2439
#3 0x0000000102819d88 in contentProcessor (parser=Cannot access memory at address 0x0
) at xmlparse.c:2106
#4 0x0000000102814757 in XML_ParseBuffer (parser=0x7ff2dbc039c0, len=8192, isFinal=0) at xmlparse.c:1651
#5 0x0000000102808c23 in main (argc=-608159296, argv=0xdbc0401000000000) at outline.c:94

The following are attached, hopefully they'll be enough to reproduce the bug:
--The XML spec used as input to Radamsa
--The shell script used to run Radamsa against the Expat example code
--The malformed XML that Radamsa produced
--The OSX binary of the Expat example code

I also have the core files, but they're a little big to upload here. Ping me if you'd like them via Dropbox or elsewhere.
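For anyone who wants to repeat this kind of campaign against their own Expat build, the following driver is an added example and not the reporter's attached script. It assumes radamsa is on PATH (its -s seed and -o output options are real), that the Expat outline example has been compiled as ./outline and reads the document from stdin (which the stock outline.c does), and that SEED points at a well-formed sample such as the XML spec; the paths and the case count are placeholders. Crashes are recognised from the exit status, because a POSIX shell reports a process killed by signal N as status 128+N, so a SIGSEGV like the one in lookup() surfaces as 139 and an assert or AddressSanitizer abort as 134.

```shell
#!/bin/sh
# Added example fuzz driver for Expat's outline sample (not the reporter's script).
# Assumed placeholders: radamsa on PATH, ./outline built from Expat's examples,
# a seed document, a case count and an output directory for crashing inputs.
RADAMSA="${RADAMSA:-radamsa}"
TARGET="${TARGET:-./outline}"
SEED="${SEED:-xmlspec.xml}"
CASES="${CASES:-1000}"
OUTDIR="${OUTDIR:-crashes}"

# Map an exit status to a verdict. Status 128+N means the target died from
# signal N: 139 is SIGSEGV, 134 is SIGABRT (assert/ASan), 136 is SIGFPE.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "crash-sigsegv" ;;
        134) echo "crash-sigabrt" ;;
        136) echo "crash-sigfpe" ;;
        *)
            if [ "$1" -gt 128 ] && [ "$1" -lt 256 ]; then
                echo "crash-signal-$(( $1 - 128 ))"
            else
                # Non-zero but no signal: the parser rejected the input cleanly.
                echo "error-exit-$1"
            fi
            ;;
    esac
}

# True when a verdict denotes a signal-induced crash worth keeping.
is_crash() {
    case "$1" in
        crash-*) return 0 ;;
        *)       return 1 ;;
    esac
}

run_campaign() {
    mkdir -p "$OUTDIR"
    found=0
    i=0
    while [ "$i" -lt "$CASES" ]; do
        i=$(( i + 1 ))
        case_file="$OUTDIR/case-$i.xml"
        # Mutate the seed; fixing radamsa's seed to the case number makes
        # every case regenerable without keeping all of them on disk.
        "$RADAMSA" -s "$i" -o "$case_file" "$SEED"
        status=0
        "$TARGET" < "$case_file" >/dev/null 2>&1 || status=$?
        verdict=$(classify_status "$status")
        if is_crash "$verdict"; then
            found=$(( found + 1 ))
            mv "$case_file" "$OUTDIR/$verdict-$i.xml"
            echo "case $i: $verdict (saved)"
        else
            rm -f "$case_file"
        fi
    done
    echo "$found crashing inputs saved in $OUTDIR"
}

# Only start fuzzing when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    run_campaign
fi
```

Run it as `sh fuzz.sh run`; each saved file can then be fed to the target under gdb exactly as in the backtraces above. Building outline against an Expat compiled with -fsanitize=address turns the silent memory corruption visible here (note the garbage table pointer passed to lookup()) into an immediate SIGABRT with a report naming the first bad access, which is far easier to triage than a crash several frames later.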

6 Attachments