Expat XML Parser / Bugs / #516 Crash during fuzz testing with Expat 2.1.0 and 1.95.0: lookup

#516 Crash during fuzz testing with Expat 2.1.0 and 1.95.0: lookup

Milestone: Feature Request

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2017-09-03

Created: 2013-12-11

Creator: pjl

Private: No

I've been testing two versions (1.95.0 and 2.1.0) of Expat using the Radamsa fuzz testing tool (https://code.google.com/p/ouspg/wiki/Radamsa). This tool generates a ton of malformed input from a sample file. I used the XML specification as an input since it has tons of encoding edge cases.

I see a crash inside lookup() in 1.95.0 with the following stacktrace:

#0  0x00007fff884847bb in lookup ()
(gdb) bt
#0  0x00007fff884847bb in lookup ()
#1  0x00007fff8848997f in storeAtts ()
#2  0x00007fff88488f67 in doContent ()
#3  0x00007fff884875ab in contentProcessor ()
#4  0x00007fff88483f42 in XML_ParseBuffer ()
#5 0x000000010f711d13 in main (argc=<value temporarily unavailable, due to         optimizations>, argv=<value temporarily unavailable, due to optimizations>) at     outline.c:75

And in 2.1.0:

    #0  lookup (parser=0x7fff5d3f7820, table=0xe812bb37c0988700,         name=0x7fff5d3f7820 "?x?]?", createSize=140734757828640) at xmlparse.c:5995
    5995          if (keyeq(name, table->v[i]->name))
    (gdb) bt
    #0  lookup (parser=0x7fff5d3f7820, table=0xe812bb37c0988700,     name=0x7fff5d3f7820 "?x?]?", createSize=140734757828640) at xmlparse.c:5995
    #1  0x00000001028173b6 in storeAtts (parser=0x7ff2dbc039c0, enc=0x7fff5d3f78e0,     attStr=0x7fff5d3f78e0 "?y?]?", tagNamePtr=0x7fff5d3f78e0,     bindingsPtr=0x7fff5d3f78e0) at xmlparse.c:2716
    #2  0x0000000102818fcf in doContent (s=0x7ff2dc016c0c "<lhs>CDSect</lhs>\r\n\t\t\t\t\t\t<rhs>\r\n\t\t\t\t\t\t\t<nt def=\"NT-CDStart\">CDStart</nt>\r\n\t\t\t\t\t\t\t<nt def=\"NT-CData\">CData</nt>\r\n\t\t\t\t\t\t\t<nt def=\"NT-CDEnd\">CDEnd</nt>\r\n\t\t\t\t\t\t</rhs>\r\n\t\t\t\t\t</prod>\r\n\t\t\t\t\t<prod id=\"NT-CDSt"..., parser=0x7ff2dbc039c0, startTagLevel=1564441072, enc=0x7ff2dc016c0c, end=0x7fff5d3f79f0 " z?]?", nextPtr=0x7fff5d3f79f0, haveMore=1 '\001') at xmlparse.c:2439
    #3  0x0000000102819d88 in contentProcessor (parser=Cannot access memory at address 0x0
    ) at xmlparse.c:2106
    #4  0x0000000102814757 in XML_ParseBuffer (parser=0x7ff2dbc039c0, len=8192,     isFinal=0) at xmlparse.c:1651
    #5  0x0000000102808c23 in main (argc=-608159296, argv=0xdbc0401000000000) at     outline.c:94

The following are attached, hopefully they'll be enough to reproduce the bug:

The XML spec used as input to Radamsa
The shell script used to run Radamsa against the Expat example code
The malformed XML that Radamsa produced
The OSX binary of the Expat example code

I also have the core files but there's a little big to upload here. Ping me if you'd like them in DropBox or elsewhere.

6 Attachments

REC-xml-20081126.xml

expat_new.core3.xml

expat_old.core3.xml

outline

radamsa_expat_new.sh

radamsa_expat_old.sh

Discussion

summary: Crash during fuzz testing with Expat 2.1.0 and 1.95.0 --> Crash during fuzz testing with Expat 2.1.0 and 1.95.0: lookup
Description has changed:

Diff:

--- old
+++ new
@@ -12,6 +12,7 @@
     #5 0x000000010f711d13 in main (argc=<value temporarily unavailable, due to         optimizations>, argv=<value temporarily unavailable, due to optimizations>) at     outline.c:75

 And in 2.1.0:
+~~~~
     #0  lookup (parser=0x7fff5d3f7820, table=0xe812bb37c0988700,         name=0x7fff5d3f7820 "?x?]?", createSize=140734757828640) at xmlparse.c:5995
     5995         if (keyeq(name, table->v[i]->name))
     (gdb) bt
@@ -22,12 +23,13 @@
     ) at xmlparse.c:2106
     #4  0x0000000102814757 in XML_ParseBuffer (parser=0x7ff2dbc039c0, len=8192,     isFinal=0) at xmlparse.c:1651
     #5  0x0000000102808c23 in main (argc=-608159296, argv=0xdbc0401000000000) at     outline.c:94
-
+~~~~

 The following are attached, hopefully they'll be enough to reproduce the bug:
---The XML spec used as input to Radamsa
---The shell script used to run Radamsa against the Expat example code
---The malformed XML that Radamsa produced
---The OSX binary of the Expat example code
+
+* The XML spec used as input to Radamsa
+* The shell script used to run Radamsa against the Expat example code
+* The malformed XML that Radamsa produced
+* The OSX binary of the Expat example code

 I also have the core files but there's a little big to upload here.  Ping me if you'd like them in DropBox or elsewhere.

Crash during fuzz testing with Expat 2.1.0 and 1.95.0: lookup

Fast XML parser library in C

Group

Searches

Help

#516 Crash during fuzz testing with Expat 2.1.0 and 1.95.0: lookup

Discussion