• summary: Crash during fuzz testing in Expat 2.1.0 --> Crash during fuzz testing in Expat 2.1.0: poolDestroy
  • Description has changed:

Diff:

--- old
+++ new
@@ -1,17 +1,20 @@
 I've been testing two versions (1.95.0 and 2.1.0) of Expat using the Radamsa fuzz testing tool (https://code.google.com/p/ouspg/wiki/Radamsa). This tool generates a ton of malformed input from a sample file. I used the XML specification as an input since it has tons of encoding edge cases.

 I see a crash inside XML_ParserFree in 2.1.0 with this stacktrace:
+~~~~
     #0  poolDestroy [inlined] () at /Users/pjl/project/test_projects/expat/expat-   2.1.0/lib/xmlparse.c:6132
     6132       BLOCK *tem = p->next;
     (gdb) bt
     #0 poolDestroy [inlined] () at /Users/pjl/project/test_projects/expat/expat-2.1.0/lib/xmlparse.c:6132
     #1  0x000000010ac03a70 in XML_ParserFree (parser=0x65646d7265742020) at xmlparse.c:1170
     #2  0x000000010abf9c34 in main (argc=1702109216, argv=0x10ac45a00) at outline.c:104
-
+~~~~

 The following are attached, hopefully they'll be enough to reproduce the bug:
---The XML spec used as input to Radamsa
---The shell script used to run Radamsa against the Expat example code
---The malformed XML that Radamsa produced
---The OSX binary of the Expat example code
+
+* The XML spec used as input to Radamsa
+* The shell script used to run Radamsa against the Expat example code
+* The malformed XML that Radamsa produced
+* The OSX binary of the Expat example code
+
 I also have the core files but there's a little big to upload here. Ping me if you'd like them in DropBox or elsewhere.
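Review bot: the argument values in the backtrace are printable ASCII rather than plausible pointers or counts, which points at stack corruption upstream of the faulting line rather than at poolDestroy itself: `parser=0x65646d7265742020` decodes byte-for-byte to 'e','d','m','r','e','t',' ',' ', and `argc=1702109216` is 0x65742020, again ASCII, so main's own frame had already been overwritten with input data by the time XML_ParserFree dereferenced `p->next` at xmlparse.c:6132. The description should therefore state whether outline.c is the unmodified examples/outline.c shipped with 2.1.0 (or what was changed, in particular the read buffer handling) and give the exact command line used, so a triager can tell whether the smash originates in the example harness or in the library before digging into the core file.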