ezXML Bugs
Status: Beta
Brought to you by: voisine
Function ezxml_ent_ok() uses recursion, and for a crafted XML file it fails to stop the consecutive calls, filling the execution stack and crashing the application.
Crash report from ASAN:
./ezxml_asan.exe crash_012_stack_ezxml_ent_ok.raw
ASAN:DEADLYSIGNAL
=================================================================
==29237==ERROR: AddressSanitizer: stack-overflow on address 0x7fff9aa94f88 (pc 0x0000004361d7 bp 0x7fff9aa957f0 sp 0x7fff9aa94f90 T0)
    #0 0x4361d6 in __interceptor_strlen.part.45 (ezxml-0.8.6/ezxml_asan.exe+0x4361d6)
    #1 0x4ed796 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed796)
    #2 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)
    #3 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)
    #4 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)
    #5 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)
    ...
    #250 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)
    #251 0x4ed973 in ezxml_ent_ok (ezxml-0.8.6/ezxml_asan.exe+0x4ed973)

SUMMARY: AddressSanitizer: stack-overflow (ezxml-0.8.6/ezxml_asan.exe+0x4361d6) in __interceptor_strlen.part.45
==29237==ABORTING
Reproduction:
Sample XML file leading to crash:
crash_012_stack_ezxml_ent_ok.raw
Code snippet for reproduction:
#include "ezxml.h"

ezxml_t result = ezxml_parse_file("crash_012_stack_ezxml_ent_ok.raw"); /* parsing the crafted file recurses in ezxml_ent_ok() until the stack is exhausted */
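The report shows a recursive entity-definition check that, on a crafted table of entity definitions, never reaches a base case and walks the stack into the ground. The following is an added example (not ezXML's code and not the reporter's) of how such a check stays bounded: it validates that an entity's definition never refers back to its own name, follows references into other entities, and stops with a distinct result once the chain is deeper than a fixed limit, which is exactly what a cycle among other entities would produce. The entity-table layout (flat name/value pairs ending in NULL), the limit ENT_MAX_DEPTH, and the function names are assumptions of this example; the sample tables are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: how deep a reference chain may go before we
 * give up.  A cyclic definition among entities other than the one being
 * checked would otherwise recurse without end. */
#define ENT_MAX_DEPTH 32

/* Assumed table layout: name0, value0, name1, value1, ..., NULL.
 * Values may contain references of the form "&name;" to other entries. */
static const char *lookup(const char **ent, const char *ref, size_t len)
{
    for (size_t i = 0; ent[i]; i += 2)
        if (strlen(ent[i]) == len && memcmp(ent[i], ref, len) == 0)
            return ent[i + 1];
    return NULL;
}

/* Returns 1 if definition `s` of entity `name` never refers back to `name`,
 * 0 if it does (directly or through other entities), and -1 if following
 * the references exceeds ENT_MAX_DEPTH.  `depth` is the bound that keeps a
 * crafted table from consuming unbounded stack. */
int ent_ok_bounded(const char *name, const char *s, const char **ent, int depth)
{
    if (depth > ENT_MAX_DEPTH) return -1;
    for (;;) {
        while (*s && *s != '&') s++;            /* find the next reference */
        if (!*s) return 1;                      /* no more references: fine */
        const char *start = ++s;
        while (*s && *s != ';') s++;            /* find the end of "&name;" */
        if (!*s) return 1;                      /* unterminated: nothing to follow */
        size_t len = (size_t)(s - start);
        if (strlen(name) == len && memcmp(name, start, len) == 0)
            return 0;                           /* refers back to itself */
        const char *val = lookup(ent, start, len);
        if (val) {                              /* known entity: check its value */
            int r = ent_ok_bounded(name, val, ent, depth + 1);
            if (r != 1) return r;
        }
        /* unknown references (e.g. "&amp;") are simply skipped */
    }
}

/* Look up `name` in the table and validate its own definition. */
int check_entity(const char *name, const char **ent)
{
    const char *val = lookup(ent, name, strlen(name));
    return val ? ent_ok_bounded(name, val, ent, 0) : 1;
}

/* Constructed sample tables. */
static const char *self_ref[] = {"a", "x&a;y", NULL};                  /* a -> a          */
static const char *chain[]    = {"a", "&b;", "b", "&c;", "c", "plain", NULL}; /* a -> b -> c */
static const char *indirect[] = {"a", "&b;", "b", "&a;", NULL};        /* a -> b -> a     */
static const char *cycle[]    = {"a", "&b;", "b", "&c;", "c", "&b;", NULL};   /* a -> b <-> c */

int main(void)
{
    printf("self-referential : %d\n", check_entity("a", self_ref)); /* 0  */
    printf("plain chain      : %d\n", check_entity("a", chain));    /* 1  */
    printf("indirect self    : %d\n", check_entity("a", indirect)); /* 0  */
    printf("cycle elsewhere  : %d\n", check_entity("a", cycle));    /* -1 */
    return 0;
}
```

The last table is the interesting one: entity a is never referenced, so a self-reference check alone has no reason to stop, and without the depth argument the b/c cycle would recurse until the stack overflows, which is the failure mode the ASAN trace above records. Treating -1 the same as a bad definition (reject the document) is the safe choice for a parser.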
For me, this issue is resolved by the fix for bug 26.
Check my comment there.