#24 Buffer overflow in strip_spaces src/sxmlc.c:1916

[Yunho Kim]

Dear Matthieu Labas
We have found a buffer overflow issue in strip_spaces at src/sxmlc.c:1916.
The crash input is automatically generated by our test generation tool FOCAL.
You can find crash1.html in the attachement

Here are details to reproduce the buffer overflow.
- OS & Compiler
Ubuntu Linux 16.04 x64 and GCC 5.4.0
- Build command
$ gcc -fsanitize=address -o htmlstrip ./src/examples/htmlstrip.c src/sxmlc.c
- Run command
$ ./htmlstrip crash1.html
- Outputs

=================================================================
==7264==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009eff at pc 0x000000429f61 bp 0x7ffed1a86fb0 sp 0x7ffed1a86fa0
READ of size 1 at 0x611000009eff thread T0
    #0 0x429f60 in strip_spaces src/sxmlc.c:1916
    #1 0x4026a8 in html_strip src/examples/htmlstrip.c:99
    #2 0x423497 in _parse_data_SAX src/sxmlc.c:1284
    #3 0x42635e in XMLDoc_parse_file_SAX src/sxmlc.c:1622
    #4 0x401817 in main src/examples/htmlstrip.c:133
    #5 0x7fa4429ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401ac8 in _start (/home/yhkim/sxmlc/htmlstrip+0x401ac8)

0x611000009eff is located 1 bytes to the left of 256-byte region [0x611000009f00,0x61100000a000)
allocated by thread T0 here:
    #0 0x7fa442e10602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4045fa in read_line_alloc src/sxmlc.c:1825

SUMMARY: AddressSanitizer: heap-buffer-overflow src/sxmlc.c:1916 strip_spaces
Shadow bytes around the buggy address:
  0x0c227fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7264==ABORTING

[Matthieu Labas]

There is indeed a problem in strip_spaces() when the str argument is only spaces (i.e. isspace() returns non-0).

[Matthieu Labas]

Will be delivered in v4.2.9.