Assertion in TiXmlBase::StringEqual can cause DoS
Brought to you by:
leethomason
Menu
▾
▴
1 Attachments
#142 Assertion in TiXmlBase::StringEqual can cause DoS
This vulnerability is caused by the following code:
bool TiXmlBase::StringEqual( const char* p,
const char* tag,
bool ignoreCase,
TiXmlEncoding encoding )
{
assert( p );
assert( tag );
if ( !p || !*p )
{
assert( 0 );
return false;
}
My program for testing:
#include "tinyxml.h"
#include <stdlib.h>
#include <string>
int main(int argc, char*argv[]){
char buf[10240];
if(argc < 2){
printf("args error\n");
return 0;
}
FILE *f = fopen(argv[1], "rb");
size_t len = fread(buf, 1, sizeof(buf), f);
std::string s(buf, sizeof(buf));
TiXmlDocument doc;
doc.Parse(s.c_str());
fclose(f);
return 0;
}
Result:
test_input: tinyxmlparser.cpp:543: static bool TiXmlBase::StringEqual(const char *, const char *, bool, TiXmlEncoding): Assertion `0' failed.
[1] 1843 abort ./test_input minimized_crash
And I use libfuzzer to get more detailed output:
harness2: tinyxmlparser.cpp:543: static bool TiXmlBase::StringEqual(const char *, const char *, bool, TiXmlEncoding): Assertion `0' failed.
==1849== ERROR: libFuzzer: deadly signal
#0 0x527e41 in __sanitizer_print_stack_trace (/home/presler/fuzzing/tinyxml/harness2+0x527e41)
#1 0x472f98 in fuzzer::PrintStackTrace() (/home/presler/fuzzing/tinyxml/harness2+0x472f98)
#2 0x4580e3 in fuzzer::Fuzzer::CrashCallback() (/home/presler/fuzzing/tinyxml/harness2+0x4580e3)
#3 0x7f07d48103bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
#4 0x7f07d462118a in __libc_signal_restore_set /build/glibc-eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
#5 0x7f07d462118a in raise /build/glibc-eX1tMB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7f07d4600858 in abort /build/glibc-eX1tMB/glibc-2.31/stdlib/abort.c:79:7
#7 0x7f07d4600728 in __assert_fail_base /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:92:3
#8 0x7f07d4611f35 in __assert_fail /build/glibc-eX1tMB/glibc-2.31/assert/assert.c:101:3
#9 0x558e38 in TiXmlBase::StringEqual(char const*, char const*, bool, TiXmlEncoding) /home/presler/fuzzing/tinyxml/tinyxmlparser.cpp:543:3
#10 0x55b25c in TiXmlDeclaration::Parse(char const*, TiXmlParsingData*, TiXmlEncoding) /home/presler/fuzzing/tinyxml/tinyxmlparser.cpp:1603:8
#11 0x55a4bc in TiXmlElement::ReadValue(char const*, TiXmlParsingData*, TiXmlEncoding) /home/presler/fuzzing/tinyxml/tinyxmlparser.cpp:1229:16
#12 0x559e3a in TiXmlElement::Parse(char const*, TiXmlParsingData*, TiXmlEncoding) /home/presler/fuzzing/tinyxml/tinyxmlparser.cpp:1109:8
#13 0x55949a in TiXmlDocument::Parse(char const*, TiXmlParsingData*, TiXmlEncoding) /home/presler/fuzzing/tinyxml/tinyxmlparser.cpp:759:14
#14 0x551699 in LLVMFuzzerTestOneInput /home/presler/fuzzing/tinyxml/harness2.cpp:17:9
#15 0x4597a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/presler/fuzzing/tinyxml/harness2+0x4597a1)
#16 0x444f12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/presler/fuzzing/tinyxml/harness2+0x444f12)
#17 0x44a9c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/presler/fuzzing/tinyxml/harness2+0x44a9c6)
#18 0x473682 in main (/home/presler/fuzzing/tinyxml/harness2+0x473682)
#19 0x7f07d46020b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41f5dd in _start (/home/presler/fuzzing/tinyxml/harness2+0x41f5dd)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
Test case also was attached
