Opened 5 years ago

Closed 4 years ago

#6851 closed defect (fixed)

Buffer overflow in CPLSerializeXMLNode

Reported by: Kurt Schwehr Owned by: warmerdam
Priority: normal Milestone:
Component: default Version: svn-trunk
Severity: normal Keywords: xml asan fuzzing
Cc:

Description

Using https://github.com/schwehr/gdal-autotest2/blob/master/cpp/port/cpl_minixml_fuzzer.cc

cpl_minixml_fuzzer crash-b9f5e6bad9065580a918bd3948ba622f8d157ea4

AddressSanitizer: heap-buffer-overflow 

WRITE of size 2 at 0x6160000011fa thread T0
    #0 0x7bccfd in CPLSerializeXMLNode(CPLXMLNode const*, int, char**, unsigned long*, unsigned long*) port/cpl_minixml.cpp:1166:21
    #1 0x7bbeae in CPLSerializeXMLTree port/cpl_minixml.cpp:1229:14

is located 0 bytes to the right of 634-byte region
allocated by thread T0 here:
    #0 0x4f0725 in __interceptor_realloc asan_malloc_linux.cc:79:3
    #1 0x7bfb13 in _GrowBuffer(unsigned long, char**, unsigned long*) port/cpl_minixml.cpp:993:33
    #2 0x7bc60a in CPLSerializeXMLNode(CPLXMLNode const*, int, char**, unsigned long*, unsigned long*) port/cpl_minixml.cpp:1036:14
    #3 0x7bcc80 in CPLSerializeXMLNode(CPLXMLNode const*, int, char**, unsigned long*, unsigned long*) port/cpl_minixml.cpp:1169:22
    #4 0x7bbeae in CPLSerializeXMLTree port/cpl_minixml.cpp:1229:14

The crash can be reproduced with the attach file, but the equivalent hex string is:

  const char crash_b9f5e6bad9065580a918bd3948ba622f8d157ea4[] =
      "\x3c\x61\x20\x62\x3d\x27\x63\x27\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e"
      "\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x3e\x74\x65\x78\x74\x20\x1e\x2f\x64"
      "\x3e\x22\x3c\x6a\x2f\x3e\x20\x3c\x2f\x61\x3e\x0a";

Attachments (1)

crash-b9f5e6bad9065580a918bd3948ba622f8d157ea4 (182 bytes) - added by Kurt Schwehr 5 years ago.
asan fuzzing failure for cpl_minixml.cpp.

Download all attachments as: .zip

Change History (4)

Changed 5 years ago by Kurt Schwehr

asan fuzzing failure for cpl_minixml.cpp.

comment:1 Changed 5 years ago by Even Rouault

In 37918:

CPLSerializeXMLNode(): fix potential buffer overflow (refs #6851)

comment:2 Changed 5 years ago by Even Rouault

In 37922:

CPLSerializeXMLNode(): fix potential buffer overflow (refs #6851)

comment:3 Changed 4 years ago by Even Rouault

Resolution: fixed
Status: newclosed

Issue has been fixed

Note: See TracTickets for help on using tickets.