Package: libtinyxml2-2
Version: 2.2.0-1
Usertags: afl

TinyXML-2 crashes when parsing the attached file:

$ make prettyprintxml CXXFLAGS="-g -O2 -Wall" LDFLAGS=-ltinyxml2
g++ -g -O2 -Wall  -ltinyxml2  prettyprintxml.cc   -o prettyprintxml
$ ./prettyprintxml crash.xml
Segmentation fault


Valgrind says it's a null pointer dereference:

==2570== Invalid read of size 1
==2570==    at 0x4056C53: tinyxml2::StrPair::GetStr() (tinyxml2.cpp:175)
==2570==    by 0x405C5AD: tinyxml2::XMLPrinter::Visit(tinyxml2::XMLText const&) (tinyxml2.cpp:2219)
==2570==    by 0x4056450: tinyxml2::XMLText::Accept(tinyxml2::XMLVisitor*) const (tinyxml2.cpp:920)
==2570==    by 0x4056418: tinyxml2::XMLDocument::Accept(tinyxml2::XMLVisitor*) const (tinyxml2.cpp:554)
==2570==    by 0x405BAB6: tinyxml2::XMLDocument::Print(tinyxml2::XMLPrinter*) const (tinyxml2.cpp:1830)
==2570==    by 0x8048C6C: main (prettyprintxml.cc:19)
==2570==  Address 0x0 is not stack'd, malloc'd or (recently) free'd


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libtinyxml2-2 depends on:
ii  libc6              2.19-15
ii  libgcc1            1:5-20150307-1
ii  libstdc++6         5-20150307-1
ii  multiarch-support  2.19-15

--
Jakub Wilk

Attachment: crash.xml
Description: XML document

#include <stdio.h>
#include <tinyxml2.h>

using namespace tinyxml2;

/* Harness: load the file named on the command line and pretty-print it. */
int main(int argc, char ** argv)
{
	if (argc != 2) {
		fprintf(stderr, "Usage: %s <file>\n", argv[0]);
		return 1;
	}
	XMLDocument doc;  /* on the stack: freed on every return path */
	if (doc.LoadFile(argv[1]) != XML_NO_ERROR) {  /* XML_NO_ERROR: TinyXML-2 2.x success code */
		doc.PrintError();
		return 1;
	}
	XMLPrinter printer;
	doc.Print(&printer);  /* line 19: crashes on crash.xml (see the Valgrind trace above) */
	puts(printer.CStr());
	return 0;
}
