Out-of-bounds write caused by Integer Overflow in ezxml_parse_str (ezxml.c:481)
Status: Beta
Brought to you by:
voisine
Reproduction steps (POC is the AFL-generated crash file shown below):
./ezxmltest POC
You should see output similar to the following:
fstark@ubuntu:~/ezxml$ ./ezxmltest out/crashes/id\:000000\,sig\:11\,src\:000000\,time\:10762\,op\:havoc\,rep\:128
ASAN:SIGSEGV
=================================================================
==19448==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000413176 bp 0x0c24000017e3 sp 0x7ffeab82f870 T0)
#0 0x413175 in ezxml_parse_str /home/fstark/ezxml/ezxml.c:481
#1 0x417849 in ezxml_parse_fd /home/fstark/ezxml/ezxml.c:641
#2 0x417849 in ezxml_parse_file /home/fstark/ezxml/ezxml.c:659
#3 0x4017db in main /home/fstark/ezxml/ezxml.c:1008
#4 0x7f4f6d86c83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#5 0x401af8 in _start (/home/fstark/ezxml/ezxmltest+0x401af8)
Vulnerable code (ezxml.c), with the faulting line marked. Note that the only emptiness check runs before ezxml_str2utf8(), which rewrites both s and len through the pointers it is handed; if the conversion leaves len at 0, len - 1 wraps around as an unsigned size_t and s[len - 1] writes far outside the work area.
// parse the given xml string and return an ezxml structure
ezxml_t ezxml_parse_str(char *s, size_t len)
{
    ezxml_root_t root = (ezxml_root_t)ezxml_new(NULL);
    char q, e, *d, **attr, **a = NULL; // initialize a to avoid compile warning
    int l, i, j;

    root->m = s;
    if (! len) return ezxml_err(root, NULL, "root tag missing");
    root->u = ezxml_str2utf8(&s, &len); // convert utf-16 to utf-8
    root->e = (root->s = s) + len; // record start and end of work area
    e = s[len - 1]; // save end char
    s[len - 1] = '\0'; // turn end char into null terminator   <-- line 481, the faulting write
    while (*s && *s != '<') s++; // find first tag
    if (! *s) return ezxml_err(root, s, "root tag missing");
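The following is an added example, not code from ezxml or from this report, that isolates the ordering problem the trace points at. demo_str2utf8() is a hypothetical stand-in for ezxml_str2utf8() (it only drops a UTF-16 byte-order mark and keeps the low byte of each unit, and is not the real converter); terminator_index_as_in_report() reproduces the report's check-then-convert order and returns the index that s[len - 1] would use instead of dereferencing it; terminate_hardened() shows the re-check that must follow the converter. The BOM-only input is a constructed sample chosen because the converted payload is empty.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for ezxml_str2utf8, written for this example (hypothetical, not
 * ezxml's converter). Like the real one it rewrites both *s and *len: input
 * starting with a UTF-16 byte-order mark (FE FF or FF FE) has the BOM dropped
 * and the low byte of every 16-bit unit kept; other input is left untouched
 * and NULL is returned. An empty payload releases the buffer and leaves
 * *s == NULL, *len == 0, the state the crash above depends on.
 */
static char *demo_str2utf8(char **s, size_t *len)
{
    unsigned char b0, b1;
    char *u;
    size_t i, l = 0;

    if (*len < 2) return NULL;
    b0 = (unsigned char)(*s)[0];
    b1 = (unsigned char)(*s)[1];
    if (!((b0 == 0xFE && b1 == 0xFF) || (b0 == 0xFF && b1 == 0xFE)))
        return NULL;                                   /* not UTF-16 */

    u = malloc(*len);                                  /* payload is narrower */
    if (!u) return NULL;
    for (i = 2; i + 1 < *len; i += 2)                  /* low byte per unit */
        u[l++] = (b0 == 0xFE) ? (*s)[i + 1] : (*s)[i];

    if (l == 0) {                                      /* BOM only: nothing left */
        free(u);
        *s = NULL;
        *len = 0;
        return NULL;
    }
    *len = l;
    return *s = u;
}

/*
 * The index the reported code uses for the terminator write, computed with
 * the report's ordering: the "root tag missing" check runs before the
 * converter, which may shrink len to 0 afterwards. The index is returned
 * rather than dereferenced so the wrap can be observed without crashing.
 */
static size_t terminator_index_as_in_report(const char *in, size_t len)
{
    char *buf, *s, *conv;
    size_t idx;

    if (len == 0) return 0;                /* the only check the original makes */
    buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, in, len);
    s = buf;
    conv = demo_str2utf8(&s, &len);        /* may leave s == NULL, len == 0 */
    idx = len - 1;                         /* size_t arithmetic: 0 - 1 == SIZE_MAX */
    free(conv);
    free(buf);
    return idx;
}

/*
 * Hardened ordering: validate again after the converter has had its chance
 * to replace s and len, and refuse a NULL or empty work area before touching
 * s[len - 1]. Returns 0 and writes the terminator on success (saving the
 * overwritten byte in *saved), -1 on rejection. On success *s may point at a
 * freshly allocated converted copy that the caller must free.
 */
static int terminate_hardened(char **s, size_t *len, char *saved)
{
    if (*len == 0) return -1;
    demo_str2utf8(s, len);
    if (*s == NULL || *len == 0) return -1;  /* the re-check the original lacks */
    *saved = (*s)[*len - 1];
    (*s)[*len - 1] = '\0';
    return 0;
}

/*
 * Drive the hardened path on a private copy of `in`. Returns -1 if the input
 * was rejected, otherwise the byte that the terminator overwrote.
 */
static int hardened_end_char(const char *in, size_t len)
{
    char *buf, *s, saved;
    int rc;

    buf = malloc(len ? len : 1);
    if (!buf) return -1;
    memcpy(buf, in, len);
    s = buf;
    rc = terminate_hardened(&s, &len, &saved);
    if (s != buf) free(s);                 /* converted copy, if any */
    free(buf);
    return rc == 0 ? (unsigned char)saved : -1;
}
```

With a two-byte BOM-only input, terminator_index_as_in_report() returns SIZE_MAX, which is the index the original would have written through; terminate_hardened() rejects the same input because it checks s and len after the converter, not only before it.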