search

KhronosGroup / OpenCOLLADA

652 stars 252 forks source link

SEGV on unknown address at strlen-avx2.S:65 due to COLLADASaxFWLSourceArrayLoader.cpp:236 #644

Open Nalen98 opened 3 years ago

Nalen98 commented 3 years ago

A crafted input leads to crash (an invalid memory address dereference) at strlen-avx2.S:65 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master). Seems the line accessorParameter.type = attributeData.type; in COLLADASaxFWL::SourceArrayLoader::begin__param (COLLADASaxFWLSourceArrayLoader.cpp:236) causes the segmentation fault.

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1957786==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff1b674a675 bp 0x7ffdbe0b8090 sp 0x7ffdbe0b7808 T0)
==1957786==The signal is caused by a READ memory access.
==1957786==Hint: address points to the zero page.
    #0 0x7ff1b674a674  (/lib/x86_64-linux-gnu/libc.so.6+0x18b674)
    #1 0x7ff1b6d928fb  (/lib/x86_64-linux-gnu/libasan.so.5+0x678fb)
    #2 0x55a87a400923 in std::char_traits<char>::length(char const*) /usr/include/c++/9/bits/char_traits.h:335
    #3 0x55a87a400923 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*) /usr/include/c++/9/bits/basic_string.h:1439
    #4 0x55a87a400923 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(char const*) /usr/include/c++/9/bits/basic_string.h:705
    #5 0x55a87a400923 in COLLADASaxFWL::SourceArrayLoader::begin__param(COLLADASaxFWL::param__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLSourceArrayLoader.cpp:236
    #6 0x55a87a1f663e in non-virtual thunk to COLLADASaxFWL::SourceArrayLoader14::begin__param(COLLADASaxFWL14::param__AttributeData const&) (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x191963e)
    #7 0x55a879661812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
    #8 0x55a87a4ca3e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
    #9 0x7ff1b6b4915e in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b15e)
    #10 0x7ff1b6b4bf27  (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
    #11 0x7ff1b6b517cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
    #12 0x7ff1b6b52f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #13 0x55a87a4ca9cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #14 0x55a8790ba3ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #15 0x55a8790b7a3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #16 0x55a8790482be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #17 0x55a8790386f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #18 0x55a878fe4fbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #19 0x7ff1b65e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #20 0x55a8790378ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b674) 
==1957786==ABORTING

GDB info:

image

image

Environment: Host Operating System and version: Ubuntu 20.04.2 LTS Host CPU architecture: x86_64