A crafted input leads to crash (heap buffer overflow) at COLLADASaxFWLTransformationLoader.cpp:50 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: Input is not proper UTF-8, indicate encoding !
Bytes: 0xAF 0x74 0x72 0x61
Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: xmlParseStartTag: invalid element name
free(): invalid pointer
Aborted
ASAN report:
$ ./OpenCOLLADAValidator PoC.dae
==601510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000083a0 at pc 0x555557058cc6 bp 0x7fffffffca80 sp 0x7fffffffca70
WRITE of size 8 at 0x6060000083a0 thread T0
#0 0x555557058cc5 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50
#1 0x5555560c1672 in bool GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2Data<float, &GeneratedSaxParser::Utils::toFloat>(char const*, unsigned long, float (COLLADASaxFWL14::ColladaParserAutoGen14Private::*)(char const*, char const*, char const**, char const*, bool&), bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:836
#2 0x555556125445 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2FloatData(char const*, unsigned long, bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1196
#3 0x555556125445 in COLLADASaxFWL14::ColladaParserAutoGen14Private::_data__translate(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/generated14/COLLADASaxFWLColladaParserAutoGen14Private.cpp:19170
#4 0x55555626145a in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::textData(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1840
#5 0x555557141681 in GeneratedSaxParser::LibxmlSaxParser::characters(void*, unsigned char const*, int) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:196
#6 0x7ffff7393ece in xmlParseCharData (/lib/x86_64-linux-gnu/libxml2.so.2+0x42ece)
#7 0x7ffff73a4682 in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x53682)
#8 0x7ffff73a5f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
#9 0x5555571419cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
#10 0x555555d313ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
#11 0x555555d2ea3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
#12 0x555555cbf2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
#13 0x555555caf6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
#14 0x555555c5bfbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
#15 0x7ffff6e390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#16 0x555555cae8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)
0x6060000083a0 is located 0 bytes to the right of 64-byte region [0x606000008360,0x6060000083a0)
allocated by thread T0 here:
#0 0x7ffff768d947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
#1 0x55555708fa1f in void COLLADASaxFWL::TransformationLoader::beginTransformation<COLLADAFW::Translate>() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/include/COLLADASaxFWLTransformationLoader.h:71
#2 0x55555708fa1f in bool COLLADASaxFWL::NodeLoader::beginTransformation<COLLADAFW::Translate>(char const*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:100
#3 0x55555708fa1f in COLLADASaxFWL::NodeLoader::begin__translate(COLLADASaxFWL::translate__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:141
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long)
Shadow bytes around the buggy address:
0x0c0c7fff9020: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9030: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff9040: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9050: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9060: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9070: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff9080: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff9090: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c0c7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==601510==ABORTING
GDB info:
Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
A crafted input leads to crash (heap buffer overflow) at
COLLADASaxFWLTransformationLoader.cpp:50in opencolladavalidatorv1.6.68(the latest version, checked on Ubuntu/Debian packages and current master).PoC: PoC.zip
Triggered by:
./OpenCOLLADAValidator PoC.daeASAN report:
GDB info:
Environment: Host Operating System and version: Ubuntu 20.04.2 LTS Host CPU architecture: x86_64