USCiLab / cereal

A C++11 library for serialization
BSD 3-Clause "New" or "Revised" License

I encountered a segmentation fault when processing XML file data with version 1.3.2 of Cereal. Could this be a security vulnerability #805

Open JohenanLi opened 1 year ago

JohenanLi commented 1 year ago

This is the C++ test program I used (it reads the XML document from stdin and hands it to `cereal::XMLInputArchive`):

#include <exception>
#include <iostream>   // std::cin / std::cout / std::cerr / std::getline (the header name was dropped in the rendered issue)
#include <sstream>    // std::stringstream feeding the archive
#include <string>

#include <cereal/archives/xml.hpp>

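// Plain record used as the deserialization target of the PoC.
// Members are value-initialised so nothing indeterminate is observed if the
// archive stops part-way through loading.
struct MyData {
  bool b{false};
  double d{0.0};

  // cereal hook: the archive visits `b` then `d`, in that order, for both
  // saving and loading. The `template <class Archive>` header is required;
  // it appears to have been stripped when the issue was rendered.
  template <class Archive>
  void serialize(Archive& ar) {
    ar(b, d);
  }
};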

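// PoC harness: reads an XML document from stdin and deserializes it with
// cereal::XMLInputArchive using a fixed sequence of named and unnamed loads.
// Returns 0 on success, 1 when cereal reports a deserialization error.
int main() {
  // Read all of stdin; this is how the fuzzer delivers the document.
  // (A file-based variant would open "data.xml" with std::ifstream instead.)
  std::string xmlData;
  std::string line;
  while (std::getline(std::cin, line)) {
    xmlData += line + "\n";  // append each input line to xmlData
  }
  // std::endl on purpose: the flush makes the echoed input visible even if the
  // process dies inside the library right after this.
  std::cout << xmlData << std::endl;

  // Targets the archive is asked to fill; zero-initialised so nothing
  // indeterminate is left behind if loading stops part-way.
  int i1{0};
  int i2{0};
  int i3{0};
  int i4{0};
  MyData md{};

  // The input is untrusted. cereal signals malformed XML and failed name lookups
  // with exceptions derived from std::runtime_error, so catching std::exception
  // turns those into a reported failure instead of an uncaught-exception abort
  // (which a sanitizer run would otherwise count as a crash).
  //
  // NOTE(review): this does NOT prevent the SEGV in the ASAN report below. That
  // report is a READ of the zero page (address 0x30) inside
  // XMLInputArchive::NodeInfo's constructor, reached from startNode(), which looks
  // like a null rapidxml node pointer being dereferenced inside the library. No
  // caller-side check can stop it; the null check belongs in xml.hpp. As reported
  // it is a null-pointer read (crash / DoS), not a memory-corruption write --
  // confirm against the library source before treating it as more than that.
  try {
    std::stringstream ss(xmlData);
    cereal::XMLInputArchive ar(ss);  // parses the whole document here; throws on malformed XML

    // Named load: the archive searches for the "myData" node.
    ar(cereal::make_nvp("myData", md));

    ar(i4);                            // unnamed: continues from the node found above
    ar(cereal::make_nvp("var1", i1));  // named: re-positions at node "var1"
    ar(i2, i3);                        // unnamed: continues from the last search
  } catch (const std::exception& e) {
    std::cerr << "deserialization failed: " << e.what() << '\n';
    return 1;
  }

  return 0;
}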

After enabling ASAN, I received the following error. I'm not sure if it's a security vulnerability.

AddressSanitizer:DEADLYSIGNAL

==62609==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x55b157fbfc04 bp 0x7ffd68d98060 sp 0x7ffd68d97ea0 T0)
==62609==The signal is caused by a READ memory access.
==62609==Hint: address points to the zero page.

#0 0x55b157fbfc04 in cereal::XMLInputArchive::NodeInfo::NodeInfo(cereal::rapidxml::xml_node*) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp

#1 0x55b157fbfc04 in void __gnu_cxx::new_allocator<cereal::XMLInputArchive::NodeInfo>::construct<cereal::XMLInputArchive::NodeInfo, cereal::rapidxml::xml_node<char>*&>(cereal::XMLInputArchive::NodeInfo*, cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/new_allocator.h:162:23
#2 0x55b157fbfc04 in void std::allocator_traits<std::allocator<cereal::XMLInputArchive::NodeInfo> >::construct<cereal::XMLInputArchive::NodeInfo, cereal::rapidxml::xml_node<char>*&>(std::allocator<cereal::XMLInputArchive::NodeInfo>&, cereal::XMLInputArchive::NodeInfo*, cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:516:8
#3 0x55b157fbfc04 in void std::deque<cereal::XMLInputArchive::NodeInfo, std::allocator<cereal::XMLInputArchive::NodeInfo> >::emplace_back<cereal::rapidxml::xml_node<char>*&>(cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/deque.tcc:170:6
#4 0x55b157fbfc04 in void std::stack<cereal::XMLInputArchive::NodeInfo, std::deque<cereal::XMLInputArchive::NodeInfo, std::allocator<cereal::XMLInputArchive::NodeInfo> > >::emplace<cereal::rapidxml::xml_node<char>*&>(cereal::rapidxml::xml_node<char>*&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_stack.h:256:6
#5 0x55b157fbfc04 in cereal::XMLInputArchive::startNode() /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:504:18
#6 0x55b157fc0f6e in void cereal::prologue<double, (cereal::traits::detail::sfinae)0>(cereal::XMLInputArchive&, double const&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:862:8
#7 0x55b157fc0f6e in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<double&>(double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:852:9
#8 0x55b157fc0f6e in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<bool&, double&>(bool&, double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:862:9
#9 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<bool&, double&>(bool&, double&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
#10 0x55b157fbf311 in void MyData::serialize<cereal::XMLInputArchive>(cereal::XMLInputArchive&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml_fuzz.cc:12:5
#11 0x55b157fbf311 in decltype(fp0.serialize(fp)) cereal::access::member_serialize<cereal::XMLInputArchive, MyData>(cereal::XMLInputArchive&, MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/access.hpp:246:18
#12 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::processImpl<MyData, (cereal::traits::detail::sfinae)0>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:917:9
#13 0x55b157fbf311 in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<MyData&>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:853:15
#14 0x55b157fbf311 in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<MyData&>(MyData&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
#15 0x55b157fbf311 in void cereal::load<MyData&>(cereal::XMLInputArchive&, cereal::NameValuePair<MyData&>&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp:902:5
#16 0x55b157fb16af in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::processImpl<cereal::NameValuePair<MyData&>, (cereal::traits::detail::sfinae)0>(cereal::NameValuePair<MyData&>&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:941:9
#17 0x55b157fb16af in void cereal::InputArchive<cereal::XMLInputArchive, 0u>::process<cereal::NameValuePair<MyData&> >(cereal::NameValuePair<MyData&>&&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:853:15
#18 0x55b157fb16af in cereal::XMLInputArchive& cereal::InputArchive<cereal::XMLInputArchive, 0u>::operator()<cereal::NameValuePair<MyData&> >(cereal::NameValuePair<MyData&>&&) /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/cereal.hpp:730:9
#19 0x55b157fb16af in main /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml_fuzz.cc:32:5
#20 0x7fe8a85cdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#21 0x7fe8a85cde3f in __libc_start_main csu/../csu/libc-start.c:392:3
#22 0x55b157ef08c4 in _start (/home/liyuweiheng/fuzz_target/linux_program/cereal/poc/xml-fuzz+0x218c4) (BuildId: 28b568b61fb8dd21a422583f1ad458817291bf74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/liyuweiheng/fuzz_target/linux_program/cereal/poc/../include/cereal/archives/xml.hpp in cereal::XMLInputArchive::NodeInfo::NodeInfo(cereal::rapidxml::xml_node*)
==62609==ABORTING

The content of the "data.xml" file is as follows:

<?xml version="1.0"?>

4 32 64 t���������������������������.24 128

(Shown as rendered by the issue tracker: the XML element tags appear to have been stripped, and the run of `�` characters is non-UTF-8 bytes from the fuzzer payload. The attached data.zip holds the exact input bytes needed to reproduce.)

All files are attached. data.zip