michaelrsweet / mxml

Tiny XML library.
https://www.msweet.org/mxml
Apache License 2.0

mxml-V4.0.2 stack-overflow in Function mxmlLoadString #323

Closed ypcd closed 1 month ago

ypcd commented 1 month ago

mxml-V4.0.2 stack-overflow in Function mxmlLoadString

mxml version: V4.0.2, master(2024-4-13)

clang version: V17.0.6

Computer model: Apple MacBook Air M1 (arm64)

Operating system version: CentOS Stream 9 (kernel 5.14.0-435.el9.aarch64)

I'm building mxml 4.0.2 using clang 17 and AddressSanitizer. Performing the following operations results in a "stack-overflow" error in the mxmlLoadString function in the "mxml-file.c" file.

error message:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==25150==ERROR: AddressSanitizer: stack-overflow on address 0xffffe4b7d1e5 (pc 0xffffe4b7d1e5 bp 0xffffe4b7c000 sp 0xffffe4b7bee0 T0)
/usr/bin/llvm-symbolizer: error: '[stack]': No such file or directory
     #0 0xffffe4b7d1e5 ([stack]+0x201e5)
     #1 0xffffb3c2aeec in mxmlLoadString /home/user2/mxml-master/mxml-file.c:242:11
     #2 0x50cf88 in main /home/user2/mxml-master/./mxml--V4_test_input--.cpp:19:8
     #3 0xffffb36692fc in __libc_start_call_main (/lib64/libc.so.6+0x272fc) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #4 0xffffb36693d4 in __libc_start_main@GLIBC_2.17 (/lib64/libc.so.6+0x273d4) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #5 0x4304ac in _start (/home/user2/mxml-master/mxml_input+0x4304ac) (BuildId: 908a0efe4e2999feab4c16425ebf978ed47bf77f)

SUMMARY: AddressSanitizer: stack-overflow ([stack]+0x201e5)
==25150==ABORTING

Reproduction steps: mxml--V4.0.2--stack-overflow.zip

Install clang 17.
Unzip the "mxml-4.0.2.tar.gz" file and obtain the "mxml-4.0.2" folder.

The files in the mxml--V4.0.2--stack-overflow.zip compressed package are "mxml--V4_test_input--.cpp", "mxml-V4.0.2--crash--stack-overflow.txt", and "run.mxml-V4.input--single-file--.sh"; copy them to the "mxml-4.0.2" folder.

Under the "mxml-4.0.2" folder, execute the following command:

source run.mxml-V4.input--single-file--.sh or ./run.mxml-V4.input--single-file--.sh
(Be careful not to use sh run.mxml-V4.input--single-file--.sh; the script file will set environment variables.)

./mxml_input < ./mxml-V4.0.2--crash--stack-overflow.txt
(Note: The error will not be triggered every time. You will need to run it a few times.)

michaelrsweet commented 1 month ago

OK, so your test code passes an uninitialized mxml_options_t pointer. I'm not able to reproduce when it is initialized to NULL.

I will also advise you not to include the Mini-XML private header since that isn't something you normally will have access to since it is private to the library, subject to change at any time, and not public API...

ypcd commented 1 month ago

Hello, thank you for your reply. The source code for the example I wrote is wrong. My example cannot prove that mxml has security vulnerabilities.
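
A triage check for reports like the one in this thread, added here as an example (it is not code from the issue or from Mini-XML): it parses the ASan header and frames and separates a fault that is an instruction fetch from stack memory (pc equals the faulting address, frame #0 in [stack]) from genuine recursion. The verdict names and the RECURSION_MIN cut-off are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the ASan report in the issue (frames #3-#5 left out).
REPORT = """\
==25150==ERROR: AddressSanitizer: stack-overflow on address 0xffffe4b7d1e5 (pc 0xffffe4b7d1e5 bp 0xffffe4b7c000 sp 0xffffe4b7bee0 T0)
     #0 0xffffe4b7d1e5 ([stack]+0x201e5)
     #1 0xffffb3c2aeec in mxmlLoadString /home/user2/mxml-master/mxml-file.c:242:11
     #2 0x50cf88 in main /home/user2/mxml-master/./mxml--V4_test_input--.cpp:19:8
"""

HEADER = re.compile(
    r"AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-f]+) "
    r"\(pc (?P<pc>0x[0-9a-f]+) bp 0x[0-9a-f]+ sp (?P<sp>0x[0-9a-f]+)")
FRAME = re.compile(r"^[ \t]*#(\d+) 0x[0-9a-f]+(?: in (\S+))? (.*)$", re.M)
RECURSION_MIN = 50  # assumed cut-off: same function this often => recursion


def triage(report):
    """Classify an ASan 'stack-overflow' report; None if it cannot be parsed."""
    head = HEADER.search(report)
    frames = FRAME.findall(report)  # (index, function or "", location)
    if not head or not frames:
        return None
    addr, pc, sp = (int(head[k], 16) for k in ("addr", "pc", "sp"))
    result = {"kind": head["kind"], "sp_gap": addr - sp, "caller": None}
    repeats = Counter(func for _, func, _ in frames if func).most_common(1)
    if pc == addr and "[stack]" in frames[0][2]:
        # The fault is the instruction fetch itself and the target is stack
        # memory: control was transferred through a bad code pointer.
        result["verdict"] = "instruction-fetch-from-stack"
        if len(frames) > 1:
            result["caller"] = frames[1][1]   # function that made the jump
            result["call_site"] = frames[1][2]
    elif repeats and repeats[0][1] >= RECURSION_MIN:
        result["verdict"] = "recursion"
        result["caller"] = repeats[0][0]
    else:
        result["verdict"] = "unclassified"
    return result


if __name__ == "__main__":
    print(triage(REPORT))
```

A verdict of instruction-fetch-from-stack means the pointers handed to the named caller are the first thing to check, starting with the harness frame below it in the trace.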