pupnp / pupnp

libupnp: Build UPnP-compliant control points, devices, and bridges on several operating systems.
https://pupnp.github.io/pupnp
BSD 3-Clause "New" or "Revised" License
349 stars, 114 forks

heap-buffer-overflow #425

Open 0xfocu5 opened 1 year ago

0xfocu5 commented 1 year ago

There is a heap-buffer-overflow at ixmlparser.c:2045:6. It happens along the call chain CheckXML -> ixmlLoadDocumentEx -> Parser_LoadDocument -> Parser_parseDocument -> Parser_getNextNode.

Here is the ASan report:

```
==75284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000003bd at pc 0x559301aa5a4d bp 0x7ffed70ab630 sp 0x7ffed70ab628
READ of size 1 at 0x6110000003bd thread T0
    #0 0x559301aa5a4c in Parser_getNextNode /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2045:6
    #1 0x559301aa5a4c in Parser_parseDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2572:7
    #2 0x559301aa5a4c in Parser_LoadDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2810:7
    #3 0x559301a9e2bf in ixmlLoadDocumentEx /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixml.c:333:9
    #4 0x559301a99b4d in CheckXML /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:17:10
    #5 0x559301a99b4d in LLVMFuzzerTestOneInput /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:52:11
    #6 0x5593019c23b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x4b3b3) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #7 0x5593019ac12f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3512f) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #8 0x5593019b1e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3ae86) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #9 0x5593019dbca2 in main (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x64ca2) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #10 0x7feda1129d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x7feda1129e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #12 0x5593019a69f4 in _start (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x2f9f4) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)

0x6110000003bd is located 0 bytes to the right of 253-byte region [0x6110000002c0,0x6110000003bd)
allocated by thread T0 here:
    #0 0x559301a5ea2e in malloc (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0xe7a2e) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #1 0x559301aa0ec4 in Parser_readFileOrBuffer /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2757:13
    #2 0x559301aa0ec4 in Parser_LoadDocument /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2803:7
    #3 0x559301a9e2bf in ixmlLoadDocumentEx /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixml.c:333:9
    #4 0x559301a99b4d in CheckXML /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:17:10
    #5 0x559301a99b4d in LLVMFuzzerTestOneInput /home/fuzz/vuln_search/pupnp_asan/fuzzer/FuzzIxml.c:52:11
    #6 0x5593019c23b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x4b3b3) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #7 0x5593019ac12f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3512f) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #8 0x5593019b1e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x3ae86) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #9 0x5593019dbca2 in main (/home/fuzz/vuln_search/pupnp_asan/fuzzer/build/fuzzer/FuzzIxml+0x64ca2) (BuildId: ee6c0809bde001ba008d47f765b2a7269f0d56bb)
    #10 0x7feda1129d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vuln_search/pupnp_asan/ixml/src/ixmlparser.c:2045:6 in Parser_getNextNode
Shadow bytes around the buggy address:
  0x0c227fff8020: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
  0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8070: 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa fa
  0x0c227fff8080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8090: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c227fff80a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff80c0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==75284==ABORTING
```
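The report above says three things worth reading together: a 1-byte READ, an address "0 bytes to the right" of a 253-byte region (so exactly one past the end of the allocation), and an allocation site in Parser_readFileOrBuffer (the buffer holding the document being parsed). That combination is the signature of a scanner that inspects a byte past the end of an exact-size input buffer. The following is an added illustration of that bug class, not pupnp's code and not the actual cause at ixmlparser.c:2045 (which this page does not show): `find_token_unsafe` and `find_token_safe` are hypothetical names, and the sample document is constructed for the example. `memcmp()` does not stop at the NUL terminator, so when the 4-byte window straddles the end of the buffer the comparison reads past the region; the safe variant carries the buffer length and refuses to compare when fewer than 4 bytes remain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token scanner (example code, not from pupnp): locate the
 * start of an XML comment "<!--" in a document held in a heap buffer. */
#define TOKEN "<!--"
#define TOKEN_LEN (sizeof(TOKEN) - 1)   /* 4 */

/* Unsafe: relies on the NUL terminator to stop the loop, but memcmp()
 * compares all TOKEN_LEN bytes regardless of NULs. If the document ends
 * in "<!", the window covers '<', '!', '\0' and one byte beyond the
 * allocation: a READ of size 1 "0 bytes to the right" of the region,
 * exactly the shape ASan reports above. */
long find_token_unsafe(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '<' && memcmp(p, TOKEN, TOKEN_LEN) == 0)
            return (long)(p - s);
    }
    return -1;
}

/* Safe: the caller passes the number of valid bytes and the loop only
 * compares while a full token still fits inside the buffer. This also
 * works for buffers that are not NUL-terminated (e.g. raw file reads). */
long find_token_safe(const char *s, size_t len)
{
    if (len < TOKEN_LEN)
        return -1;
    for (size_t i = 0; i + TOKEN_LEN <= len; i++) {
        if (s[i] == '<' && memcmp(s + i, TOKEN, TOKEN_LEN) == 0)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample input: a fragment whose last two bytes are a
     * truncated comment opener, copied into an exact-size allocation the
     * way a strdup()-style loader would do it. */
    const char *sample = "<root><a>x</a><!";
    size_t len = strlen(sample);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return 1;
    memcpy(buf, sample, len + 1);

    printf("safe scan:   %ld\n", find_token_safe(buf, len));
#ifdef DEMO_UNSAFE
    /* Build with -fsanitize=address -g -DDEMO_UNSAFE to watch ASan flag
     * the 1-byte read just past the region on this same input. */
    printf("unsafe scan: %ld\n", find_token_unsafe(buf));
#endif
    free(buf);
    return 0;
}
```

When triaging a report like the one in this issue, the allocation-site trace is as useful as the crash-site trace: it identifies which buffer was overrun (here the parser's input buffer from Parser_readFileOrBuffer), and the "0 bytes to the right" distance tells you the read is an off-by-one past the end rather than a wild pointer. Rebuilding with `-fsanitize=address -g` and rerunning the crashing input from the fuzzer is the quickest way to confirm a fix closes it.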