Re: [xml] Heap use after free in parser.c

On 08/01/2018 22:43, Jay Civelli wrote:
On Mon, Jan 8, 2018 at 11:27 AM, Nick Wellnhofer <wellnhofer aevum de <mailto:wellnhofer aevum de>> wrote:

    On 02/01/2018 20:08, Jay Civelli via xml wrote:

        We ran into a heap use after free in Chromium
        <> that I think I tracked down.

    I don't have access to this page.

You should have access now.

I still don't have access to the original Clusterfuzz report. I only found your reduced test case "bad_xml" but I couldn't reproduce the issue with xmllint. Given the stack trace and Chromium sources, it seems that you're using xmlReaderForMemory in recovery mode:

Note that it's discouraged to use XML_PARSE_RECOVER in production code. This flag hides errors in invalid XML and exercises some less-tested code paths in libxml2.

For future reports, it would be helpful to provide test cases that show the problem with xmllint. The following flags should make xmllint behave similar to the Chromium code in question:

    xmllint --stream --memory --recover file.xml

Good idea, done in new attached patch. Note that I changed the error from the existing from XML_ERR_INVALID_ENCODING to XML_ERR_INVALID_CHAR which seemed to make more sense.

I committed a minimal fix that only adds a call to xmlHaltParser.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]