Package: libtinyxml2.6.2
Version: 2.6.2-2
Usertags: afl

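TinyXML aborts with a failed assertion (SIGABRT) while trying to parse the attached file, so the malformed document terminates the calling process instead of making LoadFile() return an error: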

$ make prettyprintxml CXXFLAGS="-g -O2 -Wall" LDFLAGS=-ltinyxml
g++ -g -O2 -Wall  -ltinyxml  prettyprintxml.cc   -o prettyprintxml
$ ./prettyprintxml badxml.xml
prettyprintxml: tinyxmlparser.cpp:543: static bool TiXmlBase::StringEqual(const 
char*, const char*, bool, TiXmlEncoding): Assertion `0' failed.
Aborted


Backtrace:

#0  0xf7fdc425 in __kernel_vsyscall ()
#1  0xf7c5d307 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xf7c5e9c3 in __GI_abort () at abort.c:89
#3  0xf7c56687 in __assert_fail_base (fmt=0xf7d90794 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
assertion=assertion@entry=0xf7fb8751 "0", file=file@entry=0xf7fb8d76 "tinyxmlparser.cpp", 
line=line@entry=543, function=function@entry=0xf7fb93c0 <TiXmlBase::StringEqual(char const*, char const*, bool, 
TiXmlEncoding)::__PRETTY_FUNCTION__> "static bool TiXmlBase::StringEqual(const char*, const char*, bool, 
TiXmlEncoding)") at assert.c:92
#4  0xf7c56737 in __GI___assert_fail (assertion=0xf7fb8751 "0", file=0xf7fb8d76 
"tinyxmlparser.cpp", line=543, function=0xf7fb93c0 <TiXmlBase::StringEqual(char const*, char const*, 
bool, TiXmlEncoding)::__PRETTY_FUNCTION__> "static bool TiXmlBase::StringEqual(const char*, const char*, 
bool, TiXmlEncoding)") at assert.c:101
#5  0xf7fb5674 in TiXmlBase::StringEqual (p=p@entry=0x804fbbf "", 
tag=tag@entry=0xf7fb8e08 "version", ignoreCase=ignoreCase@entry=true, 
encoding=encoding@entry=TIXML_ENCODING_UNKNOWN) at tinyxmlparser.cpp:543
#6  0xf7fb7862 in TiXmlDeclaration::Parse (this=0x804fbc8, p=0x804fbbf "", 
data=0xffffd620, _encoding=TIXML_ENCODING_UNKNOWN) at tinyxmlparser.cpp:1603
#7  0xf7fb625b in TiXmlDocument::Parse (this=0xffffd748, p=0x804fbb8 
"<?xml?\n", prevData=0x0, encoding=TIXML_ENCODING_UNKNOWN) at 
tinyxmlparser.cpp:759
#8  0xf7fb13db in TiXmlDocument::LoadFile (this=this@entry=0xffffd748, 
file=file@entry=0x804fa50, encoding=encoding@entry=TIXML_ENCODING_UNKNOWN) at 
tinyxml.cpp:1054
#9  0xf7fb153c in TiXmlDocument::LoadFile (this=this@entry=0xffffd748, 
_filename=0x804fa1c "badxml.xml", 
encoding=encoding@entry=TIXML_ENCODING_UNKNOWN) at tinyxml.cpp:952
#10 0xf7fb15fa in TiXmlDocument::LoadFile (this=0xffffd748, 
encoding=TIXML_ENCODING_UNKNOWN) at tinyxml.cpp:933
#11 0x08048ded in main (argc=2, argv=0xffffd854) at prettyprintxml.cc:13


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libtinyxml2.6.2 depends on:
ii  libc6              2.19-15
ii  libgcc1            1:5-20150307-1
ii  libstdc++6         5-20150307-1
ii  multiarch-support  2.19-15

--
Jakub Wilk
#include <stdio.h>

#define TIXML_USE_STL 1
#include <tinyxml.h>

/*
 * Reproducer driver: load the XML file named by the single command-line
 * argument with TinyXML and pretty-print the parsed document to stdout.
 *
 * Exit status is 0 on success and 1 on a usage error or when LoadFile()
 * reports failure.
 */
int main(int argc, char ** argv)
{
	const bool has_one_operand = (argc == 2);
	if (!has_one_operand) {
		fprintf(stderr, "Usage: %s <file>\n", argv[0]);
		return 1;
	}

	/* LoadFile() below reads and parses the file named here. */
	TiXmlDocument document(argv[1]);

	/*
	 * A malformed document is meant to show up as a false return value.
	 * With the input from this report the process never reaches the check:
	 * the assert(0) in TiXmlBase::StringEqual aborts it inside LoadFile(),
	 * so the caller has no chance to handle the error.
	 */
	const bool parsed = document.LoadFile();
	if (!parsed) {
		fputs("invalid XML\n", stderr);
		return 1;
	}

	/* Serialise the parsed tree through the printer visitor and emit it. */
	TiXmlPrinter pretty;
	document.Accept(&pretty);
	const char *rendered = pretty.CStr();
	puts(rendered);
	return 0;
}

Attachment: badxml.xml
Description: XML document
