NULL pointer dereference in D4ParserSax2

Description

Reported on GitHub by GwanYeong Kim

Summary

Memory error (invalid write of size 4) in vsnprintf caused by percent characters (%) in the attached XML file. The file was specifically crafted to look for memory corruption (fuzzing), a process in which security researchers find the input bits that cause a particular crash and determine whether the crash is exploitable.

Specifically,

valgrind --trace-children=yes ./dmr-test -p Null_D4ParserSax2

returns (only the useful portion is included):

==19281== Command: /home/centos/hyrax/libdap4/tests/.libs/lt-dmr-test -p Null_D4ParserSax2
==19281==
==19281== Invalid write of size 4
==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281==    by 0x4134F9: main (dmr-test.cc:380)
==19281==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19281==
==19281==
==19281== Process terminating with default action of signal 11 (SIGSEGV)
==19281==  Access not within mapped region at address 0x0
==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281==    by 0x4134F9: main (dmr-test.cc:380)
==19281==  If you believe this happened as a result of a stack
==19281==  overflow in your program's main thread (unlikely but
==19281==  possible), you can try to increase the size of the
==19281==  main thread stack using the --main-stacksize= flag.
==19281==  The main thread stack size used in this run was 8388608.
==19281==
==19281== HEAP SUMMARY:
==19281==     in use at exit: 41,430 bytes in 185 blocks
==19281==   total heap usage: 247 allocs, 62 frees, 46,682 bytes allocated
==19281==

Minimal crash file from GwanYeong Kim <gy741.kim@gmail.com>

<?l?><t xmlns="http://xml.opendap.org/ns/DAP/4.0#"><Dimension name="" size="%n">
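The hazard the trace points at, as an added example in hypothetical C (not libdap's code): untrusted attribute text reaching vsnprintf as the format string, beside the hardened form and a small directive-count check a reviewer or input validator can apply. Reading the trace as a format-string issue is an inference from the symptom (percent characters in the input, invalid write at 0x0 inside vfprintf); the function and buffer names below are made up.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define MSG_MAX 256

/* Variadic error formatter in the shape of a dmr_error-style helper
 * (hypothetical, not libdap's code). Safe only when fmt is a trusted literal;
 * __attribute__((format(printf, 3, 4))) would let gcc/clang flag non-literal
 * fmt arguments under -Wformat-security. */
static int format_error_va(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe pattern: message built from untrusted text, then passed AS the
 * format. With value "%n", vsnprintf reads a pointer from nonexistent varargs
 * and writes through it (the invalid write in the trace). Benign input only. */
static const char *dimension_error_unsafe(const char *value) {
    static char msg[MSG_MAX], out[MSG_MAX];
    snprintf(msg, sizeof msg, "Invalid Dimension size: '%s'", value);
    format_error_va(out, sizeof out, msg);   /* BUG: untrusted format string */
    return out;
}

/* Hardened pattern: fixed format, untrusted text only ever goes through %s. */
static const char *dimension_error_safe(const char *value) {
    static char out[MSG_MAX];
    format_error_va(out, sizeof out, "Invalid Dimension size: '%s'", value);
    return out;
}

/* Review/validation aid: count conversion directives ('%' not escaped as
 * "%%"). Any in data that reaches a format argument is a finding. */
static int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; ++p)
        if (*p == '%' && p[1] == '%') ++p;         /* "%%" is a literal percent */
        else if (*p == '%') ++count;
    return count;
}

int main(void) {
    const char *crash_value = "%n";  /* constructed: size="%n" from the crash file */
    printf("%s  [directives: %d]\n", dimension_error_safe(crash_value),
           count_format_directives(crash_value));
    return 0;
}
```

On benign input both variants produce identical messages, which is why this class of bug survives ordinary testing and only surfaces under fuzzing.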

Assignee

James Gallagher

Reporter

Uday Kari

Priority

Medium