We're updating the issue view to help you get more done.Â
NULL pointer dereference in D4ParserSax2
Description
Reported on Github by GwanYeong Kim
Summary
memory error (invalid write of size 4) in vsnprnt caused by the percent characters (%) in the xml file (attached) specifically designed to look for memory corruption (fuzzing), whereby security experts look for the bits that cause a particular crash and determine if they are exploited.
Specifically,
1
valgrind --trace-children=yes ./dmr-test -p Null_D4ParserSax2returns (just including useful portion):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
==19281== Command: /home/centos/hyrax/libdap4/tests/.libs/lt-dmr-test -p Null_D4ParserSax2
==19281==
==19281== Invalid write of size 4
==19281== at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281== by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281== by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281== by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281== by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281== by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281== by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281== by 0x4134F9: main (dmr-test.cc:380)
==19281== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19281==
==19281==
==19281== Process terminating with default action of signal 11 (SIGSEGV)
==19281== Access not within mapped region at address 0x0
==19281== at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281== by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281== by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281== by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281== by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281== by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281== by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281== by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281== by 0x4134F9: main (dmr-test.cc:380)
==19281== If you believe this happened as a result of a stack
==19281== overflow in your program's main thread (unlikely but
==19281== possible), you can try to increase the size of the
==19281== main thread stack using the --main-stacksize= flag.
==19281== The main thread stack size used in this run was 8388608.
==19281==
==19281== HEAP SUMMARY:
==19281== in use at exit: 41,430 bytes in 185 blocks
==19281== total heap usage: 247 allocs, 62 frees, 46,682 bytes allocated
==19281==Minimal crash file from GwanYeong Kim <gy741.kim@gmail.com>
1
<?l?><t xmlns="http://xml.opendap.org/ns/DAP/4.0#"><Dimension name="" size="%n">Environment
None
