
NULL pointer dereference in D4ParserSax2

Description

Reported on GitHub by GwanYeong Kim

Summary

Memory error (invalid write of size 4) in vsnprintf, triggered by percent characters (%) in the attached XML file. The file was produced by fuzzing, i.e. by generating malformed inputs specifically to provoke memory corruption; the next step is to isolate the bits that cause a given crash and determine whether it is exploitable. The stack trace below is consistent with the Dimension element's size attribute value ("%n" in the minimal crash file) reaching dmr_error() as the format string rather than as an argument: vsnprintf interprets the %n directive and writes an int through a pointer argument that was never passed. In this run that pointer was NULL, hence the 4-byte invalid write at address 0x0, but the underlying defect is a format string bug, not merely a NULL dereference, and what %n writes through depends on whatever happens to be in the argument area at the time of the call.

Specifically,

valgrind --trace-children=yes ./dmr-test -p Null_D4ParserSax2

prints (only the useful portion is included):

==19281== Command: /home/centos/hyrax/libdap4/tests/.libs/lt-dmr-test -p Null_D4ParserSax2
==19281==
==19281== Invalid write of size 4
==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281==    by 0x4134F9: main (dmr-test.cc:380)
==19281==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==19281==
==19281==
==19281== Process terminating with default action of signal 11 (SIGSEGV)
==19281==  Access not within mapped region at address 0x0
==19281==    at 0x63D2611: vfprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x63FC1B8: vsnprintf (in /usr/lib64/libc-2.17.so)
==19281==    by 0x5124CAF: libdap::D4ParserSax2::dmr_error(void*, char const*, ...) (D4ParserSax2.cc:1223)
==19281==    by 0x51288EA: libdap::D4ParserSax2::process_dimension_def(char const*, unsigned char const**, int) (D4ParserSax2.cc:209)
==19281==    by 0x512BC40: libdap::D4ParserSax2::dmr_start_element(void*, unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) (D4ParserSax2.cc:704)
==19281==    by 0x58478CF: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584DE61: ??? (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x584F61D: xmlParseChunk (in /usr/lib64/libxml2.so.2.9.1)
==19281==    by 0x512595C: libdap::D4ParserSax2::intern(std::istream&, libdap::DMR*, bool) (D4ParserSax2.cc:1342)
==19281==    by 0x4160C2: test_dap4_parser(std::string const&, bool, bool) (dmr-test.cc:94)
==19281==    by 0x4134F9: main (dmr-test.cc:380)
==19281==  If you believe this happened as a result of a stack
==19281==  overflow in your program's main thread (unlikely but
==19281==  possible), you can try to increase the size of the
==19281==  main thread stack using the --main-stacksize= flag.
==19281==  The main thread stack size used in this run was 8388608.
==19281==
==19281== HEAP SUMMARY:
==19281==     in use at exit: 41,430 bytes in 185 blocks
==19281==   total heap usage: 247 allocs, 62 frees, 46,682 bytes allocated
==19281==

Minimal crash file from GwanYeong Kim <gy741.kim@gmail.com>

<?l?><t xmlns="http://xml.opendap.org/ns/DAP/4.0#"><Dimension name="" size="%n">
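As an added illustration (not libdap's code and not part of this ticket), the C program below reproduces the pattern the stack trace implies: a variadic error reporter that is handed untrusted attribute text as its format string, placed next to the hardened form that passes the same text through a literal "%s" format, plus a small check that counts printf directives in untrusted input so a fuzz harness or unit test can flag such text before it ever reaches a format argument. The names parser_ctx, error_unsafe, error_safe, unsafe_dimension_error, safe_dimension_error and count_format_directives are hypothetical, and the input "%n" is constructed to match the crash file's size attribute. Run with no arguments for the safe path; pass `crash` to execute the unsafe path, which is undefined behaviour and is what a Valgrind or sanitizer run is expected to catch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parser context; only the error buffer matters for this demo. */
struct parser_ctx {
    char error[256];
};

/* Vulnerable pattern: a variadic error reporter whose caller forwards
 * untrusted text as the format string. This mirrors the shape of the trace
 * (error reporter -> vsnprintf -> invalid write), not libdap's real source. */
static void error_unsafe(struct parser_ctx *ctx, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(ctx->error, sizeof ctx->error, fmt, ap);
    va_end(ap);
}

static void unsafe_dimension_error(struct parser_ctx *ctx, const char *size_attr)
{
    /* BUG: size_attr ("%n" in the crash file) becomes the format string.
     * vsnprintf then consumes a pointer argument that was never passed and
     * writes an int through it: undefined behaviour, a segfault at best. */
    error_unsafe(ctx, size_attr);
}

/* Hardened form: the format is always a literal and untrusted text is an
 * argument. The format attribute lets gcc/clang -Wformat-security warn if a
 * caller ever forwards a non-literal as the format. */
static void error_safe(struct parser_ctx *ctx, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static void error_safe(struct parser_ctx *ctx, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(ctx->error, sizeof ctx->error, fmt, ap);
    va_end(ap);
}

static void safe_dimension_error(struct parser_ctx *ctx, const char *size_attr)
{
    error_safe(ctx, "Invalid Dimension size attribute: '%s'", size_attr);
}

/* Counts printf conversion directives in untrusted text. "%%" is a literal
 * percent sign and does not count. A fuzz harness or unit test can assert
 * that attacker-controlled text with a non-zero count never reaches a
 * format parameter. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    struct parser_ctx ctx;
    /* Constructed input, identical to the crash file's size attribute value. */
    const char *attr = "%n";

    printf("format directives in attribute: %d\n", count_format_directives(attr));

    safe_dimension_error(&ctx, attr);
    printf("safe: %s\n", ctx.error);

    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        unsafe_dimension_error(&ctx, attr);   /* undefined behaviour; expect a crash */
        printf("unsafe: %s\n", ctx.error);
    }
    return 0;
}
```

Compile with `-Wall -Wformat=2 -Wformat-security`: because error_safe carries the format attribute, a call such as error_safe(ctx, attr) is reported at compile time as "format not a string literal", which is the cheapest way to keep this class of bug out of a code base that wraps vsnprintf in its own error helpers.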

Assignee

James Gallagher

Reporter

Uday Kari

Priority

Medium