Ticket #4 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

xmlif segfault on malformed input

Reported by: hanno Owned by: ovasik
Priority: major Milestone:
Component: xmlif Version:
Keywords: Cc:
Blocked By: Blocking:

Description

The attached file will cause a segfault in xmlif.

valgrind output:
==2066== Invalid read of size 8
==2066==    at 0x401496: end_attribute (xmlif.l:104)
==2066==    by 0x401496: yylex (xmlif.l:211)
==2066==    by 0x4E55F9F: (below main) (libc-start.c:289)
==2066==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==2066== 
==2066== 
==2066== Process terminating with default action of signal 11 (SIGSEGV)
==2066==  Access not within mapped region at address 0x8
==2066==    at 0x401496: end_attribute (xmlif.l:104)
==2066==    by 0x401496: yylex (xmlif.l:211)
==2066==    by 0x4E55F9F: (below main) (libc-start.c:289)
==2066==  If you believe this happened as a result of a stack
==2066==  overflow in your program's main thread (unlikely but
==2066==  possible), you can try to increase the size of the
==2066==  main thread stack using the --main-stacksize= flag.
==2066==  The main thread stack size used in this run was 8388608.

Attachments

xmlif-crash.xml (13 bytes) - added by hanno 2 years ago.

Change History

Changed 2 years ago by hanno

xmlif-crash.xml

comment:1 Changed 2 years ago by ovasik

Reproducible with a simple xmlif <xmlif-crash.xml ... thanks for the report. I will take a look at how to easily fix it.

comment:2 Changed 2 years ago by ovasik

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in revision 81. However, it seems that svn browser is broken, so I can't give you a link to a patch: $ svn diff Index: ChangeLog? =================================================================== --- ChangeLog? (revision 80) +++ ChangeLog? (working copy) @@ -1,3 +1,6 @@ +2015-02-05 Ondrej Vasik <ovasik@…> + * xmlif/xmlif.{c,l}: fix segfault with malformed end attribute +

2015-01-21 Ondrej Vasik <ovasik@…>

  • configure.in: prefer elinks over links nowadays (suggested by mathiaswe from Gentoo)

Index: xmlif/xmlif.c =================================================================== --- xmlif/xmlif.c (revision 78) +++ xmlif/xmlif.c (working copy) @@ -1138,6 +1138,11 @@

if (attribute)

free(attribute);

+ if (!end->up) + { + fprintf(stderr,"xmlif: malformed end attribute!\n"); + exit(1); + }

end->suppressed = (ifsense == !!end->suppressed); for (up = end->up; up->up; up = up->up)

if (up->suppressed)

Index: xmlif/xmlif.l =================================================================== --- xmlif/xmlif.l (revision 78) +++ xmlif/xmlif.l (working copy) @@ -100,6 +100,11 @@

if (attribute)

free(attribute);

+ if (!end->up) + { + fprintf(stderr,"xmlif: malformed end attribute!\n"); + exit(1); + }

end->suppressed = (ifsense == !!end->suppressed); for (up = end->up; up->up; up = up->up)

if (up->suppressed)
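Review bot: the xmlif.c and xmlif.l hunks are identical; if xmlif.c is the flex output of xmlif.l, the edit belongs only in the .l source with the .c regenerated, otherwise the next flex run will silently discard the fix. The `if (!end->up)` guard itself is placed correctly: it comes right before `for (up = end->up; up->up; up = up->up)`, which is the read through a NULL `end->up` that valgrind reported in end_attribute at xmlif.l:104 (invalid read at address 0x8), so the unmatched end attribute now produces the stderr message and exit(1) instead of a crash. Consider adding the input line number to the message so a user can locate the stray end attribute in a large document.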
