Ticket #5 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

double free on invalid input

Reported by: hanno
Owned by: ovasik
Priority: major
Milestone:
Component: xmlif
Version:
Keywords:
Cc:
Blocked By:
Blocking:

Description

The attached file will cause a double free in xmlif.

Address Sanitizer output:

==10820==ERROR: AddressSanitizer: attempting double-free on 0x60200000efd0 in thread T0:
    #0 0x7f0bc9b2847f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5747f)
    #1 0x407474 in end_attribute /mnt/ram/xmlto/xmlif.l:102
    #2 0x407474 in yylex /mnt/ram/xmlto/xmlif.l:211
    #3 0x7f0bc9755f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #4 0x401961 (/mnt/ram/xmlto/xmlif/xmlif+0x401961)

0x60200000efd0 is located 0 bytes inside of 2-byte region [0x60200000efd0,0x60200000efd2)
freed by thread T0 here:
    #0 0x7f0bc9b2847f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5747f)
    #1 0x407474 in end_attribute /mnt/ram/xmlto/xmlif.l:102
    #2 0x407474 in yylex /mnt/ram/xmlto/xmlif.l:211

previously allocated by thread T0 here:
    #0 0x7f0bc9b286f7 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x576f7)
    #1 0x7f0bc97b8299 in strdup (/lib64/libc.so.6+0x82299)

Found with american fuzzy lop.

Attachments

doublefree.xml (25 bytes) - added by hanno 2 years ago.

Change History

Changed 2 years ago by hanno

comment:1 Changed 2 years ago by ovasik

  • Status changed from new to closed
  • Resolution set to fixed

Confirmed, attribute should be set to NULL after free to prevent it. Thanks for the report.

comment:2 Changed 2 years ago by ovasik

--- xmlif/xmlif.l (revision 81) +++ xmlif/xmlif.l (working copy) @@ -100,6 +100,8 @@

if (attribute)

free(attribute);

+ attribute=NULL; +

if (!end->up) {

fprintf(stderr,"xmlif: malformed end attribute!\n");
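Review bot: the added `attribute=NULL;` is placed after the `if (attribute) free(attribute);` block rather than inside it, which is correct, but since `free(NULL)` is defined as a no-op in C the guard is now redundant and the pair could simply read `free(attribute); attribute=NULL;`. The second added line is an empty `+` line and should be dropped from the commit. Note also that the free happens before the `if (!end->up)` malformed-input check, so this hunk makes a repeated `end_attribute` call harmless without recording why the handler runs twice for the attached input; consider committing the attached doublefree.xml alongside the fix as a regression input so the double-free path stays covered.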

.....Committed revision 82.
