mxml-V4.0.2 stack-overflow in Function mxmlLoadString #323

Closed
ypcd opened this issue Apr 13, 2024 · 2 comments
Labels
unable-to-reproduce Unable to reproduce

Comments

ypcd commented Apr 13, 2024

mxml-V4.0.2 stack-overflow in Function mxmlLoadString

mxml version: V4.0.2, master(2024-4-13)

clang version: V17.0.6

Computer model: Apple MacBook Air M1 (arm64)

Operating system version: CentOS Stream 9 (kernel 5.14.0-435.el9.aarch64)

I'm building mxml 4.0.2 using clang 17 and AddressSanitizer.
Performing the following operations results in a "stack-overflow" error in the mxmlLoadString function in the "mxml-file.c" file.

error message:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==25150==ERROR: AddressSanitizer: stack-overflow on address 0xffffe4b7d1e5 (pc 0xffffe4b7d1e5 bp 0xffffe4b7c000 sp 0xffffe4b7bee0 T0)
/usr/bin/llvm-symbolizer: error: '[stack]': No such file or directory
     #0 0xffffe4b7d1e5 ([stack]+0x201e5)
     #1 0xffffb3c2aeec in mxmlLoadString /home/user2/mxml-master/mxml-file.c:242:11
     #2 0x50cf88 in main /home/user2/mxml-master/./mxml--V4_test_input--.cpp:19:8
     #3 0xffffb36692fc in __libc_start_call_main (/lib64/libc.so.6+0x272fc) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #4 0xffffb36693d4 in __libc_start_main@GLIBC_2.17 (/lib64/libc.so.6+0x273d4) (BuildId: ac204fa2b2a4b439262841496e92461f72f00fcb)
     #5 0x4304ac in _start (/home/user2/mxml-master/mxml_input+0x4304ac) (BuildId: 908a0efe4e2999feab4c16425ebf978ed47bf77f)

SUMMARY: AddressSanitizer: stack-overflow ([stack]+0x201e5)
==25150==ABORTING

Reproduction steps:
mxml--V4.0.2--stack-overflow.zip

Install clang 17.
Unzip the "mxml-4.0.2.tar.gz" file to obtain the "mxml-4.0.2" folder.

The mxml--V4.0.2--stack-overflow.zip compressed package contains the files "mxml--V4_test_input--.cpp", "mxml-V4.0.2--crash--stack-overflow.txt" and "run.mxml-V4.input--single-file--.sh"; copy them to the "mxml-4.0.2" folder.

Under the "mxml-4.0.2" folder, execute the following command:

source run.mxml-V4.input--single-file--.sh or ./run.mxml-V4.input--single-file--.sh
(Be careful not to use sh run.mxml-V4.input--single-file--.sh; the script file sets environment variables.)

./mxml_input < ./mxml-V4.0.2--crash--stack-overflow.txt
(Note: The error will not be triggered every time. You will need to run it a few times.)
michaelrsweet (Owner) commented

OK, so your test code passes an uninitialized mxml_options_t pointer. I'm not able to reproduce when it is initialized to NULL.

I will also advise you not to include the Mini-XML private header, since that isn't something you will normally have access to: it is private to the library, subject to change at any time, and not public API...

michaelrsweet self-assigned this Apr 13, 2024
michaelrsweet added the unable-to-reproduce label Apr 13, 2024


ypcd commented Apr 13, 2024

Hello, thank you for your reply.
The source code for the example I wrote is wrong.
My example cannot prove that mxml has security vulnerabilities.
