Consider using reliable crash-resistant xml parser instead of xml-rs. #3

Closed
xjewer opened this issue Aug 1, 2022 · 4 comments

@xjewer
Collaborator

xjewer commented Aug 1, 2022

After introducing libfuzzer #2 (comment), I found out that the xml-rs crate has at least one place that crashes with "attempt to add with overflow".

Moreover, xml-rs hasn't had contributions for almost a year and it seems to be abandoned.

cc @kornelski

@kornelski
Collaborator

The state of Rust XML parsers is a bit sad. I've tried quick-xml, but it wasn't better.

@00xc

00xc commented Jun 1, 2023

I tested this with the latest xml-rs version (v0.8.13) and the crash does not reproduce anymore. Consider updating the dependencies for this repository.

@00xc

00xc commented Jun 1, 2023

Just FYI, I have tested this again and found 2 more panics in xml-rs through the svg-hush harness:

@kornelski
Collaborator

I've fixed and improved a bunch of things in xml-rs, and I think it's a good choice now. There might still be some bugs left, so please keep fuzzing!
