heap-use-after-free in Function mxmlWalkNext #234
Comments
@fouzhe I'm sorry, but I really don't know what to do with this. The backtrace is for mxmldoc, but the command you've provided is the unit test program. The referenced file is garbage.

@michaelrsweet Anyway, the bug occurs in the library!

@fouzhe If I cannot reproduce, I cannot fix. Please provide more information or I will just have to close it...

@michaelrsweet The file is OK and you should add AddressSanitizer(

However, just as this issue #232 says, there are detected memory leaks when compiling with AddressSanitizer, but you are not willing to fix it, so you should also

There is a limit to how much bloat I will add to what is a standalone developer tool that happens to be bundled with the Mini-XML library.

Ridiculous....

If the library can't deal with a garbage file, the library is just garbage......

@fouzhe This isn't the library crashing, this is the standalone developer tool that is bundled with the library crashing, based on invalid C code being passed to it. All the more reason I should just move mxmldoc to a separate project...

Dupe of Issue #237, and I've just removed mxmldoc from the project.

FWIW, changes in the codedoc project fix this issue.

I used clang 6.0 and AddressSanitizer to build mxml 2.12. This file can cause a heap-use-after-free in mxmlWalkNext in mxml-search.c when executing this command:

```
./mxmldoc $crash
```

This is the ASAN information:

```
==2544==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000008ec0 at pc 0x7fedf0751729 bp 0x7fff65264ee0 sp 0x7fff65264ed0
READ of size 8 at 0x608000008ec0 thread T0
    #0 0x7fedf0751728 in mxmlWalkNext /home/fouzhe/my_fuzz/mxml/mxml-search.c:212
    #1 0x7fedf075180c in mxmlFindElement /home/fouzhe/my_fuzz/mxml/mxml-search.c:101
    #2 0x405074 in sort_node /home/fouzhe/my_fuzz/mxml/mxmldoc.c:3372
    #3 0x405b5d in scan_file /home/fouzhe/my_fuzz/mxml/mxmldoc.c:1981
    #4 0x402b1d in main /home/fouzhe/my_fuzz/mxml/mxmldoc.c:503
    #5 0x7fedeff5d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402ff8 in _start (/home/fouzhe/my_fuzz/mxml/mxmldoc+0x402ff8)

0x608000008ec0 is located 32 bytes inside of 88-byte region [0x608000008ea0,0x608000008ef8)
freed by thread T0 here:
    #0 0x7fedf09f92ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4050c1 in sort_node /home/fouzhe/my_fuzz/mxml/mxmldoc.c:3389

previously allocated by thread T0 here:
    #0 0x7fedf09f979a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7fedf0750e50 in mxml_new /home/fouzhe/my_fuzz/mxml/mxml-node.c:844

SUMMARY: AddressSanitizer: heap-use-after-free /home/fouzhe/my_fuzz/mxml/mxml-search.c:212 mxmlWalkNext
Shadow bytes around the buggy address:
  0x0c107fff9180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff9190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff91a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fff91b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff91c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fff91d0: fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd fd fa
  0x0c107fff91e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff91f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c107fff9220: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2544==ABORTING
```
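The pattern the backtrace above shows (a node released inside sort_node, after which the walk in mxmlWalkNext reads it) reduced to a small constructed sibling list, with the corrected loop beside the buggy one. This is an added example, not code from mxml or mxmldoc; the node_t struct and every function name here are assumptions of the example, not Mini-XML's real API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a Mini-XML style sibling list; not mxml's real mxml_node_t. */
typedef struct node_s {
    char name[16];
    struct node_s *prev, *next;
} node_t;

/* Build n siblings named "n0".."n{n-1}"; calloc mirrors the allocation site in the trace. */
node_t *build_list(int n) {
    node_t *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        node_t *nd = calloc(1, sizeof *nd);
        snprintf(nd->name, sizeof nd->name, "n%d", i);
        nd->prev = tail;
        if (tail) tail->next = nd; else head = nd;
        tail = nd;
    }
    return head;
}

/* Detach one node from the list (shared by both variants below). */
static void unlink_node(node_t **head, node_t *nd) {
    if (nd->prev) nd->prev->next = nd->next; else *head = nd->next;
    if (nd->next) nd->next->prev = nd->prev;
}

/* BUGGY: the loop frees cur, then the loop increment reads cur->next from freed memory.
 * Built with -fsanitize=address this is reported as heap-use-after-free at the walk step.
 * Kept only for comparison with the fixed version; nothing here calls it. */
int remove_named_buggy(node_t **head, const char *name) {
    int removed = 0;
    for (node_t *cur = *head; cur; cur = cur->next) {
        if (strcmp(cur->name, name) == 0) { unlink_node(head, cur); free(cur); removed++; }
    }
    return removed;
}

/* FIXED: read the successor before unlinking and freeing, so the walk never touches a released node. */
int remove_named_safe(node_t **head, const char *name) {
    int removed = 0;
    for (node_t *cur = *head, *next; cur; cur = next) {
        next = cur->next;
        if (strcmp(cur->name, name) == 0) { unlink_node(head, cur); free(cur); removed++; }
    }
    return removed;
}

int count_nodes(const node_t *h) { int n = 0; for (; h; h = h->next) n++; return n; }
void free_list(node_t *h) { while (h) { node_t *n = h->next; free(h); h = n; } }
```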