Stack buffer overflow in SAX parser #195
Comments
Not sure if the file from gist is correct. Basically it is

The file is correct. It starts with

From a quick debug, I can see that in the instance where the issue is triggered: the

That seems a bit high. Thanks.

I'm not too strong in C, but I can see that in the

Might be right, I haven't gotten to look at it yet.

This was the original file that triggered the crash: https://drive.google.com/open?id=0B5Au7ViXBlHbbWhYNUNqa1hka0k

Just pushed a fix to master. I'll release after you check.

@ohler55 had a quick go with 2.8.2, seems it's still happening.

It looks like it might be a different, but related error. Not a crash but reading one past the loaded string. Any chance of telling me what the stack trace is?

@ohler55 in a container with the extension compiled with ASan, it is still giving me the same error. Without it, it seems to be fine now. I'd considered it closed, since I can't replicate it in a normal execution scenario. I'll give it another go tomorrow. I'll let you know if something else pops up.

@ohler55 if you want to test it out with ASan, here is the container I was using: https://hub.docker.com/r/clod81/afl-gcc-asan-ruby2.4.2/ On that, the error still shows up.

Thanks. I'll take a look in a few hours. I believe it is a different error but nonetheless it should be fixed and it is related. I suspect a check for <= end instead of < end. Have to find it though.

Docker is not part of my regular routine. Once I have pulled the image, how do I run it?

@ohler55 to get shell access:

I was going to try locally but gave up and tried valgrind instead. It shows clean with no invalid reads. Turning on my own tracing it looks ok. I'm at a loss to figure out where that is occurring.

Spent some more time and got the image running with Docker. Turns out it was a different buffer than the first. Completely different issue. Basically, on a long invalid processing instruction in the XML a temporary buffer was not terminated. Fixed and pushed. Thanks for the use of the image.

@ohler55 cool, great effort.
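The two defects discussed in this thread (a read guarded by `<= end` instead of `< end`, and a temporary buffer for a long, invalid processing instruction that was never NUL-terminated) in a defensive form, as an added example that is not code from the project under discussion or from anyone in this thread. `scan_pi`, `PI_BUF_SIZE` and the status values are assumptions; the input is a constructed byte string with no terminating NUL, which is exactly the case a SAX parser working on a loaded file region must survive.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PI_BUF_SIZE 32  /* deliberately small so the "too long" path is exercised */

enum pi_status { PI_OK = 0, PI_TOO_LONG = 1, PI_UNTERMINATED = 2 };

/* Scan a processing instruction whose leading "<?" has already been consumed.
 * The input is the half-open range [p, end) and is NOT assumed to be
 * NUL-terminated, so every read is guarded by `p < end` (never `<= end`).
 * The PI text is copied into `out` (PI_BUF_SIZE bytes), and `out` is
 * NUL-terminated on every return path, error paths included. */
static enum pi_status scan_pi(const char *p, const char *end,
                              char out[PI_BUF_SIZE], const char **next)
{
    size_t n = 0;
    out[0] = '\0';
    while (p < end) {
        /* Closing "?>": only look at p[1] if it is still inside the input. */
        if (*p == '?' && p + 1 < end && p[1] == '>') {
            out[n] = '\0';
            *next = p + 2;
            return PI_OK;
        }
        if (n + 1 >= PI_BUF_SIZE) {   /* keep one byte for the terminator */
            out[n] = '\0';
            *next = p;
            return PI_TOO_LONG;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';                    /* ran off the end: still terminated */
    *next = end;
    return PI_UNTERMINATED;
}

int main(void)
{
    /* Constructed sample: 64 bytes of 'a', no terminating NUL and no "?>". */
    char longpi[64];
    char out[PI_BUF_SIZE];
    const char *next;
    memset(longpi, 'a', sizeof longpi);
    enum pi_status st = scan_pi(longpi, longpi + sizeof longpi, out, &next);
    printf("status=%d copied=%zu bytes, buffer is terminated\n", st, strlen(out));
    return 0;
}
```

Built with `-fsanitize=address`, the three cases below (well-formed PI, oversized PI, PI cut off at end of input) run clean because no read steps past `end` and `out` is always terminated.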
Tested on ruby-2.4.2
POC crash (test.rb):
Input file that causes the crash: https://drive.google.com/open?id=0B5Au7ViXBlHbVG8yUDBtdHJzNlU
Launch:
Output:
Backtrace:
Output with AddressSanitizer (ASan):