Incorrect use of libxml2 APIs can cause a system crash or DoS
1. Missing xmlDocGetRootElement() check can cause a system crash
Hi, developers:
According to the API documentation, the return value of xmlDocGetRootElement() might be NULL. If we don't check the returned pointer before dereferencing it, the result is a segmentation fault.
For example, in libanjuta/anjuta-profile.c:1016:
1015 /* Parse plugin in xml file */
1016 xml_root = xmlDocGetRootElement(xml->doc);
1017 handles_list = parse_plugins (&set_list, xml_root, priv->plugin_manager, xml->file, &parse_error);
1018 if (parse_error != NULL) break;
The function parse_plugins() does not check whether xml_root is NULL and dereferences it directly via xml_root->xmlChildrenNode, so a NULL xml_root would crash the process:
876 static GList *
877 parse_plugins (GList **set_list, xmlNodePtr xml_root, AnjutaPluginManager *plugin_manager, GFile *file, GError **error)
878 {
879 xmlNodePtr xml_node;
...
885 /* Read plugin list */
886 for (xml_node = xml_root->xmlChildrenNode; xml_node; xml_node = xml_node->next)
887 {
888 xmlChar *name, *url, *mandatory_text;
The full list of source locations affected by this problem:
libanjuta/anjuta-profile.c:1016
libanjuta/anjuta-profile.c:1053
plugins/language-manager/plugin.c:80
plugins/language-support-js/gir-symbol.c:116
plugins/symbol-db/anjuta-tags/gir.c:188
2. Missing xmlFree() after xmlGetProp() can cause DoS
According to the libxml documentation, for xmlGetProp() it is up to the caller to free the memory with xmlFree(). If xmlFree() is never called on the value returned by xmlGetProp(), it may cause a DoS.
For example, in libanjuta/anjuta-profile.c:898-899, the variables name and url are never freed by calling xmlFree(). This bug results in a memory leak. In some cases the memory consumption might become huge, which may cause the process to fail.
898 name = xmlGetProp (xml_node, (const xmlChar*)"name");
899 url = xmlGetProp (xml_node, (const xmlChar*)"url");
900
The full list of source locations affected by this problem:
libanjuta/anjuta-profile.c:898
libanjuta/anjuta-profile.c:899
plugins/document-manager/anjuta-bookmarks.c:858
plugins/language-manager/plugin.c:99
plugins/language-manager/plugin.c:100
plugins/symbol-db/anjuta-tags/gir.c:157
plugins/symbol-db/anjuta-tags/gir.c:104
plugins/symbol-db/anjuta-tags/gir.c:39
plugins/symbol-db/anjuta-tags/gir.c:68
3. Missing xmlFree() after xmlNodeGetContent() can cause DoS
According to the libxml documentation, for xmlNodeGetContent() it is up to the caller to free the memory with xmlFree(). If xmlFree() is never called after xmlNodeGetContent(), it may cause a DoS.
The code at plugins/snippets-manager/snippets-xml-parser.c:717 and plugins/snippets-manager/snippets-xml-parser.c:520 does not free the memory allocated by xmlNodeGetContent() using xmlFree().
This bug results in a memory leak. In some cases the memory consumption might become huge, which may cause the process to fail.
717 cur_var_content = g_strdup ((gchar *)xmlNodeGetContent (cur_var_node));
718 if (!g_strcmp0 (cur_var_is_command, GLOBAL_VARS_XML_TRUE))
719 cur_var_is_command_bool = TRUE;
720 else
721 cur_var_is_command_bool = FALSE;

518 if (!g_strcmp0 ((gchar*)cur_node->name, NATIVE_XML_GROUP_NAME_TAG))
519 {
520 group_name = g_strdup ((gchar *)xmlNodeGetContent (cur_node));
521 break;
522 }
4. Missing xmlNodeGetContent() check can cause a system crash
According to the libxml documentation, xmlNodeGetContent() returns NULL if no content is available. If the return value is used without a proper check, a NULL dereference can happen.
For example, in plugins/snippets-manager/snippets-xml-parser.c:425, keywords_temp might be NULL, while the documentation of g_strsplit() says: "As a special case, the result of splitting the empty string "" is an empty vector, not a vector containing a single string."
If keywords_temp_array is an empty array, line 429 accessing keywords_temp_array[i] would cause an error, resulting in the process being terminated unexpectedly.
425 keywords_temp = (gchar *)xmlNodeGetContent (cur_field_node);
426 keywords_temp_array = g_strsplit (keywords_temp, " ", -1);
427
428 i = 0;
429 while (keywords_temp_array[i])
430 {
The same problem exists at plugins/snippets-manager/snippets-xml-parser.c:446:
446 languages_temp = (gchar *)xmlNodeGetContent (cur_field_node);
447 languages_temp_array = g_strsplit (languages_temp, " ", -1);
448
449 i = 0;
450 while (languages_temp_array[i])