xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal
Hi, we found a global-buffer-overflow in xmlEncodeEntitiesInternal at libxml2/entities.c:583.
version: commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1)
How to reproduce:
- build libxml2 with ASAN.
- run the following command:
xmllint --htmlout $PoC
Here's the ASAN log:
==19600==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5608cd40a230 at pc 0x7f6705c1cdb4 bp 0x7ffced505890 sp 0x7ffced505880
READ of size 1 at 0x5608cd40a230 thread T0
#0 0x7f6705c1cdb3 in xmlEncodeEntitiesInternal /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/entities.c:583
#1 0x5608cd1ea3f5 in xmlHTMLEncodeSend /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:531
#2 0x5608cd1ea3f5 in xmlHTMLError /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:642
#3 0x7f6705c7fac9 in __xmlRaiseError /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/error.c:638
#4 0x7f6705da51ec in xmlFatalErrMsgStrIntStr /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:720
#5 0x7f6705da51ec in xmlParseElementStart /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:10027
#6 0x7f6705dfea47 in xmlParseContent__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:9865
#7 0x7f6705e16d8f in xmlParseElement__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:9915
#8 0x7f6705e16d8f in xmlParseDocument__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:10751
#9 0x7f6705e6a5ab in xmlDoRead /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:15101
#10 0x7f6705e6a5ab in xmlCtxtReadFile__internal_alias /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/parser.c:15346
#11 0x5608cd1daee8 in parseAndPrintFile /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:2332
#12 0x5608cd1c0741 in main /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/xmllint.c:3732
#13 0x7f67057adb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#14 0x5608cd1ca1b9 in _start (/mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/.libs/xmllint+0x1f1b9)
0x5608cd40a230 is located 48 bytes to the left of global variable 'end' defined in 'xmllint.c:420:30' (0x5608cd40a260) of size 16
0x5608cd40a230 is located 0 bytes to the right of global variable 'buffer' defined in 'xmllint.c:525:13' (0x5608cd3fdee0) of size 50000
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/hda2/suhwan/add_project/final/FINAL_TEST_ZONE/program/xxx/libxml2/entities.c:583 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
==19600==ABORTING
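As an added example (not part of this report or of libxml2), a small Python triager that reduces an ASan global-buffer-overflow report like the one above to the facts a maintainer acts on: the faulting frame, the frame in the file that owns the overrun global, and the exact offset of the access relative to that global. The embedded report is a constructed copy of the log above with the build paths shortened.

```python
import re

# Constructed sample: the ASan report from this issue with the build paths shortened.
SAMPLE_REPORT = """\
==19600==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5608cd40a230 at pc 0x7f6705c1cdb4 bp 0x7ffced505890 sp 0x7ffced505880
READ of size 1 at 0x5608cd40a230 thread T0
    #0 0x7f6705c1cdb3 in xmlEncodeEntitiesInternal libxml2/entities.c:583
    #1 0x5608cd1ea3f5 in xmlHTMLEncodeSend libxml2/xmllint.c:531
    #2 0x5608cd1ea3f5 in xmlHTMLError libxml2/xmllint.c:642
    #3 0x7f6705c7fac9 in __xmlRaiseError libxml2/error.c:638
    #13 0x7f67057adb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
0x5608cd40a230 is located 48 bytes to the left of global variable 'end' defined in 'xmllint.c:420:30' (0x5608cd40a260) of size 16
0x5608cd40a230 is located 0 bytes to the right of global variable 'buffer' defined in 'xmllint.c:525:13' (0x5608cd3fdee0) of size 50000
SUMMARY: AddressSanitizer: global-buffer-overflow libxml2/entities.c:583 in xmlEncodeEntitiesInternal
"""

HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.M)
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
# Frames without a file:line (e.g. __libc_start_main in a shared object) deliberately do not match.
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", re.M)
GLOBAL = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes to the (left|right) of global "
                    r"variable '(\w+)' defined in '([^']+)' \(0x[0-9a-f]+\) of size (\d+)", re.M)

def triage(report):
    """Reduce an ASan global-buffer-overflow report to the facts a triager acts on."""
    bug, addr = HEADER.search(report).groups()
    mode, size = ACCESS.search(report).groups()
    frames = [(int(n), fn, f"{path}:{line}") for n, fn, path, line in FRAME.findall(report)]
    # ASan lists every global near the address; the one at the smallest distance is the victim.
    candidates = [(int(d), side, name, where, int(sz)) for d, side, name, where, sz in GLOBAL.findall(report)]
    dist, side, name, where, gsize = min(candidates)
    offset = gsize + dist if side == "right" else -dist   # byte offset of the access from the global's start
    owner_file = where.split(":")[0]                      # file that defines the victim global
    return {
        "bug": bug, "access": f"{mode} of {size} byte(s)", "address": addr,
        "faulting_frame": frames[0][1:],                  # where the bad access executes
        "owner_frame": next(f[1:] for f in frames if f[2].split(":")[0].endswith(owner_file)),
        "victim": name, "victim_size": gsize, "defined_at": where,
        "offset_from_start": offset,                      # == victim_size means exactly one past the end
    }

def describe(t):
    """One-line human summary suitable for a bug tracker title or triage note."""
    past = t["offset_from_start"] - t["victim_size"]
    return (f"{t['bug']}: {t['access']} at byte {t['offset_from_start']} of global "
            f"'{t['victim']}' ({t['victim_size']} bytes, {t['defined_at']}), {past} byte(s) past its end, "
            f"in {t['faulting_frame'][0]} called from {t['owner_frame'][0]}")

if __name__ == "__main__":
    print(describe(triage(SAMPLE_REPORT)))
```

The result for this report shows a 1-byte read at byte 50000 of the 50000-byte global 'buffer' from xmllint.c, i.e. the encoder in entities.c ran exactly one byte past the end of a buffer owned by the caller in xmllint.c.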
This was found by the Agency for Defense Development (ADD).