SEGV at parser.c:14073 in xmlSAXParseFileWithData during AFL fuzzing
The error message was as follows when running an AFL-fuzz test against the xmlRecoverFile interface:
==145885==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x0000004acd91 bp 0x000000000000 sp 0x7ffca0757e40 T0)
==145885==The signal is caused by a READ memory access.
==145885==Hint: address points to the zero page.
#0 0x4acd90 in xmlSAXParseFileWithData /home/abuild/rpmbuild/BUILD/libxml2-2.9.10/parser.c:14073
#1 0x407305 in main /home/EulerOS_API-sanity/tests_src/libxml2/tests/libxml2/2.9.8-4/groups/parser/functions/xmlRecoverFile/test.c:8
#2 0x7f5f73f98b66 in __libc_start_main (/usr/lib64/libc.so.6+0x25b66)
#3 0x408269 in _start (/home/EulerOS_API-sanity/tests_src/libxml2/tests/libxml2/2.9.8-4/groups/parser/functions/xmlRecoverFile/test.bak2+0x408269)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/abuild/rpmbuild/BUILD/libxml2-2.9.10/parser.c:14073 in xmlSAXParseFileWithData
==145885==ABORTING
Reproduction steps:
- prepare a test.c
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    xmlDocPtr doc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <xml-file>\n", argv[0]);
        return 1;
    }
    /* Pass the path straight through instead of strcpy() into a fixed
       1000-byte buffer, which could itself overflow on a long argv[1]. */
    doc = xmlRecoverFile(argv[1]); /* target call */
    if (doc != NULL)
        xmlFreeDoc(doc);
    xmlCleanupParser();
    return 0;
}
- compile: AFL_USE_ASAN=1 afl-gcc -Wall -I/usr/include/libxml2 test.c -o test -L/usr/lib64 -lm-2.28 -lc-2.28 -llzma -ldl-2.28 /var/tmp/build-root/standard_x86_64-x86_64/home/abuild/rpmbuild/BUILD/libxml2-2.9.10/.libs/libxml2.a -lz -lpthread
- run afl-fuzz -i testdata -o out -m none ./test @@; crashes were found. The testdata used at that time is attached.