Missing -maxmem Sanity Check on xmlSchemaInitTypes
Hello,
We are currently working on a new fuzz-testing feature, and we found a crash in xmllint.
Steps to Reproduce
- Configure and build zlib with CFLAGS="-g -O0 -fPIC" ./configure --static and make.
- Configure xmllint with CFLAGS="-g -O0" ./configure --with-zlib=${ZLIB_PATH} and build it with make.
- Run it with:
./xmllint --schema --path --maxmem 0 --nocompact --noent <attached_file> --walker --nowarning --dtdvalidfpi
Attachment: poc_0004.txt
Environment
- OS: Ubuntu 18.04.4 LTS
- Compiler: gcc 7.5.0
- libxml2 version: 2.9.10 (ftp://xmlsoft.org/libxml2/libxml2-sources-2.9.10.tar.gz)
- zlib version: 1.2.11 (https://www.zlib.net/zlib-1.2.11.tar.xz)
Additional context
It seems that the current behavior of xmllint does not sanity-check the --maxmem 0 flag.
Here's the stack trace: stack_trace_0004.txt
Program received signal SIGSEGV, Segmentation fault.
0x00000000005caf5d in xmlSchemaInitTypes ()
#0 0x00000000005caf5d in xmlSchemaInitTypes ()
#1 0x00000000005b4c4e in xmlSchemaParse ()
#2 0x0000000000411b1c in main ()
Thank you.
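As an added illustration (not code from libxml2, xmllint, or the reporter), the block below shows the two checks a memory-limit option like --maxmem needs: rejecting a limit of 0 at option-parsing time, since a budget of zero bytes makes every allocation fail, and checking every allocation result before it is dereferenced so that an exhausted budget ends in a clean error rather than a SIGSEGV. The allocator, the option parser and the type-table routine are all hypothetical and written for this example; the report itself does not establish which allocation in xmlSchemaInitTypes goes unchecked.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical byte-counting allocator in the spirit of a --maxmem limit.
 * None of this is libxml2 code; names and behaviour are assumptions. */
static size_t g_limit = 0;   /* 0 = unlimited internally; user input of 0 is refused */
static size_t g_in_use = 0;

size_t mem_in_use(void) { return g_in_use; }
void set_limit(size_t bytes) { g_limit = bytes; }

/* Parse the value of an assumed --maxmem option. Returns 0 and stores the
 * value on success, -1 for non-numeric input or for 0 (the case in the report). */
int parse_maxmem(const char *arg, size_t *out)
{
    char *end = NULL;
    unsigned long long v;

    if (arg == NULL || *arg == '\0' || out == NULL)
        return -1;
    errno = 0;
    v = strtoull(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;
    if (v == 0 || v > (unsigned long long)SIZE_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Self-check helper: 1 if arg parses to expected, else 0. */
int parse_gives(const char *arg, size_t expected)
{
    size_t v = 0;
    return parse_maxmem(arg, &v) == 0 && v == expected;
}

/* Allocate with a size header so the budget stays accurate on free. */
void *limited_malloc(size_t size)
{
    size_t *block;
    if (size > SIZE_MAX - g_in_use)                 /* overflow guard */
        return NULL;
    if (g_limit != 0 && g_in_use + size > g_limit)  /* over budget */
        return NULL;
    block = malloc(size + sizeof(size_t));
    if (block == NULL)
        return NULL;
    *block = size;
    g_in_use += size;
    return block + 1;
}

void limited_free(void *ptr)
{
    size_t *block;
    if (ptr == NULL)
        return;
    block = (size_t *)ptr - 1;
    g_in_use -= *block;
    free(block);
}

typedef struct { char *name; int id; } type_entry;

void free_types(type_entry *tab, size_t count)
{
    if (tab == NULL) return;
    for (size_t i = 0; i < count; i++) limited_free(tab[i].name);
    limited_free(tab);
}

/* A small "init types" routine that tests every allocation and unwinds on
 * failure instead of dereferencing NULL. */
int init_types_checked(type_entry **out, size_t count)
{
    type_entry *tab = limited_malloc(count * sizeof *tab);
    if (tab == NULL)
        return -1;
    for (size_t i = 0; i < count; i++) {
        char buf[32];
        int n = snprintf(buf, sizeof buf, "type%zu", i);
        tab[i].name = limited_malloc((size_t)n + 1);
        if (tab[i].name == NULL) {
            free_types(tab, i);      /* frees names 0..i-1 and the table */
            return -1;
        }
        memcpy(tab[i].name, buf, (size_t)n + 1);
        tab[i].id = (int)i;
    }
    *out = tab;
    return 0;
}

/* One scenario: 0 = initialised and all memory returned, -1 = clean failure
 * under the limit, -2 = accounting leak. */
int run_scenario(size_t limit, size_t count)
{
    type_entry *tab = NULL;
    int rc;
    set_limit(limit);
    rc = init_types_checked(&tab, count);
    free_types(tab, count);
    if (mem_in_use() != 0) return -2;
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    size_t v;
    printf("parse \"0\": %d, limit 1 byte: %d, limit 1 MiB: %d\n",
           parse_maxmem("0", &v), run_scenario(1, 4), run_scenario(1u << 20, 4));
    return 0;
}
```

Run with gcc -Wall -o maxmem_demo maxmem_demo.c and ./maxmem_demo: a limit of 1 byte makes the checked routine fail cleanly with nothing leaked, whereas an unchecked routine would crash on the first NULL, which is the behaviour the stack trace above is consistent with.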