(CVE-2021-3516) heap-use-after-free in entities.c:621
Hi, I found a vulnerability in current master fb08d9fe. There is a heap-use-after-free in entities.c:621 in xmlEncodeEntitiesInternal.
build
CFLAGS="-ggdb -fsanitize=address" ./configure
POC
reproduce:
xmllint --nocompact --html --push ./poc1
ASan report
➜ Yuan /home/yuan/libxml2/xmllint --nocompact --html --push ./poc1
./poc1:1: HTML parser error : htmlParseTryOrFinish: invalid element name
<<a
^
./poc1:4: HTML parser error : Couldn't find end of Start Tag a
^
=================================================================
==19156==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000000a8 at pc 0x7ffff67ebba8 bp 0x7fffffffbb20 sp 0x7fffffffbb10
READ of size 1 at 0x6190000000a8 thread T0
#0 0x7ffff67ebba7 in xmlEncodeEntitiesInternal /home/yuan/libxml2/entities.c:621
#1 0x7ffff67ebd1b in xmlEncodeEntitiesReentrant__internal_alias /home/yuan/libxml2/entities.c:815
#2 0x7ffff69178a3 in htmlNodeDumpFormatOutput__internal_alias /home/yuan/libxml2/HTMLtree.c:850
#3 0x7ffff6918308 in htmlDocContentDumpOutput__internal_alias /home/yuan/libxml2/HTMLtree.c:995
#4 0x7ffff6918406 in htmlDocDump__internal_alias /home/yuan/libxml2/HTMLtree.c:1049
#5 0x55555556aeef in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2555
#6 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
#7 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#8 0x555555562899 in _start (/home/yuan/libxml2/.libs/xmllint+0xe899)
0x6190000000a8 is located 40 bytes inside of 1048-byte region [0x619000000080,0x619000000498)
freed by thread T0 here:
#0 0x7ffff6ef67a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x7ffff6ae2ed0 in xmlDictFree__internal_alias /home/yuan/libxml2/dict.c:848
#2 0x7ffff68090b8 in xmlFreeParserCtxt__internal_alias /home/yuan/libxml2/parserInternals.c:1802
#3 0x7ffff690a548 in htmlFreeParserCtxt__internal_alias /home/yuan/libxml2/HTMLparser.c:5130
#4 0x555555569ad0 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2222
#5 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
#6 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
previously allocated by thread T0 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7ffff6ae0515 in xmlDictAddString /home/yuan/libxml2/dict.c:271
#2 0x7ffff6ae394d in xmlDictLookup__internal_alias /home/yuan/libxml2/dict.c:962
#3 0x7ffff6af019a in xmlSAX2TextNode /home/yuan/libxml2/SAX2.c:1862
#4 0x7ffff6af4635 in xmlSAX2Text /home/yuan/libxml2/SAX2.c:2540
#5 0x7ffff6af52ee in xmlSAX2Characters__internal_alias /home/yuan/libxml2/SAX2.c:2641
#6 0x7ffff690f93a in htmlParseTryOrFinish /home/yuan/libxml2/HTMLparser.c:6017
#7 0x7ffff6910e9e in htmlParseChunk__internal_alias /home/yuan/libxml2/HTMLparser.c:6270
#8 0x555555569a34 in parseAndPrintFile /home/yuan/libxml2/xmllint.c:2218
#9 0x555555572a4e in main /home/yuan/libxml2/xmllint.c:3753
#10 0x7ffff638abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-use-after-free /home/yuan/libxml2/entities.c:621 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
0x0c327fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8010: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c327fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19156==ABORTING
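Reading the three stacks together: the text node's content came from xmlDictLookup under xmlSAX2TextNode, so it is a pointer into the parser context's dictionary rather than a private copy; that dictionary was released by xmlDictFree when xmllint freed the push parser context (xmllint.c:2222); htmlDocDump (xmllint.c:2555) then serialized the document and xmlEncodeEntitiesInternal read the first byte through the dangling pointer. The toy below is an editor's illustration added here, not code from libxml2 or from the reporter: the struct and function names are invented stand-ins for xmlDict, htmlParserCtxt and xmlDoc, and the text "<a" is a constructed sample in place of poc1. It keeps the two conventions that matter, namely that xmlDictLookup hands out dictionary-owned pointers and that xmlDictFree only releases storage when the last reference (see xmlDictReference) is gone, and replays xmllint's parse / free-context / dump order under three ownership policies.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of the ownership chain in the ASan trace above.  Not libxml2
 * code: toy_dict / toy_ctxt / toy_doc are invented stand-ins for
 * xmlDict / htmlParserCtxt / xmlDoc.
 */
enum mode {
    MODE_INTERN_NO_REF = 0,  /* what the trace shows: doc points into ctxt->dict but holds no reference */
    MODE_INTERN_WITH_REF,    /* doc shares the dict and owns a reference to it */
    MODE_COPY                /* text node receives a private copy; dict not involved */
};

typedef struct {
    int   refs;   /* owners; storage is released when this reaches 0 */
    char *slot;   /* backing store of the single interned string in this toy */
} toy_dict;

typedef struct { toy_dict *dict; } toy_ctxt;                                 /* parser context stand-in */
typedef struct { toy_dict *dict; char *content; int owns_content; } toy_doc; /* document + one text node */

static int live_dicts;  /* dictionaries whose storage is still allocated */

static toy_dict *toy_dict_create(void) {
    toy_dict *d = calloc(1, sizeof *d);
    if (d == NULL) abort();
    d->refs = 1;
    live_dicts++;
    return d;
}

static void toy_dict_reference(toy_dict *d) { d->refs++; }

/* Like xmlDictFree: drop one reference, free storage only on the last one. */
static void toy_dict_free(toy_dict *d) {
    if (--d->refs > 0) return;
    free(d->slot);
    free(d);
    live_dicts--;
}

/* Like xmlDictLookup: the returned pointer is owned by the dictionary. */
static char *toy_dict_lookup(toy_dict *d, const char *s) {
    free(d->slot);
    d->slot = malloc(strlen(s) + 1);
    if (d->slot == NULL) abort();
    strcpy(d->slot, s);
    return d->slot;
}

/* The SAX characters step (xmlSAX2TextNode in the trace) creating the text node. */
static void toy_text_node(toy_ctxt *ctxt, toy_doc *doc, const char *text, enum mode m) {
    if (m == MODE_COPY) {
        doc->content = malloc(strlen(text) + 1);
        if (doc->content == NULL) abort();
        strcpy(doc->content, text);
        doc->owns_content = 1;
        return;
    }
    if (m == MODE_INTERN_WITH_REF && doc->dict == NULL) {
        doc->dict = ctxt->dict;         /* share the dictionary ... */
        toy_dict_reference(doc->dict);  /* ... and own a reference to it */
    }
    doc->content = toy_dict_lookup(ctxt->dict, text);
}

/*
 * Replays xmllint's order: parse, free the parser context (xmllint.c:2222),
 * then dump the document (xmllint.c:2555).  Returns 1 when the dump reads
 * through storage that is still allocated, 0 when it would be the
 * use-after-free.  The verdict is taken from the refcount before the free,
 * so the toy itself never touches freed memory.
 */
static int replay(enum mode m, char *out, size_t outlen) {
    toy_ctxt ctxt = { toy_dict_create() };
    toy_doc doc = { NULL, NULL, 0 };

    toy_text_node(&ctxt, &doc, "<a", m);  /* constructed sample text, stands in for poc1 */

    int backed = doc.owns_content || ctxt.dict->refs > 1;

    toy_dict_free(ctxt.dict);  /* htmlFreeParserCtxt -> xmlFreeParserCtxt -> xmlDictFree */

    /* htmlDocDump -> xmlEncodeEntitiesInternal walks doc.content byte by byte */
    if (backed)
        snprintf(out, outlen, "%s", doc.content);
    else
        snprintf(out, outlen, "%s", "(would read freed dictionary storage)");

    /* xmlFreeDoc: release whatever the document owns */
    if (doc.owns_content) free(doc.content);
    if (doc.dict) toy_dict_free(doc.dict);
    return backed;
}

int main(void) {
    char buf[64];
    const char *names[] = { "intern, no reference", "intern, doc holds reference", "private copy" };
    for (int m = MODE_INTERN_NO_REF; m <= MODE_COPY; m++) {
        int ok = replay((enum mode)m, buf, sizeof buf);
        printf("%-28s -> %s: %s\n", names[m], ok ? "safe" : "UAF", buf);
    }
    return 0;
}
```

Only the first policy reproduces the trace's shape: the context's reference was the dictionary's last one, so freeing the context freed the storage the tree still pointed at. Either of the other two policies (the tree owning a dictionary reference, or the parser handing the tree copies instead of interned pointers) keeps the dump safe; which one libxml2 chose for the HTML push path is not stated on this page.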