CWE-476 NULL pointer dereference in valid.c:772
Hi, I found a vulnerability in the current master 5465a8e5, and I also reproduced it on v2.9.10.
There is another CWE-476 NULL pointer dereference in the library, in xmlValidBuildAContentModel; it can be triggered by a different payload.
Thank you.
PoC:
To reproduce:
CFLAGS='-g -fsanitize=address' ./configure
make
./xmllint --recover --postvalid ./poc
ASAN report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2659923==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5104d55bd6 bp 0x7fff4c07e140 sp 0x7fff4c07e010 T0)
==2659923==The signal is caused by a READ memory access.
==2659923==Hint: address points to the zero page.
#0 0x7f5104d55bd6 in xmlValidBuildAContentModel /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:772
#1 0x7f5104d55aea in xmlValidBuildAContentModel /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:769
#2 0x7f5104d56418 in xmlValidBuildContentModel__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:839
#3 0x7f5104d68581 in xmlValidateElementContent /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:5330
#4 0x7f5104d6c3de in xmlValidateOneElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6233
#5 0x7f5104d6db00 in xmlValidateElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6478
#6 0x7f5104d701d7 in xmlValidateDocument__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6941
#7 0x5625a31e08db in parseAndPrintFile /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:2815
#8 0x5625a31e6f81 in main /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:3754
#9 0x7f5104a140b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#10 0x5625a31d6b2d in _start (/home/yuawn/fuzzing/libxml2/reproduce/libxml2/.libs/xmllint+0xfb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:772 in xmlValidBuildAContentModel
==2659923==ABORTING