CWE-476 NULL pointer dereference in valid.c:1330 in xmlSnprintfElementContent
Hi, I found a vulnerability in current master 5465a8e5, and I also reproduced it on v2.9.10.
There is a CWE-476 NULL Pointer Dereference in the library, in xmlSnprintfElementContent__internal_alias; it can lead to a segmentation fault and cause a denial of service.
Thank you!
PoC:
To reproduce:
CFLAGS='-g -fsanitize=address' ./configure
make
./xmllint --recover --postvalid ./poc
ASAN report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2601435==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6b90db7841 bp 0x7ffd77f1a4b0 sp 0x7ffd77f1a470 T0)
==2601435==The signal is caused by a READ memory access.
==2601435==Hint: address points to the zero page.
#0 0x7f6b90db7841 in xmlSnprintfElementContent__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:1330
#1 0x7f6b90dc7cf0 in xmlValidateElementContent /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:5527
#2 0x7f6b90dcb3de in xmlValidateOneElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6233
#3 0x7f6b90dccb00 in xmlValidateElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6478
#4 0x7f6b90dcf1d7 in xmlValidateDocument__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6941
#5 0x56016b2638db in parseAndPrintFile /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:2815
#6 0x56016b269f81 in main /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:3754
#7 0x7f6b90a730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#8 0x56016b259b2d in _start (/home/yuawn/fuzzing/libxml2/reproduce/libxml2/.libs/xmllint+0xfb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:1330 in xmlSnprintfElementContent__internal_alias
==2601435==ABORTING
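When a fuzzing campaign produces many reports like the one above, the first triage step is to turn each ASan report into a stable crash signature (error kind, faulting address class, top in-project frames) so duplicates can be grouped and a zero-page read can be flagged as a probable NULL dereference. The parser below is an added example written for this page, not code from libxml2 or from the reporter; it embeds the report above as its sample input, and the `__internal_alias` stripping is an assumption that the suffix is libxml2's hidden-alias decoration and should be normalized away when comparing signatures.

```python
import os
import re

# Sample input: the AddressSanitizer report from the bug report above
# (frame lines indented as ASan prints them), embedded so this runs offline.
SAMPLE_REPORT = """AddressSanitizer:DEADLYSIGNAL
=================================================================
==2601435==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6b90db7841 bp 0x7ffd77f1a4b0 sp 0x7ffd77f1a470 T0)
==2601435==The signal is caused by a READ memory access.
==2601435==Hint: address points to the zero page.
    #0 0x7f6b90db7841 in xmlSnprintfElementContent__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:1330
    #1 0x7f6b90dc7cf0 in xmlValidateElementContent /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:5527
    #2 0x7f6b90dcb3de in xmlValidateOneElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6233
    #3 0x7f6b90dccb00 in xmlValidateElement__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6478
    #4 0x7f6b90dcf1d7 in xmlValidateDocument__internal_alias /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:6941
    #5 0x56016b2638db in parseAndPrintFile /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:2815
    #6 0x56016b269f81 in main /home/yuawn/fuzzing/libxml2/reproduce/libxml2/xmllint.c:3754
    #7 0x7f6b90a730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #8 0x56016b259b2d in _start (/home/yuawn/fuzzing/libxml2/reproduce/libxml2/.libs/xmllint+0xfb2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuawn/fuzzing/libxml2/reproduce/libxml2/valid.c:1330 in xmlSnprintfElementContent__internal_alias
==2601435==ABORTING
"""

# "==<pid>==ERROR: AddressSanitizer: <kind> [on unknown address 0x...]"
ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+)(?: on unknown address (0x[0-9a-fA-F]+))?"
)
# "    #<n> 0x<pc> in <function> <file:line | (module+offset)>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
# "SUMMARY: AddressSanitizer: <kind> <file:line> in <function>"
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)\s+(\S+)\s+in\s+(\S+)")

# Addresses below this are treated as "zero page" (unmapped on Linux by
# default, so a read there is almost always a NULL-pointer-derived access).
ZERO_PAGE_LIMIT = 0x1000


def triage_asan_report(text):
    """Parse one ASan report into a dict of the fields needed for triage."""
    info = {"pid": None, "error": None, "address": None, "frames": [], "summary": None}
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            info["pid"] = int(m.group(1))
            info["error"] = m.group(2)
            info["address"] = m.group(3)
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append(
                {"idx": int(m.group(1)), "func": m.group(2), "loc": m.group(3)}
            )
            continue
        m = SUMMARY_RE.match(line)
        if m:
            info["summary"] = {"kind": m.group(1), "loc": m.group(2), "func": m.group(3)}
    # A SEGV on a zero-page address is the classic CWE-476 pattern.
    info["null_deref"] = (
        info["error"] == "SEGV"
        and info["address"] is not None
        and int(info["address"], 16) < ZERO_PAGE_LIMIT
    )
    return info


def normalize_func(name):
    """Drop libxml2's hidden-alias suffix (assumption) so aliases dedupe together."""
    return re.sub(r"__internal_alias$", "", name)


def crash_signature(info, depth=3):
    """Build a dedup key: error kind plus the top `depth` frames as func:file:line."""
    parts = [info["error"] or "UNKNOWN"]
    for frame in info["frames"][:depth]:
        parts.append(f"{normalize_func(frame['func'])}:{os.path.basename(frame['loc'])}")
    return "|".join(parts)


def first_project_frame(info, marker):
    """First frame whose location contains `marker` (e.g. the source tree name)."""
    for frame in info["frames"]:
        if marker in frame["loc"]:
            return frame
    return None


if __name__ == "__main__":
    report = triage_asan_report(SAMPLE_REPORT)
    print("signature:", crash_signature(report))
    print("null deref:", report["null_deref"])
    print("first libxml2 frame:", first_project_frame(report, "libxml2/"))
```

The signature deliberately uses only the basename of each location, so the same crash reproduced from a different checkout path (or by a different reporter) collapses into one bucket; raising `depth` makes grouping stricter, which is useful when one NULL check guards several call sites.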