Heap-use-after-free in xmlAddNextSibling
When we used the attached XML file (testcase-xml-202110140003.xml) for testing, the following call stack error occurred.
==757108==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000005748 at pc 0x0000005d270c bp 0x7ffef1da67c0 sp 0x7ffef1da67b8
READ of size 4 at 0x60c000005748 thread T0
SCARINESS: 45 (4-byte-read-heap-use-after-free)
#0 0x5d270b in xmlAddNextSibling /src/libxml2/tree.c:3005:32
#1 0x6ada33 in xmlXIncludeCopyRange /src/libxml2/xinclude.c:1108:7
#2 0x6ac83e in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1248:13
#3 0x6ac6d9 in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1238:8
#4 0x6a673a in xmlXIncludeIncludeNode /src/libxml2/xinclude.c:2228:6
#5 0x6a48db in xmlXIncludeDoProcess /src/libxml2/xinclude.c:2480:6
#6 0x6a422c in xmlXIncludeProcessTreeFlagsData /src/libxml2/xinclude.c:2533:11
#7 0x6a4ab6 in xmlXIncludeProcessFlagsData /src/libxml2/xinclude.c:2562:12
#8 0x6a4b02 in xmlXIncludeProcessFlags /src/libxml2/xinclude.c:2577:12
#9 0x555b2d in LLVMFuzzerTestOneInput /src/libxml2/fuzz/xml.c:57:9
#10 0x45bb53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#11 0x4472c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#12 0x44cf66 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#13 0x476472 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#14 0x7f21eae1bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
#15 0x423179 in _start (/root/oss-fuzz/build/out/libxml2/xml+0x423179)
DEDUP_TOKEN: xmlAddNextSibling--xmlXIncludeCopyRange--xmlXIncludeCopyXPointer
0x60c000005748 is located 8 bytes inside of 120-byte region [0x60c000005740,0x60c0000057b8)
freed by thread T0 here:
#0 0x522612 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x5cfc7a in xmlFreeNode /src/libxml2/tree.c:3811:5
#2 0x5d23c1 in xmlAddNextSibling /src/libxml2/tree.c:3033:6
#3 0x6ada33 in xmlXIncludeCopyRange /src/libxml2/xinclude.c:1108:7
#4 0x6ac83e in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1248:13
#5 0x6ac6d9 in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1238:8
#6 0x6a673a in xmlXIncludeIncludeNode /src/libxml2/xinclude.c:2228:6
#7 0x6a48db in xmlXIncludeDoProcess /src/libxml2/xinclude.c:2480:6
#8 0x6a422c in xmlXIncludeProcessTreeFlagsData /src/libxml2/xinclude.c:2533:11
#9 0x6a4ab6 in xmlXIncludeProcessFlagsData /src/libxml2/xinclude.c:2562:12
#10 0x6a4b02 in xmlXIncludeProcessFlags /src/libxml2/xinclude.c:2577:12
#11 0x555b2d in LLVMFuzzerTestOneInput /src/libxml2/fuzz/xml.c:57:9
#12 0x45bb53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#13 0x4472c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#14 0x44cf66 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#15 0x476472 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0x7f21eae1bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
DEDUP_TOKEN: free--xmlFreeNode--xmlAddNextSibling
previously allocated by thread T0 here:
#0 0x52287d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x5db2cf in xmlStaticCopyNode /src/libxml2/tree.c:4226:24
#2 0x5dbe94 in xmlDocCopyNode /src/libxml2/tree.c:4412:11
#3 0x6ad9e3 in xmlXIncludeCopyRange /src/libxml2/xinclude.c:1103:13
#4 0x6ac83e in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1248:13
#5 0x6ac6d9 in xmlXIncludeCopyXPointer /src/libxml2/xinclude.c:1238:8
#6 0x6a673a in xmlXIncludeIncludeNode /src/libxml2/xinclude.c:2228:6
#7 0x6a48db in xmlXIncludeDoProcess /src/libxml2/xinclude.c:2480:6
#8 0x6a422c in xmlXIncludeProcessTreeFlagsData /src/libxml2/xinclude.c:2533:11
#9 0x6a4ab6 in xmlXIncludeProcessFlagsData /src/libxml2/xinclude.c:2562:12
#10 0x6a4b02 in xmlXIncludeProcessFlags /src/libxml2/xinclude.c:2577:12
#11 0x555b2d in LLVMFuzzerTestOneInput /src/libxml2/fuzz/xml.c:57:9
#12 0x45bb53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#13 0x4472c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#14 0x44cf66 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#15 0x476472 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0x7f21eae1bb26 in __libc_start_main (/lib64/libc.so.6+0x25b26)
DEDUP_TOKEN: malloc--xmlStaticCopyNode--xmlDocCopyNode
SUMMARY: AddressSanitizer: heap-use-after-free /src/libxml2/tree.c:3005:32 in xmlAddNextSibling
==757108==ABORTING