ASAN Read Memory Access Violation in xmlCheckUTF8() while processing large input
Test data size constraints were removed from third_party/libxml/src/fuzz/regexp.c to trigger the bug. A test case of size 2GB+1MB was used. Attached is the compressed large test case.
third_party/libxml/src/xmlstring.c:801:15: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
#0 0x556125292042 in xmlCheckUTF8 third_party/libxml/src/xmlstring.c
#1 0x556124e65cb5 in LLVMFuzzerTestOneInput third_party/libxml/src/fuzz/regexp.c:31:9
#2 0x5561253c8a8e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:653:15
#3 0x5561253c8250 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:535:3
#4 0x5561253c96f3 in fuzzer::Fuzzer::MutateAndTestOne() third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:872:19
#5 0x5561253ca2e5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:1019:5
#6 0x5561253c01d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#7 0x5561253b7222 in main third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7f98d05548d2 in __libc_start_main (/usr/grte/v5/lib64/libc.so.6+0x628d2)
#9 0x556124d9e649 in _start /usr/grte/v5/debug-src/src/csu/../sysdeps/x86_64/start.S:120
SUMMARY: UndefinedBehaviorSanitizer: signed-integer-overflow third_party/libxml/src/xmlstring.c:801:15 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2559801==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9748b15800 (pc 0x556125291e88 bp 0x7fffb8486f70 sp 0x7fffb8486f40 T0)
==2559801==The signal is caused by a READ memory access.
#0 0x556125291e88 in xmlCheckUTF8 third_party/libxml/src/xmlstring.c:799:23
#1 0x556124e65cb5 in LLVMFuzzerTestOneInput third_party/libxml/src/fuzz/regexp.c:31:9
#2 0x5561253c8a8e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:653:15
#3 0x5561253c8250 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:535:3
#4 0x5561253c96f3 in fuzzer::Fuzzer::MutateAndTestOne() third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:872:19
#5 0x5561253ca2e5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:1019:5
#6 0x5561253c01d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#7 0x5561253b7222 in main third_party/llvm/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7f98d05548d2 in __libc_start_main (/usr/grte/v5/lib64/libc.so.6+0x628d2)
#9 0x556124d9e649 in _start /usr/grte/v5/debug-src/src/csu/../sysdeps/x86_64/start.S:120
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/libxml/src/xmlstring.c:799:23 in xmlCheckUTF8
==2559801==ABORTING
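The UBSan line above (2147483647 + 1 at xmlstring.c:801 inside xmlCheckUTF8) shows an int index being advanced past INT_MAX once the input exceeds 2 GB, which is consistent with the read fault that ASan reports next. The block below is an added example, not libxml2's code: a simplified structural check of a NUL-terminated UTF-8 buffer written with a size_t index, plus a helper that evaluates the overflow predicate the sanitizer flagged without performing the undefined addition (both function names are the example's own).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified structural UTF-8 check over a NUL-terminated buffer: each lead
 * byte must be followed by the right number of 10xxxxxx continuation bytes.
 * Added example, not libxml2's xmlCheckUTF8. The index is size_t, so a
 * buffer longer than INT_MAX bytes is walked without signed wraparound. */
int check_utf8_sized(const unsigned char *utf)
{
    size_t ix = 0;

    if (utf == NULL)
        return 0;
    while (utf[ix] != 0) {
        unsigned char c = utf[ix];
        size_t len;

        if ((c & 0x80) == 0x00)       len = 1;   /* 0xxxxxxx */
        else if ((c & 0xe0) == 0xc0)  len = 2;   /* 110xxxxx */
        else if ((c & 0xf0) == 0xe0)  len = 3;   /* 1110xxxx */
        else if ((c & 0xf8) == 0xf0)  len = 4;   /* 11110xxx */
        else
            return 0;                 /* stray continuation byte or 0xF8..0xFF */
        /* A NUL inside a sequence fails this test, so the loop never reads
         * past the terminator on a truncated sequence. */
        for (size_t k = 1; k < len; k++)
            if ((utf[ix + k] & 0xc0) != 0x80)
                return 0;
        ix += len;
    }
    return 1;
}

/* The condition UBSan reported: advancing an int index by one sequence
 * length when it already sits at INT_MAX. Evaluated without doing the
 * overflowing addition itself. */
bool int_index_step_overflows(int ix, int len)
{
    return len > 0 && ix > INT_MAX - len;
}
```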