Segmentation fault with libxml2 (xmllint) on the attached file
xmllint throws a segmentation fault on the attached file with the latest master revision of libxml2 if libxml2 is compiled with ICU (`--with-icu`). I'm not sure whether this is an issue with libxml2 or the ICU library.
Additional info:
- The crash does not happen when libxml2 is compiled without ICU.
- The attached test file was found by fuzzing the igraph graph library in OSS-Fuzz; igraph happens to use libxml2 for parsing GraphML files.
- The attached test file seems to be almost minimal; removing even a single byte from the end resolves the problem. The `version="1.0"` part can be removed without affecting the outcome (i.e. the file still crashes).
Stack trace from OSS-fuzz:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==24503==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x0001034ed9c9 bp 0x7ffeedca2ba0 sp 0x7ffeedca2b70 T0)
==24503==The signal is caused by a READ memory access.
==24503==Hint: address points to the zero page.
#0 0x1034ed9c9 in ucnv_MBCSSimpleGetNextUChar_67+0x2c (libicuuc.67.dylib:x86_64+0x209c9)
#1 0x1034f4ac1 in UConverter_toUnicode_ISO_2022_CN_OFFSETS_LOGIC(UConverterToUnicodeArgs*, UErrorCode*)+0x2f4 (libicuuc.67.dylib:x86_64+0x27ac1)
#2 0x1034db21c in _toUnicodeWithCallback(UConverterToUnicodeArgs*, UErrorCode*)+0x1ae (libicuuc.67.dylib:x86_64+0xe21c)
#3 0x1034dbec7 in ucnv_convertEx_67+0x405 (libicuuc.67.dylib:x86_64+0xeec7)
#4 0x1023ae014 in xmlUconvWrapper+0xc2 (libxml2.2.dylib:x86_64+0x8014)
#5 0x1023acd99 in xmlEncInputChunk+0x73 (libxml2.2.dylib:x86_64+0x6d99)
#6 0x1023acebe in xmlCharEncFirstLineInput+0x105 (libxml2.2.dylib:x86_64+0x6ebe)
#7 0x1023b0fa0 in xmlSwitchInputEncodingInt+0x1af (libxml2.2.dylib:x86_64+0xafa0)
#8 0x1023b0db8 in xmlSwitchToEncodingInt+0x28 (libxml2.2.dylib:x86_64+0xadb8)
#9 0x1023bc1c9 in xmlParseEncodingDecl+0x1ea (libxml2.2.dylib:x86_64+0x161c9)
#10 0x1023bfc83 in xmlParseXMLDecl+0x14f (libxml2.2.dylib:x86_64+0x19c83)
#11 0x1023c17b8 in xmlParseTryOrFinish+0xaa8 (libxml2.2.dylib:x86_64+0x1b7b8)
#12 0x1023c09ec in xmlParseChunk+0x294 (libxml2.2.dylib:x86_64+0x1a9ec)
#13 0x1020ae9f0 in igraph_read_graph_graphml graphml.c:1449
#14 0x101f5e170 in main xx2.cpp:50
#15 0x7fff77dfb3d4 in start+0x0 (libdyld.dylib:x86_64+0x163d4)