Recursion crash in xmlTextReaderCollectSiblings() calling xmlTextReaderReadString()
I'm pretty sure this is just a case of using an XMLReader function (which uses a recursive algorithm) on input that causes massive entity expansion, resulting in a stack-overflow crash. If so, this bug can be marked as not confidential (unless there is another reason to keep it private for now).
Steps to Reproduce
- Checkout commit 4f132bcd from libxml2.git.
- Configure the build. This is the line from config.log:
  $ ./configure --prefix=/usr --without-iconv --with-icu --without-lzma --without-python --with-xptr-locs --with-zlib 'CC=xcrun -sdk macosx cc -fsanitize=address,fuzzer -fsanitize-coverage=inline-8bit-counters,trace-cmp -fno-sanitize-coverage=pc-table -g -fno-omit-frame-pointer -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION' --no-create --no-recursion
- Copy xmlTextReaderCollectSiblings-recursion-reduced.c to replace fuzz/schema.c.
- make && make -C fuzz schema
- ./fuzz/schema xmlTextReaderCollectSiblings-recursion-repro.bin
Attachments
xmlTextReaderCollectSiblings-recursion-reduced.c xmlTextReaderCollectSiblings-recursion-repro.bin
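As an added illustration of the bug class described above (not code from libxml2 or from this report): the recursive "collect text from a node and its siblings, descending into children" pattern next to an equivalent walk that keeps its resume points on a heap-allocated stack, so nesting depth no longer translates into C stack frames. The node type is a hypothetical minimal stand-in, not libxml2's xmlNode, and the deep chain is constructed input.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a DOM node (hypothetical; not libxml2's xmlNode). */
typedef struct node {
    int is_text;                   /* 1 = text node, 0 = element node */
    const char *content;           /* text of a text node */
    struct node *children, *next;  /* first child; next sibling */
} node;
/* Recursive form: one C stack frame per nesting level, so the depth of the
 * input (which expanded entities can inflate) decides how much stack is used. */
void collect_recursive(const node *n, char *out, size_t cap) {
    for (; n != NULL; n = n->next)
        if (n->is_text) strncat(out, n->content, cap - strlen(out) - 1);
        else collect_recursive(n->children, out, cap);
}
/* Iterative form: a heap-allocated stack of "sibling to resume at" pointers
 * replaces the call stack, so nesting depth costs heap memory, not C stack. */
char *collect_iterative(const node *root, size_t cap) {
    char *out = calloc(cap, 1);
    size_t sp = 0, scap = 64;
    const node **stack = malloc(scap * sizeof *stack), *n = root;
    if (out == NULL || stack == NULL) { free(out); free(stack); return NULL; }
    while (n != NULL || sp > 0) {
        if (n == NULL) { n = stack[--sp]; continue; }        /* resume siblings */
        if (n->is_text) { strncat(out, n->content, cap - strlen(out) - 1); n = n->next; continue; }
        if (sp == scap) {                                     /* grow the stack */
            const node **t = realloc(stack, 2 * scap * sizeof *stack);
            if (t == NULL) { free(out); free(stack); return NULL; }
            stack = t; scap *= 2;
        }
        stack[sp++] = n->next;                /* after the children, continue here */
        n = n->children;
    }
    free(stack);
    return out;
}

/* Constructed input: `depth` nested elements wrapped around one text leaf. */
node *make_deep_tree(size_t depth, const char *leaf) {
    node *cur = calloc(1, sizeof *cur);
    if (cur != NULL) { cur->is_text = 1; cur->content = leaf; }
    for (; cur != NULL && depth > 0; depth--) {
        node *parent = calloc(1, sizeof *parent);
        if (parent == NULL) break;         /* partial chain still frees cleanly */
        parent->children = cur; cur = parent;
    }
    return cur;
}
/* Frees chains built by make_deep_tree (each node has at most one child). */
void free_deep_tree(node *n) { while (n != NULL) { node *c = n->children; free(n); n = c; } }
```

Both walks produce the same text on shallow input; only the iterative one survives a chain hundreds of thousands of levels deep.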