heap-use-after-free at /libxml2/error.c:448 in xmlFormatError
Hello,
I am using the current 5bb84b47.
Environment
uname -a
Linux cas-PC 5.4.0-144-generic #161~18.04.1-Ubuntu SMP Fri Feb 10 15:55:22 UTC 2023 x86_64 GNU/Linux
Build command
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -fPIC -g -O1" CXXFLAGS="-fsanitize=address -fPIC -g -O1" ./configure --enable-static --disable-shared
make
Then run
./xmllint --valid --dtdattr --stream poc
AddressSanitizer output is the following:
=================================================================
==28126==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000001fc8 at pc 0x0000006b9912 bp 0x7fffffffd570 sp 0x7fffffffd568
READ of size 4 at 0x60c000001fc8 thread T0
#0 0x6b9911 in xmlFormatError /home/chenxu/testcrash/libxml2/error.c:448:34
#1 0x6ba888 in xmlParserWarning /home/chenxu/testcrash/libxml2/error.c:818:5
#2 0x4cbfba in xmllintExternalEntityLoader /home/chenxu/testcrash/libxml2/xmllint.c
#3 0x52081b in xmlLoadExternalEntity /home/chenxu/testcrash/libxml2/parserInternals.c:2216:11
#4 0x520d4e in xmlNewEntityInputStream /home/chenxu/testcrash/libxml2/parserInternals.c:1844:17
#5 0x4febc8 in xmlCtxtParseEntity /home/chenxu/testcrash/libxml2/parser.c:12099:13
#6 0x4fdaf4 in xmlParseReference /home/chenxu/testcrash/libxml2/parser.c
#7 0x509aeb in xmlParseTryOrFinish /home/chenxu/testcrash/libxml2/parser.c:11283:7
#8 0x508128 in xmlParseChunk /home/chenxu/testcrash/libxml2/parser.c:11580:5
#9 0x5bfaec in xmlTextReaderPushData /home/chenxu/testcrash/libxml2/xmlreader.c:771:12
#10 0x5c2295 in xmlTextReaderDoExpand /home/chenxu/testcrash/libxml2/xmlreader.c:1154:8
#11 0x5c0d1d in xmlTextReaderExpand /home/chenxu/testcrash/libxml2/xmlreader.c:1600:9
#12 0x5be3de in xmlTextReaderRead /home/chenxu/testcrash/libxml2/xmlreader.c:1448:17
#13 0x4cc62f in streamFile /home/chenxu/testcrash/libxml2/xmllint.c:1874:12
#14 0x4c9bdb in main /home/chenxu/testcrash/libxml2/xmllint.c:3786:7
#15 0x7ffff7c58082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#16 0x41c47d in _start (/home/chenxu/testcrash/xmllint+0x41c47d)
0x60c000001fc8 is located 8 bytes inside of 120-byte region [0x60c000001fc0,0x60c000002038)
freed by thread T0 here:
#0 0x496eb2 in free /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x5c0ad7 in xmlTextReaderFreeNode /home/chenxu/testcrash/libxml2/xmlreader.c:433:2
previously allocated by thread T0 here:
#0 0x49711d in malloc /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x52d8b1 in xmlSAX2TextNode /home/chenxu/testcrash/libxml2/SAX2.c:1687:21
SUMMARY: AddressSanitizer: heap-use-after-free /home/chenxu/testcrash/libxml2/error.c:448:34 in xmlFormatError
==28126==ABORTING
Link to POC: poc
Edited by Nick Wellnhofer
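Added example, not part of this report or of libxml2: a small Python triage helper that parses the AddressSanitizer output above into its access, free and allocation stacks and reduces the use-after-free to the three libxml2 sites that bound the object's lifetime (allocated in xmlSAX2TextNode, freed in xmlTextReaderFreeNode, read in xmlFormatError). The embedded sample is an abridged copy of the report above; the `/libxml2/` project-path filter is an assumption.

```python
import re

# ASan frame lines read "#N 0xADDR in func /path/file.c:LINE:COL".
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address")

# Sample input: an abridged copy of the AddressSanitizer output quoted in this report.
SAMPLE_REPORT = """\
==28126==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000001fc8 at pc 0x0000006b9912
    #0 0x6b9911 in xmlFormatError /home/chenxu/testcrash/libxml2/error.c:448:34
    #1 0x6ba888 in xmlParserWarning /home/chenxu/testcrash/libxml2/error.c:818:5
freed by thread T0 here:
    #0 0x496eb2 in free /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x5c0ad7 in xmlTextReaderFreeNode /home/chenxu/testcrash/libxml2/xmlreader.c:433:2
previously allocated by thread T0 here:
    #0 0x49711d in malloc /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x52d8b1 in xmlSAX2TextNode /home/chenxu/testcrash/libxml2/SAX2.c:1687:21
SUMMARY: AddressSanitizer: heap-use-after-free /home/chenxu/testcrash/libxml2/error.c:448:34 in xmlFormatError
"""

def parse_asan_report(text):
    """Return the bug class and the access, free and allocation stacks as (func, location) lists."""
    report = {"bug": None, "access": [], "free": [], "alloc": []}
    section = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            report["bug"], section = m.group(1), "access"
        elif "freed by thread" in line:
            section = "free"
        elif "previously allocated by thread" in line:
            section = "alloc"
        elif line.startswith("SUMMARY:"):
            section = None
        elif section and (m := FRAME_RE.match(line)):
            report[section].append((m.group(1), m.group(2)))
    return report

def first_project_frame(frames, project_dir="/libxml2/"):
    """First frame inside the project tree (skips the sanitizer's own malloc/free wrappers)."""
    for func, loc in frames:
        if project_dir in loc:
            return func, loc.split(project_dir, 1)[1]
    return None

def triage(text):
    """Reduce a use-after-free to the three sites that define the object's lifetime."""
    r = parse_asan_report(text)
    return {"bug": r["bug"], "use": first_project_frame(r["access"]),
            "free": first_project_frame(r["free"]), "alloc": first_project_frame(r["alloc"])}
```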