stack overflow in libxml2-2.9.9 due to too much recursion
Hi there,
AddressSanitizer reported a stack-overflow issue in xmllint.
I built libxml2 with ASAN using the latest version on 64-bit Ubuntu 16.04. The version information is as follows:
./xmllint --version
./xmllint: using libxml version 20909-GITv2.9.9-66-gb17e3d1
compiled with: Threads Tree Output Push Reader Patterns Writer SAXv1 FTP HTTP DTDValid HTML Legacy C14N Catalog XPath XPointer XInclude Iconv ISO8859X Unicode Regexps Automata Expr Schemas Schematron Modules Debug Zlib
The command to reproduce the problem is ./xmllint --huge poc1
poc1
The ASAN output on the crash is as follows:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10554==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd39874f7c (pc 0x7fbabd71518e bp 0x7ffd39875420 sp 0x7ffd39874eb0 T0)
#0 0x7fbabd71518d in vfprintf /build/glibc-LK5gWL/glibc-2.23/stdio-common/vfprintf.c:1267
#1 0x7fbabd717ef0 in buffered_vfprintf /build/glibc-LK5gWL/glibc-2.23/stdio-common/vfprintf.c:2320
#2 0x7fbabd71532c in vfprintf /build/glibc-LK5gWL/glibc-2.23/stdio-common/vfprintf.c:1293
#3 0x43e702 in vfprintf ./llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
#4 0x7fbabe90a3c9 in xmlGenericErrorDefaultFunc ./libxml2/src/error.c:78:5
#5 0x7fbabe92105a in xmlReportError ./libxml2/src/error.c:306:5
#6 0x7fbabe9118c4 in __xmlRaiseError ./libxml2/src/error.c:636:2
#7 0x7fbabeaea98e in xmlNsErr ./libxml2/src/parser.c:796:5
#8 0x7fbabeaea98e in xmlParseStartTag2 ./libxml2/src/parser.c:9562
#9 0x7fbabeac52ac in xmlParseElement__internal_alias ./libxml2/src/parser.c:9924:16
#10 0x7fbabeabe4c7 in xmlParseContent__internal_alias ./libxml2/src/parser.c:9842:6
#11 0x7fbabeac6fd3 in xmlParseElement__internal_alias ./libxml2/src/parser.c:10010:5
#12 0x7fbabeabe4c7 in xmlParseContent__internal_alias ./libxml2/src/parser.c:9842:6
#13 0x7fbabeac6fd3 in xmlParseElement__internal_alias ./libxml2/src/parser.c:10010:5
#14 0x7fbabeabe4c7 in xmlParseContent__internal_alias ./libxml2/src/parser.c:9842:6
#15 0x7fbabea98ef6 in xmlParseBalancedChunkMemoryInternal ./libxml2/src/parser.c:13436:5
SUMMARY: AddressSanitizer: stack-overflow /build/glibc-LK5gWL/glibc-2.23/stdio-common/vfprintf.c:1267 in vfprintf
==10554==ABORTING
It looks like infinite recursion caused the stack overflow. The call stack is over 20000 frames deep; the stack backtrace from gdb is as follows:
> bt
#0 0x00007ffff6cf818e in _IO_vfprintf_internal (s=0x7fffff7ff450, format=0xe3e2c0 <.str.15> "namespace ", ap=0x7fffff801b60)
at vfprintf.c:1267
#1 0x00007ffff6cfaef1 in buffered_vfprintf (s=0x7ffff7070540 <_IO_2_1_stderr_>, format=<optimized out>, args=<optimized out>)
at vfprintf.c:2320
#2 0x00007ffff6cf832d in _IO_vfprintf_internal (s=0x7ffff7070540 <_IO_2_1_stderr_>, format=0xe3e2c0 <.str.15> "namespace ",
ap=0x7fffff801b60) at vfprintf.c:1293
#3 0x000000000043c1d3 in vfprintf ()
at /vul/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635
#4 0x0000000000514ca2 in xmlGenericErrorDefaultFunc (ctx=<optimized out>, msg=<optimized out>) at error.c:78
#5 0x0000000000521372 in xmlReportError (err=0x61700005c0d8, ctxt=<optimized out>, str=<optimized out>, channel=<optimized out>,
data=<optimized out>) at error.c:306
#6 0x0000000000518ad0 in __xmlRaiseError (schannel=0x0, channel=<optimized out>, data=0x61700005be80, ctx=<optimized out>,
nod=<optimized out>, domain=<optimized out>, code=<optimized out>, level=<optimized out>, file=<optimized out>, line=22,
str1=<optimized out>, str2=<optimized out>, str3=<optimized out>, int1=<optimized out>, col=<optimized out>, msg=<optimized out>)
at error.c:636
#7 0x000000000060dbb4 in xmlNsErr (ctxt=0x61700005be80, error=XML_NS_ERR_UNDEFINED_NAMESPACE, msg=<optimized out>,
info1=<optimized out>, info2=<optimized out>, info3=0x0) at parser.c:796
#8 xmlParseStartTag2 (ctxt=<optimized out>, pref=<optimized out>, URI=<optimized out>, tlen=<optimized out>) at parser.c:9562
#9 0x00000000005fadb3 in xmlParseElement (ctxt=<optimized out>) at parser.c:9924
#10 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#11 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#12 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#13 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#14 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#15 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
......
#23018 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23019 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23020 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23021 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23022 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23023 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23024 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23025 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23026 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23027 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23028 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23029 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23030 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23031 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23032 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23033 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23034 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23035 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23036 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23037 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23038 0x00000000005f728b in xmlParseContent (ctxt=<optimized out>) at parser.c:9842
#23039 0x00000000005e4615 in xmlParseBalancedChunkMemoryInternal (oldctxt=<optimized out>, string=<optimized out>,
user_data=<optimized out>, lst=<optimized out>) at parser.c:13436
#23040 0x00000000005dbb3e in xmlParseReference (ctxt=<optimized out>) at parser.c:7120
#23041 0x00000000005f6cc4 in xmlParseContent (ctxt=<optimized out>) at parser.c:9851
#23042 0x00000000005fbb3b in xmlParseElement (ctxt=<optimized out>) at parser.c:10010
#23043 0x0000000000623533 in xmlParseDocument (ctxt=0x617000000080) at parser.c:10707
#23044 0x000000000067510c in xmlDoRead (ctxt=0x617000000080, URL=0x0, encoding=0x0, options=4784128, reuse=0) at parser.c:15192
#23045 xmlReadFile (filename=<optimized out>, encoding=0x0, options=4784128) at parser.c:15254
#23046 0x00000000004dc1dd in parseAndPrintFile (filename=<optimized out>, rectxt=<optimized out>) at xmllint.c:2388
#23047 0x00000000004ce463 in main (argc=3, argv=<optimized out>) at xmllint.c:3728
Please help to confirm this problem.