Uninitialized heap memory use causes arbitrary memory read
This bug was found with a combination of the AFL fuzzer and a custom memory allocator (loaded via LD_PRELOAD) that fills every fresh allocation with a poison byte, so any read of memory that was never initialized shows up as that byte in the program's output.
The git commit to reproduce this bug: b17e3d1c.
How to invoke the bug:
LD_PRELOAD=poison-memory-allocator.so ./xmllint test-input
Output: if the allocator's poison byte is Z, the output is:
<?xml version="1.0"?>
<item title="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ                                         " url="http://www.icrontic.com/" first_time="985034339" last_time="985034339" visits="1"/>
Some analysis of this bug: the struct doc is first initialized at line 2388 of xmllint.c, and the poisoned content reached through doc->children->properties->children is never initialized before it is used.
The location of the use of this buffer (gdb backtrace):
#0 xmlAttrSerializeContent (buf=0x7ffff7bcfac0, attr=0x7ffff7bcd080) at xmlsave.c:439
#1 0x00007ffff7f5752d in xmlAttrDumpOutput (ctxt=<optimized out>, cur=0x7ffff7bcd080) at xmlsave.c:775
#2 0x00007ffff7f4ea0e in xmlAttrListDumpOutput (cur=0x7ffff7bcd080, ctxt=<optimized out>) at xmlsave.c:792
#3 xmlNodeDumpOutputInternal (ctxt=0x7ffff7bb8100, cur=0x7ffff7bcda00) at xmlsave.c:1050
#4 0x00007ffff7f4df1b in xmlDocContentDumpOutput (ctxt=0x7ffff7bb8100, cur=<optimized out>) at xmlsave.c:1226
#5 0x00007ffff7f4d491 in xmlSaveDoc__internal_alias (ctxt=0x7ffff7bb8100, doc=0x7ffff7bb8900) at xmlsave.c:1928
#6 0x000000000040fd68 in parseAndPrintFile (filename=0x7fffffffe24e "/home/username/input.19719", rectxt=<optimized out>) at xmllint.c:2692
#7 0x00000000004090c0 in main (argc=0x2, argv=0x7fffffffdec8) at xmllint.c:3728
At line 442 of xmlsave.c, children->content (where children is doc->children->properties->children) is still uninitialized when it is appended to buf->buffer, which is later written to stdout.
This bug leaks uninitialized heap memory into the serialized output: what is read is whatever the allocator previously placed at that address, so the bytes that end up on stdout depend on the heap state at that point.
The PoC input triggering this bug is attached: input.19719
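The following is an added example, not the tool used to find this bug nor libxml2 code: a minimal poisoning allocator in the spirit of poison-memory-allocator.so, together with a small model of the attribute-serialization pattern above (names such as poison_malloc, text_node, serialize_attr and the POISON_PRELOAD build flag are assumptions for this illustration). Fresh allocations are filled with 'Z', so a buffer that reaches the output without ever being written shows up as a run of Z bytes, exactly as in the xmllint output above. Built with -DPOISON_PRELOAD it exports malloc/realloc/free wrappers on top of glibc's __libc_* entry points for use with LD_PRELOAD; without it, only the named wrappers are built so the behaviour can be tested in-process.

```c
/* poison_alloc.c -- example poisoning allocator (added example; not the
 * report's tool, not libxml2). Stand-alone:
 *   gcc -Wall -o poison_demo poison_alloc.c && ./poison_demo
 * LD_PRELOAD library (glibc only, uses __libc_* entry points):
 *   gcc -shared -fPIC -DPOISON_PRELOAD -o poison-memory-allocator.so poison_alloc.c
 *   LD_PRELOAD=./poison-memory-allocator.so ./xmllint input.xml
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 'Z' (0x5A): visible in text output, and 0x5A5A... is a non-canonical
 * x86-64 address, so an uninitialized pointer dereference faults loudly. */
#define POISON 'Z'

/* Fill a freshly allocated region with the poison byte. */
static void poison_fill(void *p, size_t n) { if (p && n) memset(p, POISON, n); }

/* Named wrappers, always built, so the technique can be exercised in-process. */
void *poison_malloc(size_t n) { void *p = malloc(n); poison_fill(p, n); return p; }

/* Only the grown tail is new memory, so only that part gets poisoned. */
void *poison_realloc(void *old, size_t old_n, size_t new_n) {
    void *p = realloc(old, new_n);
    if (p && new_n > old_n) poison_fill((char *)p + old_n, new_n - old_n);
    return p;
}

/* Heuristic detector: does the buffer still carry the poison pattern? */
int looks_uninitialized(const void *buf, size_t n) {
    const unsigned char *b = buf;
    for (size_t i = 0; i < n; i++)
        if (b[i] != (unsigned char)POISON) return 0;
    return n > 0;
}

/* Model of the libxml2 case: an attribute's text child whose content
 * buffer is allocated but (when init == 0) never written. */
typedef struct { char *content; size_t len; } text_node;

text_node *make_text_node(size_t len, int init) {
    text_node *t = poison_malloc(sizeof *t);
    t->len = len;
    t->content = poison_malloc(len + 1);
    if (init) memset(t->content, 'a', len);   /* the fix: write before use */
    t->content[len] = '\0';                   /* terminator is always set */
    return t;
}

/* Like xmlAttrSerializeContent appending content to buf->buffer: copies
 * the content into out and returns 1 if poisoned bytes leaked through. */
int serialize_attr(const text_node *t, char *out, size_t outsz) {
    size_t n = t->len < outsz - 1 ? t->len : outsz - 1;
    memcpy(out, t->content, n);
    out[n] = '\0';
    return looks_uninitialized(out, n);
}

void free_text_node(text_node *t) { if (t) { free(t->content); free(t); } }

#ifdef POISON_PRELOAD
#include <malloc.h>   /* malloc_usable_size */
extern void *__libc_malloc(size_t);
extern void *__libc_calloc(size_t, size_t);
extern void *__libc_realloc(void *, size_t);
extern void  __libc_free(void *);

void *malloc(size_t n) { void *p = __libc_malloc(n); poison_fill(p, n); return p; }
void *calloc(size_t a, size_t b) { return __libc_calloc(a, b); } /* must stay zeroed */
void *realloc(void *old, size_t n) {
    size_t old_usable = old ? malloc_usable_size(old) : 0;
    void *p = __libc_realloc(old, n);
    if (p && n > old_usable) poison_fill((char *)p + old_usable, n - old_usable);
    return p;
}
void free(void *p) { __libc_free(p); }
#endif

int main(void) {
    char out[64];
    text_node *bad = make_text_node(16, 0);   /* bug pattern */
    text_node *good = make_text_node(16, 1);  /* initialized before use */
    int leaked = serialize_attr(bad, out, sizeof out);
    printf("uninitialized node -> \"%s\" leaked=%d\n", out, leaked);
    leaked = serialize_attr(good, out, sizeof out);
    printf("initialized node   -> \"%s\" leaked=%d\n", out, leaked);
    free_text_node(bad);
    free_text_node(good);
    return 0;
}
```

With LD_PRELOAD, calloc is deliberately left zero-filling (its contract requires it), which is why only malloc/realloc-backed buffers, like the content buffer here, surface as runs of Z; a poison byte that is also an invalid pointer value (as 0x5A is on x86-64) turns uninitialized pointer use into a crash AFL can catch rather than a silent misread.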