SEGV found in InsertFirstChild #1005

Open
Anza2001 opened this issue Nov 21, 2024 · 0 comments

Hi,
UBSAN reported SEGV in InsertFirstChild.

==12==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5577ea17c682 bp 0x7ffd8d604130 sp 0x7ffd8d604120 T12)
==12==The signal is caused by a READ memory access.
==12==Hint: address points to the zero page.
    #0 0x5577ea17c682 in tinyxml2::XMLNode::InsertFirstChild(tinyxml2::XMLNode*) /src/tinyxml2/tinyxml2.cpp:966:29
    #1 0x5577ea17a2e8 in LLVMFuzzerTestOneInput /src/xmltest_tinyxml2_968.cpp:19:11
    #2 0x5577ea0dc830 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #3 0x5577ea0dc055 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #4 0x5577ea0dd835 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #5 0x5577ea0de5c5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #6 0x5577ea0cd40b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #7 0x5577ea0f87e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fac49c0f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #9 0x5577ea0bfc8d in _start (/out/xmltest_tinyxml2_968+0x20c8d)
==12==ABORTING
MS: 4 CMP-CopyPart-ShuffleBytes-ChangeByte- DE: "<!"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x3c,0x21,0x3e,
<!>
artifact_prefix='./'; Test unit written to ./crash-5af51d708183128d272179d551c344b7a643044c
Base64: PCE+

This occurs when I try to run the following fuzzer in oss-fuzz locally:

#include <cstddef>
#include <cstdint>

#include "tinyxml2/tinyxml2.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // Create a new XMLDocument
    tinyxml2::XMLDocument doc;

    // Parse the input data; bail out on any parse error
    if (doc.Parse((const char*)data, size) != tinyxml2::XML_SUCCESS) {
        return 0;
    }

    // Get the root element of the document.
    // RootElement() returns nullptr when the document parsed successfully
    // but contains no element at all (the reported unit "<!>" becomes a
    // single XMLUnknown node, so this is the case for that input).
    tinyxml2::XMLElement* root = doc.RootElement();

    // Create a new XMLNode owned by the document
    tinyxml2::XMLNode* newNode = doc.NewElement("newNode");

    // Insert the new node as the first child of the root element.
    // With root == nullptr this call runs InsertFirstChild on a null
    // `this`, which is the read of address 0x8 in the sanitizer report.
    root->InsertFirstChild(newNode);

    return 0;
}
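As an added example (not code from the issue reporter or from tinyxml2), the following self-contained C++ program models why the reported unit `<!>` leaves the harness with a null root pointer, and shows the check a harness needs before calling a method through `RootElement()`. It is a simplified stand-in for tinyxml2's parser written for this example: `ClassifyDocument` only walks top-level markup, using the header-prefix order tinyxml2's `Identify()` checks (`<?`, `<!--`, `<![CDATA[`, `<!`, `<`), and reports whether a document element exists; `SafeToInsertFirstChild` is the guard the crashing harness lacked. The names `ParseOutcome`, `ClassifyDocument` and `SafeToInsertFirstChild` are this example's own, not library API.

```cpp
// Added example: a minimal model of tinyxml2-style node classification plus
// the null-root check a fuzz harness needs. Not tinyxml2's code.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>

enum class ParseOutcome { Error, NoRootElement, HasRootElement };

namespace {
const size_t kNotFound = static_cast<size_t>(-1);

bool StartsWith(const char* p, size_t n, const char* prefix) {
    const size_t len = std::strlen(prefix);
    return n >= len && std::memcmp(p, prefix, len) == 0;
}

// Offset just past the first occurrence of `end` in [p, p+n), or kNotFound.
size_t SkipPast(const char* p, size_t n, const char* end) {
    const size_t len = std::strlen(end);
    for (size_t i = 0; i + len <= n; ++i) {
        if (std::memcmp(p + i, end, len) == 0) return i + len;
    }
    return kNotFound;
}
}  // namespace

// Walk the top-level markup of `data` and report whether an element exists.
// Prefixes are tested in the order tinyxml2's Identify() uses; everything
// else is character data. Simplified model, assumption for this example.
ParseOutcome ClassifyDocument(const char* data, size_t size) {
    size_t i = 0;
    while (i < size && std::isspace(static_cast<unsigned char>(data[i]))) ++i;
    if (i == size) return ParseOutcome::Error;  // empty document: Parse() fails

    while (i < size) {
        const char* p = data + i;
        const size_t n = size - i;
        size_t adv;
        if (StartsWith(p, n, "<?")) {
            adv = SkipPast(p, n, "?>");            // declaration
        } else if (StartsWith(p, n, "<!--")) {
            adv = SkipPast(p, n, "-->");           // comment
        } else if (StartsWith(p, n, "<![CDATA[")) {
            adv = SkipPast(p, n, "]]>");           // CDATA
        } else if (StartsWith(p, n, "<!")) {
            adv = SkipPast(p, n, ">");             // Unknown node: "<!>" lands here
        } else if (StartsWith(p, n, "<")) {
            return ParseOutcome::HasRootElement;   // first element found
        } else {
            adv = 0;                               // text: skip to the next '<'
            while (adv < n && p[adv] != '<') ++adv;
        }
        if (adv == kNotFound) return ParseOutcome::Error;  // unterminated markup
        i += adv;
    }
    // Parsed without error, but no element ever appeared: RootElement() is null.
    return ParseOutcome::NoRootElement;
}

// The guard the reported harness is missing: only proceed to the insert
// when the document actually has a root element.
bool SafeToInsertFirstChild(const char* data, size_t size) {
    return ClassifyDocument(data, size) == ParseOutcome::HasRootElement;
}

int main() {
    // Constructed inputs: the fuzzer's reported unit (0x3c,0x21,0x3e) and a
    // well-formed document for comparison.
    const char crash_unit[] = "<!>";
    const char ok_unit[] = "<!-- c --><a/>";
    std::printf("\"%s\": safe to insert = %d\n", crash_unit,
                SafeToInsertFirstChild(crash_unit, sizeof(crash_unit) - 1));
    std::printf("\"%s\": safe to insert = %d\n", ok_unit,
                SafeToInsertFirstChild(ok_unit, sizeof(ok_unit) - 1));
    return 0;
}
```

In a real harness the same guard is `if (!root) return 0;` right after `doc.RootElement()`; a null root is a valid outcome of a successful parse, not a parse error, so checking `Parse()`'s return code alone does not cover it.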