[redland-dev] [Raptor RDF Syntax Library 0000618]: heap buffer overflow in raptor_xml_writer_start_element_common
Mantis Bug Tracker
mantis-bug-sender at librdf.org
Sat Apr 15 18:02:07 EDT 2017
The following issue has been SUBMITTED.
======================================================================
http://bugs.librdf.org/mantis/view.php?id=618
======================================================================
Reported By: hanno
Assigned To:
======================================================================
Project: Raptor RDF Syntax Library
Issue ID: 618
Category: api
Reproducibility: always
Severity: crash
Priority: normal
Status: new
Syntax Name:
======================================================================
Date Submitted: 2017-04-15 15:02
Last Modified: 2017-04-15 15:02
======================================================================
Summary: heap buffer overflow in raptor_xml_writer_start_element_common
Description:
The attached file will cause a heap buffer overflow and crash raptor. This was
found via fuzzing with the tool american fuzzy lop.
This is a security bug, so I'm marking it private.
Here's a stack trace (from address sanitizer):
==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9
======================================================================
Issue History
Date Modified     Username  Field        Change
======================================================================
2017-04-15 15:02  hanno     New Issue
2017-04-15 15:02  hanno     File Added:  raptor-heapoverflow-raptor_xml_writer_start_element_common.rdf
======================================================================