View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000618Raptor RDF Syntax Libraryapipublic2017-04-15 15:022022-12-26 22:25
Reporterhanno Assigned ToDave Beckett  
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
PlatformLinuxOSLinux 
Product Version2.0.15 
Fixed in Version2.0.16 
Summary0000618: heap buffer overflow in raptor_xml_writer_start_element_common
DescriptionThe attached file will cause a heap buffer overflow and crash raptor. This was found via fuzzing with the tool american fuzzy lop.

This is a security bug, so I'm marking it private.

Here's a stack trace (from address sanitizer):
==3322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000001f88 at pc 0x0000005ccdbc bp 0x7ffe62bb8540 sp 0x7ffe62bb8538
WRITE of size 8 at 0x604000001f88 thread T0
    #0 0x5ccdbb in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:241:65
    #1 0x5cd317 in raptor_xml_writer_start_element /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:571:3
    #2 0x55c534 in raptor_rdfxml_start_element_grammar /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:2044:9
    #3 0x55c534 in raptor_rdfxml_start_element_handler /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:830
    #4 0x54d8e6 in raptor_sax2_start_element /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:826:5
    #5 0x7f5125ce9cad in xmlParseStartTag (/usr/lib64/libxml2.so.2+0x41cad)
    #6 0x7f5125cf7323 (/usr/lib64/libxml2.so.2+0x4f323)
    #7 0x7f5125cf83ba in xmlParseChunk (/usr/lib64/libxml2.so.2+0x503ba)
    #8 0x54c2e7 in raptor_sax2_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_sax2.c:534:10
    #9 0x558ec9 in raptor_rdfxml_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_rdfxml.c:1169:8
    #10 0x512da5 in raptor_parser_parse_chunk /f/raptor/raptor2-2.0.15/src/raptor_parse.c:482:10
    #11 0x512da5 in raptor_parser_parse_file_stream /f/raptor/raptor2-2.0.15/src/raptor_parse.c:554
    #12 0x51324f in raptor_parser_parse_file /f/raptor/raptor2-2.0.15/src/raptor_parse.c:616:8
    #13 0x50dd82 in main /f/raptor/raptor2-2.0.15/utils/rapper.c:917:8
    #14 0x7f5124be02b0 in __libc_start_main (/lib64/libc.so.6+0x202b0)
    #15 0x41b919 in _start (/r/raptor/rapper+0x41b919)

0x604000001f88 is located 8 bytes to the left of 38-byte region [0x604000001f90,0x604000001fb6)
allocated by thread T0 here:
    #0 0x4d1d28 in malloc (/r/raptor/rapper+0x4d1d28)
    #1 0x525745 in raptor_namespace_format_as_xml /f/raptor/raptor2-2.0.15/src/raptor_namespace.c:791:12
    #2 0x5cb4ed in raptor_xml_writer_start_element_common /f/raptor/raptor2-2.0.15/src/raptor_xml_writer.c:201:9
TagsNo tags attached.
Syntax Name

Activities

hanno

2017-04-15 15:02

reporter  

raptor-heapoverflow-raptor_xml_writer_start_element_common.rdf (165 bytes)

Dave Beckett

2017-04-16 15:04

administrator   ~0002132

Proposed fix, works for me and also fixes 617

@@ -181,9 +187,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
   size_t nspace_declarations_count = 0;
   unsigned int i;

- /* max is 1 per element and 1 for each attribute + size of declared */
   if(nstack) {
- int nspace_max_count = element->attribute_count+1;
+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
+ if(element->name->nspace)
+ nspace_max_count++;
     if(element->declared_nspaces)
       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
     if(element->xml_language)

hanno

2017-04-16 15:09

reporter   ~0002133

Tested the patch and can confirm it fixes both bugs for me, too. Thanks.

Dave Beckett

2017-04-16 15:18

administrator   ~0002135

Fixed in GIT commit 590681e546cd9aa18d57dc2ea1858cb734a3863f

Issue History

Date Modified Username Field Change
2017-04-15 15:02 hanno New Issue
2017-04-15 15:02 hanno File Added: raptor-heapoverflow-raptor_xml_writer_start_element_common.rdf
2017-04-16 15:04 Dave Beckett Note Added: 0002132
2017-04-16 15:09 hanno Note Added: 0002133
2017-04-16 15:18 Dave Beckett Note Added: 0002135
2017-04-16 15:18 Dave Beckett Status new => closed
2017-04-16 15:18 Dave Beckett Assigned To => Dave Beckett
2017-04-16 15:18 Dave Beckett Resolution open => fixed
2017-04-16 15:18 Dave Beckett Fixed in Version => 2.0.16
2022-12-26 22:25 Dave Beckett View Status private => public