xml-rs
Overflow in lexer when parsing malformed doctype
Found through fuzzing; the test case was minimized manually.
Sample program (tested against 0.8.3 from crates.io as well as the latest version from git, df46cd4):
fn main() {
    // Minimal fuzzer-derived input: a doctype opener followed by a long run
    // of '<'. Parsing it panics with "attempt to add with overflow" inside
    // Lexer::doctype_finishing (src/reader/lexer.rs:485 at df46cd4), so a
    // malformed document aborts the process instead of surfacing as an
    // error — a denial-of-service concern wherever untrusted XML reaches the
    // reader. The literal is reproduced byte-for-byte; presumably the length
    // of the '<' run is what drives the counter past its bound.
    let input = "<!DOCTYPE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<";
    // Drive the reader to completion: the panic surfaces from Events::next,
    // and the individual events are irrelevant to the repro.
    let reader = xml::reader::EventReader::new(std::io::Cursor::new(input));
    for _event in reader {}
}
Stack trace:
thread 'main' panicked at 'attempt to add with overflow', /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
stack backtrace:
0: rust_begin_unwind
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/std/src/panicking.rs:493:5
1: core::panicking::panic_fmt
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:92:14
2: core::panicking::panic
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:50:5
3: xml::reader::lexer::Lexer::doctype_finishing
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
4: xml::reader::lexer::Lexer::dispatch_char
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:372:54
5: xml::reader::lexer::Lexer::read_next_token
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:353:19
6: xml::reader::lexer::Lexer::next_token
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:311:24
7: xml::reader::parser::PullParser::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/parser/mod.rs:262:19
8: xml::reader::EventReader<R>::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:52:9
9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:113:22
10: scratchi0Wd3V0pt::main
at ./main.rs:10:14
11: core::ops::function::FnOnce::call_once
at /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
I had a brief look at the code, and it looks like the lexer could return an error once it sees too many consecutive open brackets inside a doctype, rather than overflowing. It seems very unlikely that a valid XML document would contain such a run.