Consider using reliable crash-resistant xml parser instead of xml-rs.

Open xjewer opened this issue 3 years ago • 1 comments

After introducing libfuzzer (https://github.com/cloudflare/svg-hush/pull/2#issuecomment-1201314078), I found out that the xml-rs crate has at least one place that crashes with "attempt to add with overflow".

Moreover, xml-rs hasn't had contributions for almost a year and it seems to be abandoned.

cc @kornelski

xjewer avatar Aug 01 '22 16:08 xjewer

The state of Rust XML parsers is a bit sad. I've tried quick-xml, but it wasn't better.

kornelski avatar Aug 01 '22 17:08 kornelski

I tested this with the latest xml-rs version (v0.8.13) and the crash does not reproduce anymore. Consider updating the dependencies for this repository.

00xc avatar Jun 01 '23 10:06 00xc

Just FYI, I have tested this again and found 2 more panics in xml-rs through the svg-hush harness:

  • https://github.com/netvl/xml-rs/issues/225 (only with debug assertions enabled)
  • https://github.com/netvl/xml-rs/pull/226 (fix got merged)

00xc avatar Jun 01 '23 16:06 00xc

I've fixed and improved a bunch of things in xml-rs, and I think it's a good choice now. There might still be some bugs left, so please keep fuzzing!

kornelski avatar Jun 02 '23 01:06 kornelski