# Bug Report: `XMLNode::Value()` does not check for null `_value`, leading to crash

## Summary
The `XMLNode::Value()` method in `tinyxml2.cpp` does not perform a null check on the `_value` member before returning it. A caller that dereferences the returned null pointer crashes with a segmentation fault.
## Location

- File: `tinyxml2.cpp`
- Function: `const char* XMLNode::Value() const`
- Line: 850
## Reproduction Steps

This issue was discovered during fuzz testing under AddressSanitizer with the following test driver:
```cpp
#include <cstddef>
#include <cstdint>
#include <fuzzer/FuzzedDataProvider.h>
#include "tinyxml2.h"

using namespace tinyxml2;

extern "C" int LLVMFuzzerTestOneInput_4(const uint8_t *fuzz_data, size_t fuzz_size) {
    FuzzedDataProvider provider(fuzz_data, fuzz_size);
    int int_0 = provider.ConsumeIntegral<int>();
    int int_1 = provider.ConsumeIntegral<int>();
    DynArray<int, 10> arr;   // tinyxml2's internal growable array
    arr.Push(int_0);
    arr.Push(int_1);
    arr.Pop();
    int* mem = arr.Mem();
    (void)mem;               // the driver does not use the result
    return 0;
}
```
Although this input does not directly construct or manipulate XML nodes, it indirectly triggers a call to `XMLNode::Value()` while `_value` is `nullptr`.

## Root Cause

The function currently returns `_value` without checking whether it is null:
```cpp
const char* XMLNode::Value() const {
    return _value; // no null check
}
```
If `_value` is `nullptr` and the caller dereferences it (e.g., when printing it or passing it to string operations), the result is a segmentation fault, which AddressSanitizer reports as follows.

## ASan Error Output
```text
==1753579==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x5598a8ef3c81 in tinyxml2::XMLNode::Value() const /data/cpput_vol/utscript/projects/tinyxml2/tinyxml2_5/tinyxml2.cpp:850
    ...
SUMMARY: AddressSanitizer: SEGV /data/cpput_vol/utscript/projects/tinyxml2/tinyxml2_5/tinyxml2.cpp:850 in tinyxml2::XMLNode::Value() const
```
## Proposed Fix

Update `Value()` to return an empty string literal when `_value` is null. Every use of the returned pointer then remains safe, and the null pointer dereference cannot occur.
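The following is an added example, not tinyxml2's own code: a hypothetical minimal stand-in for `XMLNode` that shows the unpatched `Value()` next to the null-safe version proposed above, together with a caller that dereferences the result the way the report describes.

```cpp
// Added example: hypothetical stand-in classes, not tinyxml2's XMLNode.
#include <cstddef>
#include <cstring>

// Mirrors the current behaviour: Value() hands back _value unchecked.
class NodeUnpatched {
public:
    explicit NodeUnpatched(const char* v = nullptr) : _value(v) {}
    const char* Value() const { return _value; }   // may be nullptr
private:
    const char* _value;
};

// Applies the proposed fix: a null _value becomes an empty string literal.
class NodePatched {
public:
    explicit NodePatched(const char* v = nullptr) : _value(v) {}
    const char* Value() const { return _value ? _value : ""; }
private:
    const char* _value;
};

// A caller that dereferences Value(), as string operations in the report do.
// With NodeUnpatched and an unset value this is the crash ASan reported.
template <typename Node>
std::size_t ValueLength(const Node& n) { return std::strlen(n.Value()); }

// Check a node can be handed to such a caller without a null dereference.
template <typename Node>
bool ValueIsDereferenceable(const Node& n) { return n.Value() != nullptr; }
```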