
ERROR: AddressSanitizer: global-buffer-overflow in function ErrorIDToName

Open thientc opened this issue 3 years ago • 2 comments

The Futag instrument found this error with tinyxml2 version 9.0.0 and in the current version.

https://github.com/leethomason/tinyxml2/blob/e45d9d16d430a3f5d3eee9fe40d5e194e1e5e63a/tinyxml2.cpp#L2501-L2507

errorID is a variable of type XMLError, which can take values from XML_SUCCESS (0) to XML_ERROR_COUNT (19): https://github.com/leethomason/tinyxml2/blob/e45d9d16d430a3f5d3eee9fe40d5e194e1e5e63a/tinyxml2.h#L523-L545

The _errorNames array has 19 elements (from 0 to 18) and was defined here: https://github.com/leethomason/tinyxml2/blob/e45d9d16d430a3f5d3eee9fe40d5e194e1e5e63a/tinyxml2.cpp#L2136-L2156

So, when errorID takes the value XML_ERROR_COUNT, the error occurs at the instruction const char* errorName = _errorNames[errorID];

The generated fuzzing wrapper is attached below. ErrorIDToName1.cpp.zip

thientc, Nov 01 '22 22:11

TIXMLASSERT( errorID >= 0 && errorID < XML_ERROR_COUNT );

Looks like a false positive. XML_ERROR_COUNT is a placeholder used as a constant size and not an actual XMLError.

pj59, Nov 11 '22 20:11

> TIXMLASSERT( errorID >= 0 && errorID < XML_ERROR_COUNT );
>
> Looks like a false positive. XML_ERROR_COUNT is a placeholder used as a constant size and not an actual XMLError.

Is it a positive if the TIXMLASSERT does not work on line 95 (commit 1dee28e51f9175a31955b9791c74c430fe13dc82, version 9.0.0)?

https://github.com/leethomason/tinyxml2/blob/1dee28e51f9175a31955b9791c74c430fe13dc82/tinyxml2.h#L82-L97

This line has been fixed in the current commit: https://github.com/leethomason/tinyxml2/blob/e45d9d16d430a3f5d3eee9fe40d5e194e1e5e63a/tinyxml2.h#L95

thientc, Nov 12 '22 06:11
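The thread turns on two points: a count sentinel at the end of an enum is a valid value of the enum type but not a valid table index, and an assertion macro that can be compiled out is not a bounds check. The following is an added, reduced model of that pattern (hypothetical DemoError enum and kDemoErrorNames table, not tinyxml2's own declarations) showing an assertion-only lookup beside one whose range check is a real branch and maps the sentinel to a fallback string.

```cpp
#include <cassert>
#include <cstring>

// Hypothetical error enum whose last enumerator is a count sentinel, one past
// the last valid error id (mirrors the XML_ERROR_COUNT role in the thread).
enum DemoError {
    DEMO_SUCCESS = 0,
    DEMO_NO_ATTRIBUTE,
    DEMO_WRONG_ATTRIBUTE_TYPE,
    DEMO_FILE_NOT_FOUND,
    DEMO_ERROR_COUNT
};

// Name table sized by the sentinel: valid indices are 0 .. DEMO_ERROR_COUNT-1.
static const char* const kDemoErrorNames[DEMO_ERROR_COUNT] = {
    "DEMO_SUCCESS",
    "DEMO_NO_ATTRIBUTE",
    "DEMO_WRONG_ATTRIBUTE_TYPE",
    "DEMO_FILE_NOT_FOUND",
};

// Keep the table and the enum in step at compile time.
static_assert(sizeof(kDemoErrorNames) / sizeof(kDemoErrorNames[0]) == DEMO_ERROR_COUNT,
              "error name table out of sync with enum");

// Assertion-only lookup. When assert() is compiled out (NDEBUG), passing the
// sentinel indexes one element past the end of the table, which is exactly the
// read AddressSanitizer reports as a global-buffer-overflow.
const char* errorIdToNameUnchecked(DemoError id) {
    assert(id >= 0 && id < DEMO_ERROR_COUNT);
    return kDemoErrorNames[id];
}

// Hardened lookup: the range check is an ordinary branch, so it holds in every
// build configuration. The sentinel and any other out-of-range value map to a
// fixed fallback string instead of an out-of-bounds read.
const char* errorIdToNameChecked(int id) {
    if (id < 0 || id >= DEMO_ERROR_COUNT) {
        return "UNKNOWN_ERROR";
    }
    return kDemoErrorNames[id];
}
```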