xml-rs
xml-rs copied to clipboard
netvl
panicked at 'attempt to add with overflow'
with given input file:
and following code:
fn main(){
let filepath = "<input file>";
let data = std::fs::read(filepath).unwrap();
let reader = xml::reader::EventReader::new(&data);
for _ in reader.into_iter() {}
}
output:
thread 'main' panicked at 'attempt to add with overflow', /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:486:57
stack backtrace:
0: rust_begin_unwind
1: core::panicking::panic_fmt
2: core::panicking::panic
3: xml::reader::lexer::Lexer::doctype_finishing
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:486:57
4: xml::reader::lexer::Lexer::dispatch_char
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:373:54
5: xml::reader::lexer::Lexer::read_next_token
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:354:19
6: xml::reader::lexer::Lexer::next_token
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:312:24
7: xml::reader::parser::PullParser::next
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/parser/mod.rs:262:19
8: xml::reader::EventReader<R>::next
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/mod.rs:52:9
9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/mod.rs:113:22
...
expect: properly return error instead of panic
I think this is same issue I have reported to @netvl privately.
The function where integer overflow (and panic) occurs is
https://github.com/netvl/xml-rs/blob/9c82a7664520e9c54996aefefed48014ca5cc4f6/src/reader/lexer.rs#L483-L491
where with certain input file (hex dump below), the match case '<' (line 486) causes integer overflow in d + 1, probably when d = 255.
This case only panics when Rust's integer overflow checks are enabled, so usually in debug builds and not in release build. With release builds what probably happens is that the integer just silently overflows and things break in some other way.
This is a hex dump of my test case (found and minimized by cargo fuzz):
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 0a 3c 21 44 4f 43 54 59 ┊ 50 45 3c 65 3c 3c 6f 3c │_<!DOCTY┊PE<e<<o<│
│00000010│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000020│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000030│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000040│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000050│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000060│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000070│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000080│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000090│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000a0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000b0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000c0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000d0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000e0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000f0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000100│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c │<<<<<<<<┊<<< │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
