-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy path10304.json
115 lines (115 loc) · 7.42 KB
/
10304.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
{
"fix": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/8c9daf790abfc06e8ca3a44652542c577bb67d49",
"verify": "0",
"localId": 10304,
"project": "libxml2",
"fuzzer": "libfuzzer",
"sanitizer": "asan",
"crash_type": "Heap-use-after-free READ 1",
"severity": "High",
"report": {
"comments": [
{
"projectName": "oss-fuzz",
"localId": 10304,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1536717217,
"content": "Detailed report: https://oss-fuzz.com/testcase?key=5721921484750848\n\nProject: libxml2\nFuzzer: libFuzzer_libxml2_xml_read_memory_fuzzer\nFuzz target binary: libxml2_xml_read_memory_fuzzer\nJob Type: libfuzzer_asan_libxml2\nPlatform Id: linux\n\nCrash Type: Heap-use-after-free READ 1\nCrash Address: 0x625000002a7d\nCrash State:\n xmlSAX2AttributeNs\n xmlSAX2StartElementNs\n xmlParseStartTag2\n \nSanitizer: address (ASAN)\n\nRecommended Security Severity: High\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libxml2&range=201809110239:201809112110\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5721921484750848\n\nIssue filed automatically.\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues.",
"descriptionNum": 1
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 1,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1536717690,
"amendments": [
{
"fieldName": "Labels",
"newOrDeltaValue": "OS-Linux"
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 2,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1536822310,
"content": "ClusterFuzz has detected this issue as fixed in range 201809120240:201809130245.\n\nDetailed report: https://oss-fuzz.com/testcase?key=5721921484750848\n\nProject: libxml2\nFuzzer: libFuzzer_libxml2_xml_read_memory_fuzzer\nFuzz target binary: libxml2_xml_read_memory_fuzzer\nJob Type: libfuzzer_asan_libxml2\nPlatform Id: linux\n\nCrash Type: Heap-use-after-free READ 1\nCrash Address: 0x625000002a7d\nCrash State:\n xmlSAX2AttributeNs\n xmlSAX2StartElementNs\n xmlParseStartTag2\n \nSanitizer: address (ASAN)\n\nRecommended Security Severity: High\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libxml2&range=201809110239:201809112110\nFixed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libxml2&range=201809120240:201809130245\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5721921484750848\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.\n\nIf you suspect that the result above is incorrect, try re-doing that job on the test case report page."
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 3,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1536823197,
"content": "ClusterFuzz testcase 5721921484750848 is verified as fixed, so closing issue as verified.\n\nIf this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new",
"amendments": [
{
"fieldName": "Status",
"newOrDeltaValue": "Verified",
"oldValue": "New"
},
{
"fieldName": "Labels",
"newOrDeltaValue": "ClusterFuzz-Verified"
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 4,
"commenter": {
"userId": "1373012459",
"displayName": "[email protected]"
},
"timestamp": 1537395410,
"content": "Hi Nick, you fixed this here:\r\n\r\n<https://gitlab.gnome.org/GNOME/libxml2/commit/8c9daf790abfc06e8ca3a44652542c577bb67d49>\r\n\r\nHowever, in both xmlSAX2StartElement() and xmlSAX2StartElementNs(), there is code that adds `ret` to a document via xmlAddChild() before the fix to check the return value of nodePush():\r\n\r\nxmlSAX2StartElement (line 1644):\r\n if (ctxt->myDoc->children == NULL) {\r\n#ifdef DEBUG_SAX_TREE\r\n xmlGenericError(xmlGenericErrorContext, \"Setting %s as root\\n\", name);\r\n#endif\r\n xmlAddChild((xmlNodePtr) ctxt->myDoc, (xmlNodePtr) ret);\r\n } else if (parent == NULL) {\r\n parent = ctxt->myDoc->children;\r\n }\r\n\r\nxmlSAX2StartElementNs (line 2302):\r\n if (parent == NULL) {\r\n xmlAddChild((xmlNodePtr) ctxt->myDoc, (xmlNodePtr) ret);\r\n }\r\n\r\nBy freeing `ret` after it has been added (in some cases), that would leave a pointer to freed memory in the document.\r\n"
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 5,
"commenter": {
"userId": "1373012459",
"displayName": "[email protected]"
},
"timestamp": 1537401060,
"content": "Via git-bisect, this regressed in 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407:\r\n\r\n<https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407>\r\n"
},
{
"projectName": "oss-fuzz",
"localId": 10304,
"sequenceNum": 6,
"commenter": {
"userId": "4164592774",
"displayName": "[email protected]"
},
"timestamp": 1539444235,
"content": "This bug has been fixed for 30 days. It has been opened to the public.\n\n- Your friendly Sheriffbot",
"amendments": [
{
"fieldName": "Labels",
"newOrDeltaValue": "-restrict-view-commit"
}
]
}
]
},
"fix_commit": "8c9daf790abfc06e8ca3a44652542c577bb67d49",
"repo_addr": "https://gitlab.gnome.org/GNOME/libxml2.git"
}