SEGV on unknown address in COLLADASaxFWL::LibraryLightsLoader::getUniqueId at COLLADASaxFWLLibraryLightsLoader.cpp:40

[Nalen98]

A crafted input leads to crash (an invalid memory address dereference) at COLLADASaxFWLLibraryLightsLoader.cpp:40 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1912414==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5561e5342447 bp 0x604000019e50 sp 0x7ffcc433fb20 T0)
==1912414==The signal is caused by a READ memory access.
==1912414==Hint: address points to the zero page.
    #0 0x5561e5342446 in COLLADASaxFWL::LibraryLightsLoader::getUniqueId() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLibraryLightsLoader.cpp:40
    #1 0x5561e4e59821 in COLLADASaxFWL::IFilePartLoader::begin__technique(COLLADASaxFWL::technique__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLIFilePartLoader.cpp:292
    #2 0x5561e515a285 in non-virtual thunk to COLLADASaxFWL::LibraryLightsLoader14::begin__technique(COLLADASaxFWL14::technique__AttributeData const&) (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x1948285)
    #3 0x5561e4596812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
    #4 0x5561e53ff3e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
    #5 0x7ff86a7e315e in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b15e)
    #6 0x7ff86a7e5f27  (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
    #7 0x7ff86a7eb7cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
    #8 0x7ff86a7ecf0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #9 0x5561e53ff9cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #10 0x5561e3fef3ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #11 0x5561e3feca3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #12 0x5561e3f7d2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #13 0x5561e3f6d6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #14 0x5561e3f19fbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #15 0x7ff86a2800b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #16 0x5561e3f6c8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLibraryLightsLoader.cpp:40 in COLLADASaxFWL::LibraryLightsLoader::getUniqueId()
==1912414==ABORTING

GDB info:

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64