SEGV on unknown address at strlen-avx2.S:65 due to COLLADASaxFWLSourceArrayLoader.cpp:236 #644

Open
Nalen98 opened this issue Mar 20, 2021 · 0 comments

Nalen98 commented Mar 20, 2021

A crafted input leads to a crash (an invalid memory address dereference) at strlen-avx2.S:65 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
It seems the line accessorParameter.type = attributeData.type; in COLLADASaxFWL::SourceArrayLoader::begin__param (COLLADASaxFWLSourceArrayLoader.cpp:236) causes the segmentation fault.

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1957786==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff1b674a675 bp 0x7ffdbe0b8090 sp 0x7ffdbe0b7808 T0)
==1957786==The signal is caused by a READ memory access.
==1957786==Hint: address points to the zero page.
    #0 0x7ff1b674a674  (/lib/x86_64-linux-gnu/libc.so.6+0x18b674)
    #1 0x7ff1b6d928fb  (/lib/x86_64-linux-gnu/libasan.so.5+0x678fb)
    #2 0x55a87a400923 in std::char_traits<char>::length(char const*) /usr/include/c++/9/bits/char_traits.h:335
    #3 0x55a87a400923 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*) /usr/include/c++/9/bits/basic_string.h:1439
    #4 0x55a87a400923 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(char const*) /usr/include/c++/9/bits/basic_string.h:705
    #5 0x55a87a400923 in COLLADASaxFWL::SourceArrayLoader::begin__param(COLLADASaxFWL::param__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLSourceArrayLoader.cpp:236
    #6 0x55a87a1f663e in non-virtual thunk to COLLADASaxFWL::SourceArrayLoader14::begin__param(COLLADASaxFWL14::param__AttributeData const&) (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x191963e)
    #7 0x55a879661812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
    #8 0x55a87a4ca3e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
    #9 0x7ff1b6b4915e in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b15e)
    #10 0x7ff1b6b4bf27  (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
    #11 0x7ff1b6b517cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
    #12 0x7ff1b6b52f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #13 0x55a87a4ca9cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #14 0x55a8790ba3ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #15 0x55a8790b7a3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #16 0x55a8790482be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #17 0x55a8790386f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #18 0x55a878fe4fbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #19 0x7ff1b65e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #20 0x55a8790378ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b674) 
==1957786==ABORTING

GDB info:

(two GDB screenshots attached to the original issue; not reproduced as text)

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
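The stack trace above ends in std::string::assign(const char*) calling strlen, which is what happens when a const char* that is null (an attribute absent from the element) is assigned to a std::string: the standard requires the pointer to be non-null and the library reads it without checking. The following C++ is an added example, not OpenCOLLADA code, showing a null-tolerant assignment helper and a check a validator could report instead of crashing. The struct and function names (ParamAttributes, AccessorParam, assignAttribute, checkRequired, buildParam) are hypothetical stand-ins for the loader's types.

```cpp
// Added example, not part of OpenCOLLADA. Shows the defensive pattern for
// copying SAX attribute pointers into std::string: check for nullptr first.
#include <cstddef>
#include <string>

// Hypothetical stand-in for the parser's per-element attribute struct.
// libxml2-style SAX parsers report an attribute that is absent from the
// element as a null pointer rather than an empty string.
struct ParamAttributes {
    const char* name = nullptr;
    const char* type = nullptr;
};

// Hypothetical stand-in for the accessor parameter being populated.
struct AccessorParam {
    std::string name;
    std::string type;
    bool typePresent = false;
};

// Null-tolerant assignment. std::string::operator=(const char*) and
// assign(const char*) call strlen on the argument, so the null check has to
// happen before the copy. Returns true when the attribute was present.
bool assignAttribute(std::string& out, const char* value) {
    if (value == nullptr) {
        out.clear();
        return false;
    }
    out.assign(value);
    return true;
}

// Returns an empty string when the attributes are acceptable, otherwise a
// diagnostic a validator can report and continue (or abort cleanly) with.
std::string checkRequired(const ParamAttributes& attrs) {
    if (attrs.type == nullptr) {
        return "param: required attribute 'type' is missing";
    }
    return "";
}

// Builds the parameter without ever dereferencing a null attribute pointer.
AccessorParam buildParam(const ParamAttributes& attrs) {
    AccessorParam p;
    assignAttribute(p.name, attrs.name);
    p.typePresent = assignAttribute(p.type, attrs.type);
    return p;
}
```

With the check in place, a <param> element lacking a type attribute yields an empty type and a diagnostic instead of a read from the zero page; the caller decides whether a missing type is a validation error or an acceptable default.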
