
SIGABRT due to Heap buffer overflow in COLLADASaxFWLTransformationLoader.cpp:50 #647

Open
Nalen98 opened this issue Mar 22, 2021 · 0 comments

Nalen98 commented Mar 22, 2021

A crafted input leads to a crash (heap buffer overflow) at COLLADASaxFWLTransformationLoader.cpp:50 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: Input is not proper UTF-8, indicate encoding !
Bytes: 0xAF 0x74 0x72 0x61

Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: xmlParseStartTag: invalid element name

free(): invalid pointer
Aborted

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
==601510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000083a0 at pc 0x555557058cc6 bp 0x7fffffffca80 sp 0x7fffffffca70
WRITE of size 8 at 0x6060000083a0 thread T0
    #0 0x555557058cc5 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50
    #1 0x5555560c1672 in bool GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2Data<float, &GeneratedSaxParser::Utils::toFloat>(char const*, unsigned long, float (COLLADASaxFWL14::ColladaParserAutoGen14Private::*)(char const*, char const*, char const**, char const*, bool&), bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:836
    #2 0x555556125445 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2FloatData(char const*, unsigned long, bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1196
    #3 0x555556125445 in COLLADASaxFWL14::ColladaParserAutoGen14Private::_data__translate(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/generated14/COLLADASaxFWLColladaParserAutoGen14Private.cpp:19170
    #4 0x55555626145a in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::textData(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1840
    #5 0x555557141681 in GeneratedSaxParser::LibxmlSaxParser::characters(void*, unsigned char const*, int) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:196
    #6 0x7ffff7393ece in xmlParseCharData (/lib/x86_64-linux-gnu/libxml2.so.2+0x42ece)
    #7 0x7ffff73a4682 in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x53682)
    #8 0x7ffff73a5f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #9 0x5555571419cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #10 0x555555d313ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #11 0x555555d2ea3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #12 0x555555cbf2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #13 0x555555caf6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #14 0x555555c5bfbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #15 0x7ffff6e390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #16 0x555555cae8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

0x6060000083a0 is located 0 bytes to the right of 64-byte region [0x606000008360,0x6060000083a0)
allocated by thread T0 here:
    #0 0x7ffff768d947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55555708fa1f in void COLLADASaxFWL::TransformationLoader::beginTransformation<COLLADAFW::Translate>() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/include/COLLADASaxFWLTransformationLoader.h:71
    #2 0x55555708fa1f in bool COLLADASaxFWL::NodeLoader::beginTransformation<COLLADAFW::Translate>(char const*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:100
    #3 0x55555708fa1f in COLLADASaxFWL::NodeLoader::begin__translate(COLLADASaxFWL::translate__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c0c7fff9020: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9030: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9040: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9050: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9060: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9070: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9080: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9090: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==601510==ABORTING

GDB info:

[GDB output attached as a screenshot; not reproduced in text]

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
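The ASAN report above places an 8-byte WRITE in TransformationLoader::dataTranslate exactly at the end of the 64-byte object allocated by beginTransformation<COLLADAFW::Translate>, reached through libxml2's characters() callback: the float data of a <translate> element is being copied into a fixed-size transformation without being bounded by that transformation's capacity. The following is an added example, not OpenCOLLADA's code, of how a SAX-style float-data sink can enforce that bound. It assumes a <translate> carries exactly three components (x, y, z) and that the parser may deliver one element's text in several chunks, so the running total, not just the per-chunk count, is checked before every write. All names (Translate, TranslateSink, feed_translate) are hypothetical.

```cpp
// Added example: bounds-checked float-data sink for a fixed-size transformation.
// Not OpenCOLLADA code; the types and names here are hypothetical.
#include <array>
#include <cstddef>
#include <cstdio>
#include <vector>

// A <translate> element holds exactly three floats (x, y, z). Assumed capacity.
constexpr std::size_t kTranslateComponents = 3;

struct Translate {
    std::array<float, kTranslateComponents> v{};   // fixed storage, never grown
};

class TranslateSink {
public:
    // Called on the element's start tag: reset per-element state.
    void begin() { received_ = 0; error_ = false; }

    // SAX-style data callback. libxml2 may split one element's character data
    // across several calls, so `count` is per-chunk; the check is against what
    // is still free in the target, not against the chunk alone.
    bool data(const float* values, std::size_t count) {
        if (error_) return false;
        if (count > kTranslateComponents - received_) {
            error_ = true;          // too many components: reject, write nothing
            return false;
        }
        for (std::size_t i = 0; i < count; ++i)
            target_.v[received_++] = values[i];
        return true;
    }

    // Called on the end tag: the element is valid only if exactly three
    // components arrived and no chunk was rejected.
    bool end() const { return !error_ && received_ == kTranslateComponents; }

    const Translate& result() const { return target_; }
    std::size_t received() const { return received_; }
    bool failed() const { return error_; }

private:
    Translate target_;
    std::size_t received_ = 0;
    bool error_ = false;
};

// Feeds one element's data, chunked the way a SAX parser might deliver it,
// and reports whether the element was accepted. Returns false on overflow
// (too many floats) as well as on underflow (too few).
bool feed_translate(TranslateSink& sink, const std::vector<std::vector<float>>& chunks) {
    sink.begin();
    for (const auto& chunk : chunks)
        if (!sink.data(chunk.data(), chunk.size())) return false;
    return sink.end();
}

int main() {
    TranslateSink sink;
    // Constructed inputs: a well-formed element split in two chunks, and an
    // element carrying a fourth component that must not be written.
    std::vector<std::vector<float>> ok   = {{1.0f, 2.0f}, {3.0f}};
    std::vector<std::vector<float>> over = {{1.0f, 2.0f, 3.0f}, {4.0f}};
    std::printf("well-formed: %s\n", feed_translate(sink, ok)   ? "accepted" : "rejected");
    std::printf("4 floats:    %s\n", feed_translate(sink, over) ? "accepted" : "rejected");
    return 0;
}
```

The point of the running `received_` counter is that a per-chunk check alone is not enough: three floats in one chunk followed by one more in the next chunk is still an overflow, and the sink must refuse the extra data rather than write it past the object. Rejecting the element (and surfacing a parse error) is the safe response; silently truncating would hide malformed input from the validator's user.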
