
SEGV on unknown address due to COLLADABUURI.cpp:225 #645

Open
Nalen98 opened this issue Mar 20, 2021 · 0 comments

Nalen98 commented Mar 20, 2021

A crafted input leads to a crash (an invalid memory address dereference) at std::__cxx11::basic_string<char, std::char_traits... in libstdc++.so.6 provided by opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
It seems the line mUriString = copyFrom_.mUriString; in COLLADABUURI.cpp:225 causes the segmentation fault.

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2010438==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f2b14ed0d3c bp 0x7ffe7c9da9f0 sp 0x7ffe7c9da470 T0)
==2010438==The signal is caused by a READ memory access.
==2010438==Hint: address points to the zero page.
    #0 0x7f2b14ed0d3b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x142d3b)
    #1 0x557c59f7c672 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:1366
    #2 0x557c59f7c672 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:696
    #3 0x557c59f7c672 in COLLADABU::URI::URI(COLLADABU::URI const&, bool) /home/nale/OpenCOLLADA-1.6.63/COLLADABaseUtils/src/COLLADABUURI.cpp:225
    #4 0x557c59e9264f in COLLADASaxFWL::MeshLoader::initializePositionsOffset() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:754
    #5 0x557c59ea1de9 in COLLADASaxFWL::MeshLoader::initializeOffsets() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:731
    #6 0x557c59ea21b1 in COLLADASaxFWL::MeshLoader::begin__p() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:1464
    #7 0x557c5907c812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
    #8 0x557c59ee53e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
    #9 0x7f2b14fba5a6 in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b5a6)
    #10 0x7f2b14fbcf27  (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
    #11 0x7f2b14fc27cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
    #12 0x7f2b14fc3f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #13 0x557c59ee59cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #14 0x557c58ad53ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #15 0x557c58ad2a3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #16 0x557c58a632be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #17 0x557c58a536f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #18 0x557c589fffbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #19 0x7f2b14a570b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #20 0x557c58a528ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x142d3b) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
==2010438==ABORTING

GDB info: (two GDB screenshots attached to the original issue)

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
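As an added triage helper (not part of this issue or of the OpenCOLLADA project), the script below parses the ASAN SEGV report above to pull out the fault address, the access kind and the first frame that lives in the project tree. A small non-zero address on the zero page, as here (0x18), usually means a member was read through a null pointer or reference, the address being the member's offset within the object. The abbreviated report excerpt and the project root path are taken from the trace above; the "likely null member dereference" classification is this script's own heuristic.

```python
import re

# Excerpt of the ASAN report from the issue above (frames abbreviated to a few lines).
SAMPLE_REPORT = """\
==2010438==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f2b14ed0d3c bp 0x7ffe7c9da9f0 sp 0x7ffe7c9da470 T0)
==2010438==The signal is caused by a READ memory access.
==2010438==Hint: address points to the zero page.
    #0 0x7f2b14ed0d3b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x142d3b)
    #1 0x557c59f7c672 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:1366
    #3 0x557c59f7c672 in COLLADABU::URI::URI(COLLADABU::URI const&, bool) /home/nale/OpenCOLLADA-1.6.63/COLLADABaseUtils/src/COLLADABUURI.cpp:225
    #4 0x557c59e9264f in COLLADASaxFWL::MeshLoader::initializePositionsOffset() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:754
"""

SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#N 0x... in <function> <location>"; the function may contain spaces, the location never does.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$", re.M)


def triage_segv(report: str, project_root: str, page_size: int = 4096) -> dict:
    """Classify an ASAN SEGV report: fault address, access kind, whether the
    address sits on the zero page, and the first frame under project_root."""
    addr_m = SEGV_RE.search(report)
    if not addr_m:
        raise ValueError("not an ASAN SEGV report")
    addr = int(addr_m.group(1), 16)
    access_m = ACCESS_RE.search(report)
    access = access_m.group(1) if access_m else "UNKNOWN"

    # Walk frames innermost-first; skip libstdc++/libc frames until project code shows up.
    first_project_frame = None
    for num, func, location in FRAME_RE.findall(report):
        if location.startswith(project_root):
            first_project_frame = {"frame": int(num), "function": func, "location": location}
            break

    return {
        "address": addr,
        "access": access,
        "near_null": addr < page_size,
        # Heuristic: a small non-zero offset from NULL is typically a member access
        # through a null pointer/reference, with addr equal to the member's offset.
        "likely_null_member_deref": 0 < addr < page_size,
        "first_project_frame": first_project_frame,
    }


if __name__ == "__main__":
    print(triage_segv(SAMPLE_REPORT, "/home/nale/OpenCOLLADA-1.6.63"))
```

Running the block on the excerpt reports a READ at 0x18 on the zero page with frame #3 (COLLADABUURI.cpp:225) as the first project frame, which matches the reporter's reading of the trace.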
