SIGABRT due to Heap buffer overflow in COLLADASaxFWLTransformationLoader.cpp:117 #646

Open
Nalen98 opened this issue Mar 22, 2021 · 0 comments

Comments

Nalen98 commented Mar 22, 2021

A crafted input leads to a crash (heap buffer overflow) at COLLADASaxFWLTransformationLoader.cpp:117 in opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

Schema validation error: Error: ERROR_TEXTDATA_PARSING_FAILED Element: scale, Line: 1512, Column: 11, Additional: |/scale>

Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: Opening and ending tag mismatch: scale line 0 and node

free(): invalid pointer
Aborted

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
==491773==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000007da0 at pc 0x555557059c3f bp 0x7fffffffca50 sp 0x7fffffffca40
WRITE of size 8 at 0x606000007da0 thread T0
    #0 0x555557059c3e in COLLADASaxFWL::TransformationLoader::dataScale(float const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:117
    #1 0x5555560c1672 in bool GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2Data<float, &GeneratedSaxParser::Utils::toFloat>(char const*, unsigned long, float (COLLADASaxFWL14::ColladaParserAutoGen14Private::*)(char const*, char const*, char const**, char const*, bool&), bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:836
    #2 0x555556123865 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2FloatData(char const*, unsigned long, bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1196
    #3 0x555556123865 in COLLADASaxFWL14::ColladaParserAutoGen14Private::_data__scale(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/generated14/COLLADASaxFWLColladaParserAutoGen14Private.cpp:18870
    #4 0x55555626145a in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::textData(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1840
    #5 0x555557141681 in GeneratedSaxParser::LibxmlSaxParser::characters(void*, unsigned char const*, int) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:196
    #6 0x7ffff7393ece in xmlParseCharData (/lib/x86_64-linux-gnu/libxml2.so.2+0x42ece)
    #7 0x7ffff73a4682 in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x53682)
    #8 0x7ffff73a5f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #9 0x5555571419cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #10 0x555555d313ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #11 0x555555d2ea3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #12 0x555555cbf2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #13 0x555555caf6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #14 0x555555c5bfbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #15 0x7ffff6e390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #16 0x555555cae8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

0x606000007da0 is located 0 bytes to the right of 64-byte region [0x606000007d60,0x606000007da0)
allocated by thread T0 here:
    #0 0x7ffff768d947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55555708fd60 in void COLLADASaxFWL::TransformationLoader::beginTransformation<COLLADAFW::Scale>() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/include/COLLADASaxFWLTransformationLoader.h:71
    #2 0x55555708fd60 in bool COLLADASaxFWL::NodeLoader::beginTransformation<COLLADAFW::Scale>(char const*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:100
    #3 0x55555708fd60 in COLLADASaxFWL::NodeLoader::begin__scale(COLLADASaxFWL::scale__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:195

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:117 in COLLADASaxFWL::TransformationLoader::dataScale(float const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c0c7fff8f60: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8f70: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8f80: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8f90: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8fa0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff8fb0: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8fc0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8fd0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8fe0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff8ff0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9000: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==491773==ABORTING

GDB info:

[screenshot: GDB output, attached as an image and not reproduced here]

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
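The trace above shows the shape of the defect: the generated SAX parser converts the text of a `<scale>` element into floats (`_data__scale` via `characterData2FloatData`) and hands them to `TransformationLoader::dataScale(const float*, size_t)`, which stores them into the `COLLADAFW::Scale` object allocated in `beginTransformation<Scale>()`; ASan reports an 8-byte write at the first byte past that 64-byte object. The C++ below is an added example, not OpenCOLLADA's code and not from the reporter. It models that pattern with assumed names and layouts (`Vec3`, `UnsafeScaleLoader`, `SafeScaleLoader`, `parseFloats`, `loadScale`, a three-component target) and shows the check a hardened sink needs: because a SAX parser may deliver one element's text across several `characters()` callbacks, the bound has to be on the cumulative count, not on the size of a single chunk, and rejection is reported through the `bool` the data callback already returns so the parser treats it as a parse error.

```cpp
#include <cstddef>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Assumed stand-in for a three-component transformation target.  The real
// COLLADAFW::Scale layout is not reproduced; only the sink pattern is.
struct Vec3 { double v[3] = {0, 0, 0}; };

// Vulnerable pattern (illustration, not the project's code): every incoming
// value is stored at v[received++] with no capacity check, so element text
// carrying more than three numbers writes past the heap-allocated Vec3.
// A double store just past the object matches the ASan report above
// (WRITE of size 8, 0 bytes to the right of the region).
struct UnsafeScaleLoader {
    Vec3* scale = nullptr;
    size_t received = 0;
    void begin() { scale = new Vec3(); received = 0; }
    bool data(const float* values, size_t count) {
        for (size_t i = 0; i < count; ++i)
            scale->v[received++] = values[i];   // out of bounds once received >= 3
        return true;
    }
    bool end() { bool ok = (received == 3); delete scale; scale = nullptr; return ok; }
};

// Hardened pattern: bound the cumulative count against the target's capacity
// before writing, and fail through the bool return so the caller aborts the
// parse instead of continuing with a corrupted heap.
struct SafeScaleLoader {
    static constexpr size_t kCapacity = 3;
    Vec3* scale = nullptr;
    size_t received = 0;
    void begin() { scale = new Vec3(); received = 0; }
    bool data(const float* values, size_t count) {
        if (count > kCapacity - received)       // checks the running total, not this chunk alone
            return false;
        for (size_t i = 0; i < count; ++i)
            scale->v[received++] = values[i];
        return true;
    }
    // Also reject under-filled elements: a <scale> must carry exactly three values.
    bool end() { bool ok = (received == kCapacity); delete scale; scale = nullptr; return ok; }
};

// Tokenise one chunk of element text into floats, standing in for the
// generated parser's text-to-float conversion.
static std::vector<float> parseFloats(const std::string& chunk) {
    std::vector<float> out;
    std::istringstream in(chunk);
    float f;
    while (in >> f) out.push_back(f);
    return out;
}

// Drive a loader with the text of one <scale> element, delivered in chunks
// the way a SAX characters() callback would.  Returns true only when the
// loader accepted exactly three components.
template <typename Loader>
bool loadScale(const std::vector<std::string>& chunks) {
    Loader loader;
    loader.begin();
    for (const std::string& chunk : chunks) {
        std::vector<float> values = parseFloats(chunk);
        if (!loader.data(values.data(), values.size())) {
            loader.end();
            return false;
        }
    }
    return loader.end();
}

int main() {
    // Constructed inputs: a well-formed scale split across two callbacks, and
    // an over-long one of the kind a crafted .dae could supply.
    std::printf("hardened, \"1 2\" + \"3\":   %s\n",
                loadScale<SafeScaleLoader>({"1 2", "3"}) ? "accepted" : "rejected");
    std::printf("hardened, \"1 2 3 4\":     %s\n",
                loadScale<SafeScaleLoader>({"1 2 3 4"}) ? "accepted" : "rejected");
    return 0;
}
```

Run without ASan, an overflow of this shape corrupts the allocator's metadata for the neighbouring chunk, which is why the plain run above ends in `free(): invalid pointer` rather than a clean error; the sanitizer build is what turns it into the precise report quoted in the issue.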
