Overflow in lexer when parsing malformed doctype #204

@5225225

Description

Found through fuzzing and minimized the test case manually.

Sample program (tested against 0.8.3 on crates.io as well as the latest version from git, df46cd4):

// Requires the xml-rs crate (`xml` in Cargo.toml).
fn main() {
    // Repro input: a DOCTYPE followed by a long run of '<' and no closing '>'.
    let x = "<!DOCTYPE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<";

    let c = std::io::Cursor::new(x);

    // Pull every event; the panic is raised from inside the lexer.
    for _ in xml::reader::EventReader::new(c) {}
}

Stack trace:

thread 'main' panicked at 'attempt to add with overflow', /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
stack backtrace:
   0: rust_begin_unwind
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/std/src/panicking.rs:493:5
   1: core::panicking::panic_fmt
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:92:14
   2: core::panicking::panic
             at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:50:5
   3: xml::reader::lexer::Lexer::doctype_finishing
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
   4: xml::reader::lexer::Lexer::dispatch_char
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:372:54
   5: xml::reader::lexer::Lexer::read_next_token
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:353:19
   6: xml::reader::lexer::Lexer::next_token
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:311:24
   7: xml::reader::parser::PullParser::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/parser/mod.rs:262:19
   8: xml::reader::EventReader<R>::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:52:9
   9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
             at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:113:22
  10: scratchi0Wd3V0pt::main
             at ./main.rs:10:14
  11: core::ops::function::FnOnce::call_once
             at /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Had a brief look at the code, and it looks like we could return an error if we have too many open brackets in a row? Seems very unlikely that a valid XML document would do that.
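Added example, not code from the issue or from xml-rs: a minimal DOCTYPE nesting scanner in the spirit of the fix the reporter suggests. `u8_depth_after` models an 8-bit depth counter advanced with checked arithmetic, to show where a run of `<` like the one above overflows it; `scan_doctype` caps the depth at a hypothetical `MAX_DOCTYPE_DEPTH` and returns an error instead of panicking. Every name here, the limit, the error type and the constructed `hostile_doctype` input are assumptions, not xml-rs APIs, and the width of the counter in xml-rs is inferred from the panic message, not confirmed by the page.

```rust
// Added example (not xml-rs code): a minimal DOCTYPE nesting scanner showing how a
// fixed-width depth counter overflows on a long run of '<', and how a bounded
// counter turns that input into an error instead of a panic. All names are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum DoctypeError {
    /// More nested '<' than the scanner is willing to track.
    TooDeep { limit: usize },
    /// Input ended before the declaration's closing '>'.
    UnexpectedEof,
    /// Input does not begin with "<!DOCTYPE".
    NotADoctype,
}

const DOCTYPE_PREFIX: &str = "<!DOCTYPE";

/// Hypothetical cap on nesting depth; real internal subsets are shallow.
pub const MAX_DOCTYPE_DEPTH: usize = 32;

/// Models an 8-bit depth counter (assumption about the original lexer) advanced with
/// checked arithmetic. Returns the final depth, or None where a plain `d + 1` would
/// panic with 'attempt to add with overflow' in a debug build and wrap silently in a
/// release build without overflow checks.
pub fn u8_depth_after(input: &str) -> Option<u8> {
    let mut depth: u8 = 0;
    for c in input.chars() {
        match c {
            '<' => depth = depth.checked_add(1)?,
            '>' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    Some(depth)
}

/// Scans a DOCTYPE declaration, tracking '<' / '>' nesting the way a lexer would, and
/// returns the byte length of the declaration through its closing '>'. The depth is
/// bounded, so hostile input yields `TooDeep` rather than an arithmetic overflow.
pub fn scan_doctype(input: &str) -> Result<usize, DoctypeError> {
    let body = input
        .strip_prefix(DOCTYPE_PREFIX)
        .ok_or(DoctypeError::NotADoctype)?;
    // The '<' of "<!DOCTYPE" itself is the first open bracket.
    let mut depth: usize = 1;
    for (i, c) in body.char_indices() {
        match c {
            '<' => {
                if depth >= MAX_DOCTYPE_DEPTH {
                    return Err(DoctypeError::TooDeep { limit: MAX_DOCTYPE_DEPTH });
                }
                depth += 1;
            }
            '>' => {
                depth -= 1;
                if depth == 0 {
                    return Ok(DOCTYPE_PREFIX.len() + i + 1);
                }
            }
            _ => {}
        }
    }
    Err(DoctypeError::UnexpectedEof)
}

/// Constructed input in the shape of the reporter's test case: a DOCTYPE followed by
/// `opens` '<' characters and no closing '>'.
pub fn hostile_doctype(opens: usize) -> String {
    format!("{}{}", DOCTYPE_PREFIX, "<".repeat(opens))
}

fn main() {
    let bad = hostile_doctype(300);
    println!("8-bit counter after 300 opens: {:?}", u8_depth_after(&bad));
    println!("bounded scanner on hostile input: {:?}", scan_doctype(&bad));

    // Constructed well-formed doctype with a small internal subset.
    let good = "<!DOCTYPE note [ <!ELEMENT note (#PCDATA)> ]><note/>";
    println!("bounded scanner on a normal doctype: {:?}", scan_doctype(good));
}
```

The bound matters more than the overflow check itself: with `overflow-checks` off (the default for release profiles) the unchecked addition wraps to zero instead of panicking, after which a single `>` would be taken as the end of the declaration. Rejecting the input at a fixed depth gives the same answer in both build profiles and matches the reporter's observation that no valid document nests brackets that deeply.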
