SEGV on unknown address due to COLLADABUURI.cpp:225 #645

@Nalen98

Description

A crafted input leads to a crash (an invalid memory address dereference) at std::__cxx11::basic_string<char, std::char_traits... in libstdc++.so.6 provided by opencolladavalidator v1.6.68 (the latest version, checked on Ubuntu/Debian packages and current master).
It seems the line mUriString = copyFrom_.mUriString; in COLLADABUURI.cpp:225 causes the segmentation fault.

PoC: PoC.zip

Triggered by:

./OpenCOLLADAValidator PoC.dae

ASAN report:

$ ./OpenCOLLADAValidator PoC.dae
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2010438==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f2b14ed0d3c bp 0x7ffe7c9da9f0 sp 0x7ffe7c9da470 T0)
==2010438==The signal is caused by a READ memory access.
==2010438==Hint: address points to the zero page.
    #0 0x7f2b14ed0d3b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x142d3b)
    #1 0x557c59f7c672 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:1366
    #2 0x557c59f7c672 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:696
    #3 0x557c59f7c672 in COLLADABU::URI::URI(COLLADABU::URI const&, bool) /home/nale/OpenCOLLADA-1.6.63/COLLADABaseUtils/src/COLLADABUURI.cpp:225
    #4 0x557c59e9264f in COLLADASaxFWL::MeshLoader::initializePositionsOffset() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:754
    #5 0x557c59ea1de9 in COLLADASaxFWL::MeshLoader::initializeOffsets() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:731
    #6 0x557c59ea21b1 in COLLADASaxFWL::MeshLoader::begin__p() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLMeshLoader.cpp:1464
    #7 0x557c5907c812 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::elementBegin(char const*, GeneratedSaxParser::ParserAttributes const&) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:2059
    #8 0x557c59ee53e0 in GeneratedSaxParser::LibxmlSaxParser::startElement(void*, unsigned char const*, unsigned char const**) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:179
    #9 0x7f2b14fba5a6 in xmlParseStartTag (/lib/x86_64-linux-gnu/libxml2.so.2+0x4b5a6)
    #10 0x7f2b14fbcf27  (/lib/x86_64-linux-gnu/libxml2.so.2+0x4df27)
    #11 0x7f2b14fc27cf in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x537cf)
    #12 0x7f2b14fc3f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #13 0x557c59ee59cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #14 0x557c58ad53ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #15 0x557c58ad2a3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #16 0x557c58a632be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #17 0x557c58a536f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #18 0x557c589fffbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #19 0x7f2b14a570b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #20 0x557c58a528ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libstdc++.so.6+0x142d3b) in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
==2010438==ABORTING

GDB info:

[GDB screenshots not reproduced here]

Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64
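As an added illustration (not code from OpenCOLLADA or from the reporter), this reconstructs the crash pattern the trace suggests: a read from the zero page inside std::string assignment in a copy constructor is consistent with a null object reference being passed in, and the check below is how a loader turns the missing input into a validation error instead of a SEGV. The Uri and findSource names, the POSITION lookup and the error message are assumptions, not OpenCOLLADA's own code.

```cpp
// Added illustration (not OpenCOLLADA code): a lookup that yields a null pointer,
// dereferenced into a const reference, makes the copy constructor read a string
// member from a small address near zero, which is what a SEGV on the zero page
// inside std::string::_M_assign looks like. The hardened variant checks first.
#include <map>
#include <string>

// Hypothetical stand-in for COLLADABU::URI: the copy constructor assigns a string
// member, as the line reported at COLLADABUURI.cpp:225 does.
struct Uri {
    std::string mUriString;
    Uri() = default;
    Uri(const Uri& copyFrom_, bool /*preserveFragment*/) {
        mUriString = copyFrom_.mUriString;   // reads through copyFrom_, whatever it refers to
    }
};

// Hypothetical input-source table keyed by semantic ("POSITION", "NORMAL", ...).
using Sources = std::map<std::string, Uri>;

// Lookup that returns nullptr when the semantic is absent, as a loader might.
const Uri* findSource(const Sources& sources, const std::string& semantic) {
    auto it = sources.find(semantic);
    return it == sources.end() ? nullptr : &it->second;
}

// Unsafe pattern: dereferencing the lookup result without checking it. When a
// document lacks the expected input, *src is a null reference and the copy
// constructor reads mUriString relative to address 0: undefined behaviour,
// observed as a READ fault on the zero page. Never call this with a missing key.
Uri initializePositionsUnchecked(const Sources& sources) {
    const Uri* src = findSource(sources, "POSITION");
    return Uri(*src, true);
}

// Hardened pattern: validate the lookup and surface a parse error to the caller.
// Returns false and fills `error` when the input is missing; `out` is untouched.
bool initializePositionsChecked(const Sources& sources, Uri& out, std::string& error) {
    const Uri* src = findSource(sources, "POSITION");
    if (src == nullptr) {
        error = "mesh <p> references no POSITION input";   // constructed message
        return false;
    }
    out = Uri(*src, true);
    return true;
}
```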
