wget-dev

wget2 | Stack-overflow in libwget_atom_url_fuzzer.exe (#643)


From: Gisle Vanem (@gvanem)
Subject: wget2 | Stack-overflow in libwget_atom_url_fuzzer.exe (#643)
Date: Wed, 06 Sep 2023 08:51:02 +0000


Gisle Vanem created an issue: https://gitlab.com/gnuwget/wget2/-/issues/643



While running `fuzz/libwget_atom_url_fuzzer.exe` on Windows, I get this output:
```
testing 11 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/00ee3e6925375e7d75634248d8386a1441e117f2'
testing 6 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/01d61dce0047962810b1685ad5c8ee05ae326701'
testing 11 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/022ed321f45e755fc9dc89cc524ce28eb3cb6d28'
testing 35 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/02cf3504f311677fd815d1483453552b56dd2b77'
testing 129 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/0347a472f73ece079ee64fb23828054163147feb'
testing 226 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/038361e50df53b12bfab11183bf7ba4abf2ef979'
testing 16 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/038aa3bf2edbf406aacef915cf3768ee254f34ea'
testing 25 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/03bde4aef85f3878f82c7e74845551e18c5d99f4'
testing 19 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/03c29724a11c2522cacb276a04d2eec55fb334ac'
testing 7229 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/049f35d017f4213d6ad79adff8f32cccf64409ed'
testing 9561 bytes from 
'F:/MinGW32/src/inet/Web/wget2/fuzz/libwget_atom_url_fuzzer.in/04ec4244c56917e08d6285eb1f32b8816654439f'
boom!
```

Then the exception from WinDbg is 
`STACK_OVERFLOW_c00000fd_libwget2.dll!wget_xml_parse_buffer`.
This is the call-stack:
```
ntdll!RtlpAllocateHeapInternal+0x9a2
ucrtbase!_malloc_base+0x36
libwget2!wget_malloc(void)+0x6
libwget2!buffer_realloc(struct wget_buffer * buf = 0x00000073`be404280, 
unsigned int64 size = 1)+0x36
libwget2!wget_buffer_memcat(struct wget_buffer * buf = 0x00000073`be404280, 
void * data = 0x00000186`c26263f0, unsigned int64 length = 1)+0x55
libwget2!copy_string(struct wget_buffer * buf = 0x00000073`be404280, unsigned 
int flags = 0, int field_width = 0n0, int precision = <Value unavailable 
error>, char * arg = 0x00000186`c26263f0 
"e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><g><g><g><g><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><G><g><e><>><e><e><e><e><e><g><e><g><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><e><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><g><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><e><g><e><>><e><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><e><g><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><g><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e><e><e><e><e><g><e><>><e>")+0xa9
libwget2!wget_buffer_vprintf_append(struct wget_buffer * buf = 
0x00000073`be404280, char * fmt = <Value unavailable error>, char * args = 
0x00000073`be4042f8 "")+0x3f1
libwget2!wget_vsnprintf(char * fmt = 0x00007fff`13e23284 "%.*s")+0x25
libwget2!wget_snprintf(char * str = 0x00000073`be40440f "", unsigned int64 size 
= 1, char * fmt = 0x00007fff`13e23284 "%.*s")+0x3f
libwget2!parseXML(char * dir = <Value unavailable error>, struct xml_context * 
context = 0x00000073`be5efd90)+0x17d
libwget2!parseXML(char * dir = <Value unavailable error>, struct xml_context * 
context = 0x00000073`be5efd90)+0x543
...
```

Adding some trace to `xml.c`, I see there could be approx. 3500 recursive calls 
to `parseXML()` from some fuzz-input files.
And I believe `parseXML()` uses the stack of the parent fuzz programs, no? 

So increasing the stack-size to 4 MByte for `fuzz/*.exe`, the exception is gone 
(the default seems to be 100 000).
But what if `libwget2.dll` gets such input in *real-life*? Should the stack of 
`wget2.exe` be increased too?

I built with both MSVC and clang-cl. They both have the same issue.

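The report above shows a recursive-descent XML parser being driven thousands of frames deep by nested `<e><e><e>...` input until the thread's stack is exhausted. The following is an added example, not wget2's `parseXML()` or any other code from the project: a minimal recursive tag parser over a simplified grammar (`<name>children</name>`), with a hypothetical `MAX_DEPTH` cap so that a constructed 3500-level document is rejected with an error code instead of recursing until the stack overflows. The constant, the grammar and the sample input are all assumptions for illustration.

```c
/* Added example, not wget2 code: a tiny recursive tag parser that bounds its
 * own recursion depth, as a defensive alternative to enlarging the thread stack. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical nesting limit; wget2 defines no such constant on this page. */
#define MAX_DEPTH 256

enum { PARSE_OK = 0, PARSE_TOO_DEEP = -1, PARSE_MALFORMED = -2 };

static int parse_elements(const char **pp, int depth, int *max_seen);

/* Parse one element at *pp: '<' name '>' children '</' name '>'.
 * Recursion happens through parse_elements() for the children. */
static int parse_element(const char **pp, int depth, int *max_seen)
{
    const char *p = *pp;
    /* Depth check comes first: this frame is the deepest we will ever allow. */
    if (depth > MAX_DEPTH)
        return PARSE_TOO_DEEP;
    if (depth > *max_seen)
        *max_seen = depth;
    if (*p != '<')
        return PARSE_MALFORMED;
    p++;
    const char *name = p;
    while (*p && *p != '>' && *p != '<' && *p != '/')
        p++;
    size_t namelen = (size_t)(p - name);
    if (namelen == 0 || *p != '>')      /* rejects "<>" and "<e<" */
        return PARSE_MALFORMED;
    p++;
    int rc = parse_elements(&p, depth + 1, max_seen);  /* nested children */
    if (rc != PARSE_OK)
        return rc;
    /* Expect the matching close tag "</name>". */
    if (p[0] != '<' || p[1] != '/')
        return PARSE_MALFORMED;
    p += 2;
    if (strncmp(p, name, namelen) != 0 || p[namelen] != '>')
        return PARSE_MALFORMED;
    p += namelen + 1;
    *pp = p;
    return PARSE_OK;
}

/* Parse sibling elements until a close tag or end of input. */
static int parse_elements(const char **pp, int depth, int *max_seen)
{
    while (**pp == '<' && (*pp)[1] != '/') {
        int rc = parse_element(pp, depth, max_seen);
        if (rc != PARSE_OK)
            return rc;
    }
    return PARSE_OK;
}

/* Entry point: parse the whole buffer; *max_seen receives the deepest level reached. */
int parse_document(const char *input, int *max_seen)
{
    const char *p = input;
    *max_seen = 0;
    int rc = parse_elements(&p, 1, max_seen);
    if (rc != PARSE_OK)
        return rc;
    return (*p == '\0') ? PARSE_OK : PARSE_MALFORMED;  /* trailing garbage */
}

/* Constructed sample input: n copies of "<e>" followed by n copies of "</e>". */
char *make_nested(int n)
{
    size_t len = (size_t)n * 7 + 1;   /* 3 + 4 bytes per level, plus NUL */
    char *s = malloc(len);
    if (!s)
        return NULL;
    char *w = s;
    for (int i = 0; i < n; i++) { memcpy(w, "<e>", 3); w += 3; }
    for (int i = 0; i < n; i++) { memcpy(w, "</e>", 4); w += 4; }
    *w = '\0';
    return s;
}

/* Parse a constructed document nested n levels deep and return the result code. */
int check_nested(int n, int *max_seen)
{
    char *doc = make_nested(n);
    if (!doc)
        return PARSE_MALFORMED;
    int rc = parse_document(doc, max_seen);
    free(doc);
    return rc;
}

int main(void)
{
    int seen;
    int rc = check_nested(3500, &seen);   /* roughly the depth seen in the report */
    printf("3500 levels: rc=%d, deepest level reached=%d\n", rc, seen);
    rc = check_nested(MAX_DEPTH, &seen);
    printf("%d levels: rc=%d, deepest level reached=%d\n", MAX_DEPTH, rc, seen);
    return 0;
}
```

The point of checking `depth` before doing anything else in `parse_element()` is that the recursion can never go more than one frame past the limit, so the stack budget is fixed by `MAX_DEPTH` rather than by whatever the input chooses to nest; the same 3500-level input that overflowed the default Windows stack simply returns `PARSE_TOO_DEEP` here.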



