SIGABRT due to Heap buffer overflow in COLLADASaxFWLTransformationLoader.cpp:50

A crafted input leads to crash (heap buffer overflow) at `COLLADASaxFWLTransformationLoader.cpp:50` in opencolladavalidator `v1.6.68` (the latest version, checked on Ubuntu/Debian packages and current master).

PoC: [PoC.zip](https://github.com/KhronosGroup/OpenCOLLADA/files/6182757/PoC.zip)


Triggered by:

`./OpenCOLLADAValidator PoC.dae`
```
Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: Input is not proper UTF-8, indicate encoding !
Bytes: 0xAF 0x74 0x72 0x61

Schema validation error: Critical error: ERROR_XML_PARSER_ERROR Additional: xmlParseStartTag: invalid element name

free(): invalid pointer
Aborted
```

ASAN report:

```
$ ./OpenCOLLADAValidator PoC.dae
==601510==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000083a0 at pc 0x555557058cc6 bp 0x7fffffffca80 sp 0x7fffffffca70
WRITE of size 8 at 0x6060000083a0 thread T0
    #0 0x555557058cc5 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50
    #1 0x5555560c1672 in bool GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2Data<float, &GeneratedSaxParser::Utils::toFloat>(char const*, unsigned long, float (COLLADASaxFWL14::ColladaParserAutoGen14Private::*)(char const*, char const*, char const**, char const*, bool&), bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:836
    #2 0x555556125445 in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::characterData2FloatData(char const*, unsigned long, bool (COLLADASaxFWL14::ColladaParserAutoGen14::*)(float const*, unsigned long)) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1196
    #3 0x555556125445 in COLLADASaxFWL14::ColladaParserAutoGen14Private::_data__translate(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/generated14/COLLADASaxFWLColladaParserAutoGen14Private.cpp:19170
    #4 0x55555626145a in GeneratedSaxParser::ParserTemplate<COLLADASaxFWL14::ColladaParserAutoGen14Private, COLLADASaxFWL14::ColladaParserAutoGen14>::textData(char const*, unsigned long) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/include/GeneratedSaxParserParserTemplate.h:1840
    #5 0x555557141681 in GeneratedSaxParser::LibxmlSaxParser::characters(void*, unsigned char const*, int) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:196
    #6 0x7ffff7393ece in xmlParseCharData (/lib/x86_64-linux-gnu/libxml2.so.2+0x42ece)
    #7 0x7ffff73a4682 in xmlParseContent (/lib/x86_64-linux-gnu/libxml2.so.2+0x53682)
    #8 0x7ffff73a5f0f in xmlParseDocument (/lib/x86_64-linux-gnu/libxml2.so.2+0x54f0f)
    #9 0x5555571419cf in GeneratedSaxParser::LibxmlSaxParser::parseFile(char const*) /home/nale/OpenCOLLADA-1.6.63/GeneratedSaxParser/src/GeneratedSaxParserLibxmlSaxParser.cpp:103
    #10 0x555555d313ca in COLLADASaxFWL::VersionParser::createAndLaunchParser() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLVersionParser.cpp:329
    #11 0x555555d2ea3e in COLLADASaxFWL::FileLoader::load() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLFileLoader.cpp:79
    #12 0x555555cbf2be in COLLADASaxFWL::Loader::loadDocument(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, COLLADAFW::IWriter*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLLoader.cpp:226
    #13 0x555555caf6f4 in parse(char*, ValidationErrorHandler&) /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:37
    #14 0x555555c5bfbc in main /home/nale/OpenCOLLADA-1.6.63/COLLADAValidator/src/main.cpp:54
    #15 0x7ffff6e390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #16 0x555555cae8ad in _start (/home/nale/OpenCOLLADA-1.6.63/build/bin/OpenCOLLADAValidator+0x75a8ad)

0x6060000083a0 is located 0 bytes to the right of 64-byte region [0x606000008360,0x6060000083a0)
allocated by thread T0 here:
    #0 0x7ffff768d947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55555708fa1f in void COLLADASaxFWL::TransformationLoader::beginTransformation<COLLADAFW::Translate>() /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/include/COLLADASaxFWLTransformationLoader.h:71
    #2 0x55555708fa1f in bool COLLADASaxFWL::NodeLoader::beginTransformation<COLLADAFW::Translate>(char const*) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:100
    #3 0x55555708fa1f in COLLADASaxFWL::NodeLoader::begin__translate(COLLADASaxFWL::translate__AttributeData const&) /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLNodeLoader.cpp:141

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/nale/OpenCOLLADA-1.6.63/COLLADASaxFrameworkLoader/src/COLLADASaxFWLTransformationLoader.cpp:50 in COLLADASaxFWL::TransformationLoader::dataTranslate(float const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c0c7fff9020: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9030: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9040: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9050: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9060: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fff9070: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9080: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9090: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==601510==ABORTING
```

GDB info:

![image](https://user-images.githubusercontent.com/52778977/112002897-6d662080-8b31-11eb-882b-bc2fb1e83131.png)


Environment:
Host Operating System and version: Ubuntu 20.04.2 LTS
Host CPU architecture: x86_64







Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SIGABRT due to Heap buffer overflow in COLLADASaxFWLTransformationLoader.cpp:50 #647

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

SIGABRT due to Heap buffer overflow in COLLADASaxFWLTransformationLoader.cpp:50 #647

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions