
Possible Bug: Global Buffer Overflow in tinyxml2::XMLPrinter::PushText(char const*, bool) #1031

@wangziqi520

Description


🐞 Bug Report: Global Buffer Overflow in tinyxml2::XMLPrinter::PushText(char const*, bool)

🔤 Summary

A global buffer overflow vulnerability was identified in the function tinyxml2::XMLPrinter::PushText(const char*, bool) located at line 2860 of tinyxml2.cpp. The crash occurred during a read operation involving global memory, indicating an out-of-bounds access that may be exploitable.

📍 Location

  • File: tinyxml2.cpp
  • Function: tinyxml2::XMLPrinter::PushText(const char*, bool)
  • Line: 2860

🧪 Reproduction Steps

This issue was triggered using the following fuzzing test driver:

#include <cstddef>
#include <cstdint>
#include <string>

#include <fuzzer/FuzzedDataProvider.h>   // libFuzzer helper used by the driver
#include "tinyxml2.h"

using namespace tinyxml2;

extern "C" int LLVMFuzzerTestOneInput_0(const uint8_t *fuzz_data, size_t fuzz_size) {
    XMLDocument doc;
    XMLElement* root;

    // Fixed document: four sibling elements under <root>.
    doc.Parse("<root>"
              "<child1/>"
              "<child2 name=\"test\"/>"
              "<child3/>"
              "<child4/>"
              "</root>");
    root = doc.RootElement();

    // Fuzzer-controlled sibling name to search for.
    FuzzedDataProvider provider(fuzz_data, fuzz_size);
    std::string tmp_string_content_0 = provider.ConsumeRandomLengthString();
    const char* string_content_0 = tmp_string_content_0.c_str();

    // Walk from the first child to the next sibling element whose name matches.
    XMLHandle handle(root->FirstChildElement());
    XMLHandle result = handle.NextSiblingElement(string_content_0);

    // Dereferences the element the handle resolved to
    // (ToElement() yields nullptr when no sibling matched).
    result.ToElement()->Name();

    return 0;
}

Although this test case primarily involves XML parsing and traversal logic, it indirectly leads to a call to PushText(), where the invalid memory access occurs.

Root Cause Analysis

The crash occurred inside the following function:

void XMLPrinter::PushText( const char* text, bool cdata )
{
    _textDepth = _depth-1;

    SealElementIfJustOpened();
    if ( cdata ) {
        Write( "<![CDATA[" );
        Write( text );
        Write( "]]>" );
    }
    else {
        PrintString( text, true );
    }
}

AddressSanitizer reported a segmentation fault caused by reading from address 0x000000000088 — which points to the zero page — suggesting that text was nullptr or invalid when passed into Write() or PrintString().

This is likely due to:

  • A missing null-pointer check on text.
  • Improper handling of malformed input strings.
  • Use of text without ensuring it's valid or properly terminated.

The error is classified as a global buffer overflow, meaning the access was outside any allocated buffer, potentially allowing an attacker to read or write adjacent global memory regions.

🚨 ASan Error Output

==1752043==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000088
READ of size 4 at 0x7ffce45545b8 thread T0
#0 0x55b447ba0f3a in tinyxml2::XMLPrinter::PushText(char const*, bool)
...
SUMMARY: AddressSanitizer: SEGV /data/cpput_vol/utscript/projects/tinyxml2/tinyxml2_3/tinyxml2.cpp:2860
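As an added worked example (not the reporter's harness and not tinyxml2's own code), the following self-contained C++ program models the null-propagating handle semantics that tinyxml2's XMLHandle uses: a traversal step on a handle that wraps a null node returns another null handle, and ToElement() returns nullptr, so a driver that calls result.ToElement()->Name() without a check dereferences null whenever no sibling element matches the fuzzer-supplied name. The Elem and Handle types below are stand-ins defined here, the sibling list is constructed to mirror the <root> document in the report, and the looksLikeNullDeref() heuristic is an assumption about triage practice: a fault at a small constant address such as 0x88 is what nullptr plus a member offset looks like, rather than a read past a global buffer.

```cpp
#include <cassert>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for an XML element node (not tinyxml2's XMLElement):
// a name plus a pointer to the next sibling element.
struct Elem {
    const char* name;
    Elem* next;
    // Mirrors the XMLNode::NextSiblingElement(const char* name = 0) contract:
    // a null name matches any element, otherwise names must match exactly.
    Elem* NextSiblingElement(const char* wanted) const {
        for (Elem* e = next; e; e = e->next) {
            if (!wanted || std::strcmp(e->name, wanted) == 0) return e;
        }
        return nullptr;
    }
    const char* Name() const { return name; }
};

// Stand-in for tinyxml2::XMLHandle: a traversal step on a handle that wraps
// nullptr yields another null handle instead of crashing, and ToElement()
// hands the (possibly null) pointer back to the caller.
class Handle {
public:
    explicit Handle(Elem* e) : _e(e) {}
    Handle NextSiblingElement(const char* wanted) const {
        return Handle(_e ? _e->NextSiblingElement(wanted) : nullptr);
    }
    Elem* ToElement() const { return _e; }
private:
    Elem* _e;
};

// Constructed sample input: the same sibling list as the <root> document in
// the report (child1, child2, child3, child4), linked in order.
static std::vector<Elem>& sampleChildren() {
    static std::vector<Elem> kids = {
        {"child1", nullptr}, {"child2", nullptr}, {"child3", nullptr}, {"child4", nullptr}};
    for (size_t i = 0; i + 1 < kids.size(); ++i) kids[i].next = &kids[i + 1];
    return kids;
}

// What the report's driver does: dereference ToElement() unconditionally.
// Returns the matching sibling's name; reads through a null pointer on a miss.
const char* lookupUnchecked(const char* wanted) {
    Handle h(&sampleChildren()[0]);
    return h.NextSiblingElement(wanted).ToElement()->Name();
}

// Hardened driver step: the handle chain may end in nullptr, so test the
// element before touching it. Returns "" on a miss.
std::string lookupChecked(const char* wanted) {
    Handle h(&sampleChildren()[0]);
    Elem* e = h.NextSiblingElement(wanted).ToElement();
    return e ? std::string(e->Name()) : std::string();
}

// Triage heuristic (assumption): a fault address below the first page is
// nullptr plus a field offset, not an access past a global buffer.
bool looksLikeNullDeref(unsigned long faultAddr) {
    return faultAddr < 4096;
}

int main() {
    // A name that matches a later sibling resolves normally.
    assert(lookupChecked("child3") == "child3");
    // A fuzzer string that matches no sibling yields a null handle, not a crash.
    assert(lookupChecked("nosuchchild").empty());
    // The reported fault address is consistent with a null dereference.
    assert(looksLikeNullDeref(0x88));
    return 0;
}
```

With the real library the same pattern applies: after handle.NextSiblingElement(name), check result.ToElement() for nullptr before calling Name() on it, so the harness only reports crashes that originate inside tinyxml2.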
