Open
Description
A null pointer dereference occurs when calling XMLElement::SetText() with fuzzed or malformed input that has been passed through XMLDocument::Parse(). The crash is caused by strlen() being invoked on a nullptr inside the internal StrPair::SetStr() call chain.
Steps to Reproduce:
Compile TinyXML2 with AddressSanitizer (-fsanitize=address) and a fuzzing harness that passes unvalidated input to the following code:
#include <cstdint>
#include <string>
#include "tinyxml2.h"
using namespace tinyxml2;
// libFuzzer-style entry point: data/size is the unvalidated fuzzer input
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::string xml(reinterpret_cast<const char*>(data), size);
    XMLDocument doc;
    doc.Parse(xml.c_str(), size);
    XMLElement* root = doc.NewElement("root");
    XMLElement* child = doc.NewElement("child");
    child->SetText(xml.c_str()); // <-- crash if xml.c_str() is nullptr/invalid
    root->InsertEndChild(child);
    doc.InsertFirstChild(root);
    doc.Print();
    return 0;
}
Feed the harness an empty or malformed string.
ASan Output (Abbreviated):
==5687==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
#0 0x7fcd75a3875d in strlen (/lib/x86_64-linux-gnu/libc.so.6)
#1 0x56489a6ced09 in tinyxml2::StrPair::SetStr(char const*, int) tinyxml2.cpp:198
#2 0x56489a6bfe65 in tinyxml2::XMLElement::SetAttribute(char const*, char const*)
Proposed Fix:
Add a null check before calling strlen() in StrPair::SetStr(), and validate arguments in SetText() or further upstream.
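The following is an added example of the two-layer fix proposed above, written for this issue; it is not tinyxml2's own code. GuardedStrPair is a hypothetical stand-in for an owning (start, end) string pair in the spirit of tinyxml2::StrPair, and GuardedElement stands in for the element-level SetText() caller; the NEEDS_DELETE flag value and the malformed sample string are constructed for the example. Since the abbreviated trace reaches StrPair::SetStr() through XMLElement::SetAttribute() rather than SetText(), the null check is placed in SetStr(), where both paths converge, with the caller-level check as a second line of defence.

```cpp
#include <climits>
#include <cstring>
#include <string>

// Hypothetical stand-in for an owning (start,end) string pair, modelled on
// the role tinyxml2::StrPair plays. Example code, not the project's own.
class GuardedStrPair {
public:
    enum { NEEDS_DELETE = 0x200 };   // constructed flag value for the example

    GuardedStrPair() : _start(nullptr), _end(nullptr), _flags(0) {}
    ~GuardedStrPair() { Reset(); }
    GuardedStrPair(const GuardedStrPair&) = delete;
    GuardedStrPair& operator=(const GuardedStrPair&) = delete;

    // Hardened SetStr: rejects nullptr before strlen() is ever reached and
    // reports failure instead of dereferencing. An empty string is valid.
    bool SetStr(const char* str, int flags) {
        Reset();
        if (str == nullptr) {                 // the check the report asks for
            return false;
        }
        size_t len = std::strlen(str);
        if (len >= static_cast<size_t>(INT_MAX)) {  // keep lengths within int range
            return false;
        }
        _start = new char[len + 1];
        std::memcpy(_start, str, len + 1);
        _end = _start + len;
        _flags = flags | NEEDS_DELETE;
        return true;
    }

    // Returns the owned string, or "" when nothing is set.
    const char* GetStr() const { return _start ? _start : ""; }
    bool Empty() const { return _start == _end; }

    void Reset() {
        if (_flags & NEEDS_DELETE) { delete[] _start; }
        _start = _end = nullptr;
        _flags = 0;
    }

private:
    char* _start;
    char* _end;
    int   _flags;
};

// Upstream validation, as the report suggests for SetText(): a hypothetical
// element-level wrapper that refuses a null pointer instead of forwarding it
// down the SetStr() call chain. Not an XMLElement method.
struct GuardedElement {
    GuardedStrPair text;

    // Returns false and leaves the element unchanged on a null argument.
    bool SetText(const char* inText) {
        if (inText == nullptr) return false;
        return text.SetStr(inText, 0);
    }
};

// Drives the paths the report cares about: null input, empty input and a
// constructed malformed-looking string. Returns the number of checks passed.
int RunScenario() {
    int passed = 0;
    GuardedElement el;
    if (!el.SetText(nullptr)) ++passed;                        // null rejected, no strlen()
    if (el.text.Empty()) ++passed;                             // element left untouched
    if (el.SetText("")) ++passed;                              // empty string is legal
    if (el.SetText("<unterminated")) ++passed;                 // constructed malformed input
    if (std::strcmp(el.text.GetStr(), "<unterminated") == 0) ++passed;
    return passed;
}
```

RunScenario() returns 5 when both layers behave: the null pointer is refused at the element level, never reaches strlen(), and well-formed or malformed but non-null text is stored normally, since the pair only guards the pointer, not XML validity.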