This bug isn't a new one, but haven't been found by CF before now, so I'm filing it.

It is also reported at the upstream (https://bugzilla.gnome.org/show_bug.cgi?id=766956)

Testcase from the CF report.

Deleted: fuzz-2-libxml_xml_read_memory_fuzzer 204 bytes

fuzz-2-libxml_xml_read_memory_fuzzer 204 bytes View Download

I ran git-bisect on our internal tree, and this issue will be fixed by this upstream bug:

 Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=759398>

I am unable to post a patch at this time (working on resolving that internally), so if someone here wants to take my comments in <https://bugzilla.gnome.org/show_bug.cgi?id=766956#c3> and create a patch, that would help to get that bug fixed quicker.

> I ran git-bisect on our internal tree, and this issue will be fixed by this upstream bug:
>
>  Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
> <https://bugzilla.gnome.org/show_bug.cgi?id=759398>

BTW, Apple is planning on shipping this fix by the end of July 2016, so we need to get Daniel Veillard engaged on this bug.  Posting a patch for review is the best way to do that.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5810396837707776

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x60300000ee4f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bjMOglPlGItRInhMx06pTpzmaeY6waZDaNh3GiXzizRLP7PpNjYpLP8B9ZIEX4BULYrIrp12G7DzCci_zVXSxaxT0AdECnNPo7Ub29XmT6JV31yORcl-Mb0VWT8YWE5viA8eKV1B3tQF2q4aCzSgRzd-QQg?testcase_id=5810396837707776
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#37


Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Current status: I was not actively working on this, half hoping there would be an upstream patch. I could develop one.

OK, taking a look at this.

Hmm, I can't reproduce this at r403744.

I kicked off redo fixed job on both reports:
https://cluster-fuzz.appspot.com/testcase?key=5810396837707776
https://cluster-fuzz.appspot.com/testcase?key=5851397434376192

ClusterFuzz says it could reproduce these at r404631 and r404605. I need to try again.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4835303932297216

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000bf2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseName
  
Recommended Security Severity: Medium


Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv954ifA6vOolHwuhWorQ2gViH1J39Vt1jeXpk9BjQWcF70l_TpLWFZWwEnxFJG_Al-vs1wSoK4dwVA0iHDrhGrEc8GSVP1ZKiD7RSz6iolhU7cCAbwFdQ7A0Va5siUKBCf457HONVpPdRsV8YZfBeQ6fVydQ5w?testcase_id=4835303932297216

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593889466122240

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000ee2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95JfhQONaR-2B3QHwy8kUMRNwv9cCGDAAr0Gc1uVYSQGxlYeIXVdkM_LlA-TtKGiVTjdWXETCSLqBE1F9KdT-zwzHCwlENOH7VEdMd2NZamy88EUv0yeNKUcJ_50R-hoX_AXroEoK4bT0Zsc-L4QpI7OlFdlA?testcase_id=4593889466122240

<!--
--><!--e
--><!--
<--><!--
--><?lm verUTF-16
<!DOCTYPE root [
<?m<l  enc<v xmnnodlig"0"?>
<!DOCTYPE root [
<!ENTITY % dafroot '
&#60;!ELEMENT dia:dciagram (dia:diagramdata, draft.--mon:h >
<!ELEMENT dia:diag&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTIradata (dia:attbirute)* >
<!ENTITY //docboo	SYsSTEMTY' >
%dafroot;%de


Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

dominicc, are you following the instructions at https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md ?

I can still reproduce this locally today. 

 Issue 637552  has been merged into this issue.

friendly ping Dominicc. These are probably are end-tail of libxml bugs that will be great for knockout!

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5810396837707776

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x60300000ee4f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bjMOglPlGItRInhMx06pTpzmaeY6waZDaNh3GiXzizRLP7PpNjYpLP8B9ZIEX4BULYrIrp12G7DzCci_zVXSxaxT0AdECnNPo7Ub29XmT6JV31yORcl-Mb0VWT8YWE5viA8eKV1B3tQF2q4aCzSgRzd-QQg?testcase_id=5810396837707776
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#37


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4593889466122240

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000ee2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95JfhQONaR-2B3QHwy8kUMRNwv9cCGDAAr0Gc1uVYSQGxlYeIXVdkM_LlA-TtKGiVTjdWXETCSLqBE1F9KdT-zwzHCwlENOH7VEdMd2NZamy88EUv0yeNKUcJ_50R-hoX_AXroEoK4bT0Zsc-L4QpI7OlFdlA?testcase_id=4593889466122240

<!--
--><!--e
--><!--
<--><!--
--><?lm verUTF-16
<!DOCTYPE root [
<?m<l  enc<v xmnnodlig"0"?>
<!DOCTYPE root [
<!ENTITY % dafroot '
&#60;!ELEMENT dia:dciagram (dia:diagramdata, draft.--mon:h >
<!ELEMENT dia:diag&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTIradata (dia:attbirute)* >
<!ENTITY //docboo	SYsSTEMTY' >
%dafroot;%de


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5851397434376192

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000ed84
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseNameComplex
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94yUDbm7VSHsZCwDfY9OV2wj-95e3Hxtu_wd1_df9jHOuG--TnJNK61RtqVD1jTLkYa2NHDzkIbFQCFlKUCSLsLJnxG6hO4YytEVi4yhWj36wtPBOs-84FDd43TV_tfN_DnVC_kFI-XN8thhYpfIBfp5-91Kw?testcase_id=5851397434376192
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<!ELEMENT<!ATTLISTNT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Looks fixed for all the testcases except of https://cluster-fuzz.appspot.com/v2/testcase-detail/4835303932297216

Kicked of "Redo Fixed" job there.

As noted in Comment #8, most of these issues were probably fixed by upstream:

 Bug 759398 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=759398>

The rest should be fixed by this upstream bug (which hasn't landed yet):

 Bug 766956 : Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=766956>

Note that GNOME  Bug 766956  is tracked by < https://crbug.com/616698 >.

We rolled libxml2 45752d2c334b50016666d8f0ec3691e2d680f0a0 which says it fixes https://bugzilla.gnome.org/show_bug.cgi?id=759398 in r396097.

Guess I will mark this blocked on  Issue 616698 .  Issue 616040  says the other bug mentioned above, <https://bugzilla.gnome.org/show_bug.cgi?id=766956>, is being tracked in  Issue 616698 .

Brief update, the issue in the original post still repros at r440736, taking a look at this now.

Patch up at https://codereview.chromium.org/2603933002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b

commit 6b6cc2b4809e9e7479b03e69b39f613f2de70e0b
Author: dominicc <dominicc@chromium.org>
Date: Tue Jan 10 06:19:01 2017

Give up looking up interned names if the encoding changed during parsing

NEXTL may process encoding changes by refilling the parser's input
buffer, which makes the accumulated length 'len' inaccurate.

BUG= 620679 

Review-Url: https://codereview.chromium.org/2603933002
Cr-Commit-Position: refs/heads/master@{#442517}

[modify] https://crrev.com/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b/third_party/libxml/README.chromium
[modify] https://crrev.com/6b6cc2b4809e9e7479b03e69b39f613f2de70e0b/third_party/libxml/src/parser.c

This should be fixed, ClusterFuzz PTAL.

ClusterFuzz has detected this issue as fixed in range 442501:442519.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4835303932297216

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60500000bf2f
Crash State:
  xmlDictComputeFastKey
  xmlDictLookup
  xmlParseName
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=442501:442519

Minimized Testcase (0.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv954ifA6vOolHwuhWorQ2gViH1J39Vt1jeXpk9BjQWcF70l_TpLWFZWwEnxFJG_Al-vs1wSoK4dwVA0iHDrhGrEc8GSVP1ZKiD7RSz6iolhU7cCAbwFdQ7A0Va5siUKBCf457HONVpPdRsV8YZfBeQ6fVydQ5w?testcase_id=4835303932297216

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I believe this has been fixed by upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

> I believe this has been fixed by upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

That matches my notes as well.