VULNERABILITY DETAILS
A use after free and an out of bounds read can happen with malformed inputs in libxml2, which is used by Chrome for various use cases.
VERSION
libxml 2.9.4 and current git
REPRODUCTION CASE
I'll attach sample files + error reports from Address Sanitizer. Both issues are triggered in the function xmlDictComputeFastKey().
ADDITIONAL INFO
I tried to reproduce these issues with an asan-build of chromium and a javascript testcase, yet I was unable to reproduce them for unknown reasons.
As libxml is explicitly mentioned on the Chrome Rewards webpage [1] I thought it's reasonable to report these issues. I'll report them in parallel to the libxml2 developers.
Bugs found with afl.
[1] https://www.google.com/about/appsecurity/chrome-rewards/
|
Deleted:
libxml2-heap-oob-xmlDictComputeFastKey.xml
51 bytes
|
|
|
libxml2-heap-oob-xmlDictComputeFastKey.xml
51 bytes
View
Download
|
|
|
Deleted:
libxml2-heap-oob-xmlDictComputeFastKey-asan.txt
3.9 KB
|
|
|
libxml2-heap-oob-xmlDictComputeFastKey-asan.txt
3.9 KB
View
Download
|
|
|
Deleted:
libxml2-heap-uaf-xmlDictComputeFastKey.xml
129 bytes
|
|
|
libxml2-heap-uaf-xmlDictComputeFastKey.xml
129 bytes
View
Download
|
|
|
Deleted:
libxml2-heap-uaf-xmlDictComputeFastKey-asan.txt
6.1 KB
|
|
|
libxml2-heap-uaf-xmlDictComputeFastKey-asan.txt
6.1 KB
View
Download
|
Comment 1 by och...@chromium.org
, Aug 15 2016Status: Duplicate (was: Unconfirmed)