This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Possibly this is a new bug in libxml, or possibly our version is out of date? (Again.) scottmg, can you please take a look or pass it to a likely person?

FWIW superficially this repro looks similar to  Issue 680244 .

I'm working on libxml bugs, time permitting, so feel free to assign this to me. Currently we're at 3169602058bd2d04913909e869c61d1540bc7fb4; upstream is ahead 8 at e905f081 with these:

e905f081 Fix more NULL pointer derefs in xpointer.c
229d1f93 Avoid function/data pointer conversion in xpath.c
94613f64 Remove unused variables
c2545cbb Fix format string warnings
c1d1f712 Disallow namespace nodes in XPointer ranges
3f8a9103 Disallow namespace nodes in XPointer points
9ab01a27 Fix XPointer paths beginning with range-to
a0051993 Fix comparison with root node in xmlXPathCmpNodes

I'd be surprised if they're relevant to this but you never know.

URGENT - PLEASE REVIEW ASAP

Greetings from the release team!

This bug is marked as an M-57 beta blocker, which means it needs to be fixed on trunk by THIS FRIDAY, Jan 27 in order to be merged back to the M57 branch on time.  Please prioritize fixing this issue.

Unsure if this bug should block the beta release, or know it should block but you won't be able to fix it in time?  CC me to this bug and we can discuss.

If you're absolutely sure this should not block beta, the bug can be punted to stable (by changing ReleaseBlock-Beta to ReleaseBlock-Stable), or if the bug should not block the release at all simply remove the release block tag.

Thanks,
Alex

Taking a look.

+groebert FYI, clusterfuzz found a one byte read before the start of a heap buffer in libxml.

I have asked Gnome to make https://bugzilla.gnome.org/show_bug.cgi?id=777730 for this.

Patch up at https://codereview.chromium.org/2657773002

[Bulk edit]

A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

ClusterFuzz has detected this issue as fixed in range 446028:446125.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4764317233971200

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60200000026f
Crash State:
  xmlParseNameComplex
  xmlParseEntityDecl
  xmlParseMarkupDecl
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=446028:446125

Minimized Testcase (0.11 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94aoPKdkd7O5h02nqtTpYoZofgpyOGNPQrB9yo2Dt1i9EklSUPtw90a48LzAkNkyelsH7jufz5C7qVU1XvfHk0xd4EhJv00TEPbNLf-iLQJ4vU1ul-gwKYpP7S_FvAnNSaj-W6ExUaLh6jMuRA47RqJ1XYsbP977Xe9Ph96A0T3AtCWqNCC-8_kXtenZH-eaUYFV_o8-HwIf9W1vAMhWoPUUm2G0g0_z4dBHJiUPh8MEg_hQzdkpS6WXyFudzCmKohD0tjLXm9bplbgSpeu5YeRVUEqAy4IUwN5hDCF7NGEBxTr4PUGtPIPkMkay2rD9fV5Cnhfzkb2dG_8EoOD2Tzk6eUCTk0vToF68tBoOZXwLx7AtD0?testcase_id=4764317233971200
<?pml ver'PPPPP0'?>
<!DOCTYPEAest-[
<!ENTITY % xx '<!ENTITYCWndi󠄅ALPOg&#37;zz;'>
<!ENTITY % zz '

&#13;
 ' >
%xx;


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4764317233971200 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

I fat-fingered the BUG= line on the patch. I fixed this in

Review-Url: https://codereview.chromium.org/2657773002
Cr-Commit-Position: refs/heads/master@{#446041}
Committed: https://chromium.googlesource.com/chromium/src/+/b4054e8b83b60019c8cdcc9e9025fc6138725cf4

Do we want to merge a one byte heap overread?

Oops, not a dup.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Upstream fix:

https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3

Thanks for the link Nick. I will drop our local patches.