Panic in PullParser::push_pos() #225

Closed
00xc opened this issue Jun 1, 2023 · 1 comment
@00xc
Contributor

00xc commented Jun 1, 2023

While fuzzing a different crate that uses xml-rs I found a crash in PullParser::push_pos() on v0.8.13:

xml-rs/src/reader/parser.rs

Lines 410 to 411 in 563f975

```rust
fn push_pos(&mut self) {
    debug_assert!(self.pos.len() != self.pos.capacity(), "How did you get a document that weird? Please file a bug");
```

Find below a reproducer with a minimized input and the resulting backtrace. Note that the panic is caused by debug_assert!(), so this will not trigger in release mode.

```rust
use std::io;
use xml::ParserConfig;

fn main() {
    let source = "<n><!---->L<!----><!----><!----><!----><!----><!----><!----><!----><!---->\"<!----><!---->L<!----><!---->-<->";
    let parser = ParserConfig::new()
        .cdata_to_characters(true)
        .ignore_comments(true)
        .coalesce_characters(false)
        .create_reader(io::Cursor::new(source));
    for e in parser {
        println!("{:?}", e);
    }
}
```

```
thread 'main' panicked at 'How did you get a document that weird? Please file a bug', /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader/parser.rs:411:9
stack backtrace:
   0: rust_begin_unwind
             at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/std/src/panicking.rs:579:5
   1: core::panicking::panic_fmt
             at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/panicking.rs:64:14
   2: xml::reader::parser::PullParser::push_pos
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader/parser.rs:411:9
   3: xml::reader::parser::outside_tag::<impl xml::reader::parser::PullParser>::outside_tag
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader/parser/outside_tag.rs:96:17
   4: xml::reader::parser::PullParser::dispatch_token
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader/parser.rs:422:54
   5: xml::reader::parser::PullParser::next
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader/parser.rs:340:27
   6: xml::reader::EventReader<R>::next
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader.rs:54:9
   7: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
             at /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.13/src/reader.rs:140:22
   8: xml_rs_crash::main
             at ./src/main.rs:11:14
   9: core::ops::function::FnOnce::call_once
             at /rustc/84c898d65adf2f39a5a98507f1fe0ce10a2b8dbc/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
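
The report's note that the assertion only fires in debug builds, shown as an added std-only example (not code from the issue or from xml-rs). `PosStack`, its methods and the capacity of 16 are hypothetical stand-ins that model only the quoted `len() != capacity()` check, next to a variant that enforces the same bound in every build profile.

```rust
use std::panic;
/// Simplified stand-in for a parser's preallocated position stack (hypothetical type).
struct PosStack {
    pos: Vec<(u64, u64)>,
}

impl PosStack {
    /// Build a stack that is already full; with_capacity may round up, so fill to the real capacity.
    fn full(cap: usize) -> Self {
        let mut pos: Vec<(u64, u64)> = Vec::with_capacity(cap);
        while pos.len() < pos.capacity() {
            pos.push((0, 0));
        }
        PosStack { pos }
    }

    /// Same shape as the quoted check: compiled out when debug assertions are off,
    /// in which case the Vec silently grows past its preallocated size.
    fn push_debug_checked(&mut self, p: (u64, u64)) {
        debug_assert!(self.pos.len() != self.pos.capacity(), "position stack full");
        self.pos.push(p);
    }

    /// Enforced in every build profile: reports the condition instead of panicking.
    fn try_push(&mut self, p: (u64, u64)) -> Result<(), &'static str> {
        if self.pos.len() == self.pos.capacity() {
            return Err("position stack full");
        }
        self.pos.push(p);
        Ok(())
    }
}

/// Returns true if pushing onto a full stack panicked in this build.
fn debug_checked_push_panics() -> bool {
    panic::catch_unwind(|| {
        let mut s = PosStack::full(16); // constructed capacity
        s.push_debug_checked((1, 1));
    })
    .is_err()
}

/// Outcome of the always-on check for the same full stack.
fn checked_push_result() -> Result<(), &'static str> {
    PosStack::full(16).try_push((1, 1))
}

fn main() {
    println!("debug_assertions={} panicked={} checked={:?}",
        cfg!(debug_assertions), debug_checked_push_panics(), checked_push_result());
}
```

Running it with and without `--release` shows the first result flip while the second stays an `Err`, which is why fuzzing a parser with debug assertions enabled surfaces invariant violations that a release build passes over.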
@kornelski
Collaborator

Thanks for the report.
