Attempt to apply table method to string object within parser:parse() call #107

@Antwy

Hello,

I was playing with a libFuzzer-based Lua fuzzer called luzer and found a crash with a parser:parse() call.
The crash occurs when loading the crash.tar.gz file (well, GitHub struggles to load it, too). You can use Docker and the fuzz targets from oss-sydr-fuzz to reproduce the error:

/fuzz/stdin_parse_xml.lua < crash-0c2577e1a76131d5d264c705734ce4f5a3225e94.txt

Stacktrace output:

lua: /usr/local/share/lua/5.1/xmlhandler/tree.lua:132: bad argument #1 to 'insert' (table expected, got string)
stack traceback:
	[C]: in function 'insert'
	/usr/local/share/lua/5.1/xmlhandler/tree.lua:132: in function 'starttag'
	/usr/local/share/lua/5.1/XmlParser.lua:328: in function 'parseNormalTag'
	/usr/local/share/lua/5.1/XmlParser.lua:356: in function 'parseTagType'
	/usr/local/share/lua/5.1/XmlParser.lua:428: in function 'parse'
	./oss/stdin_parse_xml.lua:12: in function 'TestOneInput'
	./oss/stdin_parse_xml.lua:17: in main chunk
	[C]: ?

Crash input hexdump, to check it isn't damaged after unpacking:

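The failure mode in the trace, as an added illustration that is not xml2lua's tree.lua: a hypothetical tree-building handler where a child slot can hold either a node table or, for a text-only element, its bare string, so a later sibling with the same tag name reaches `table.insert` on a string. The `guarded` flag adds the `type()` check that turns the crash into a correct promotion to a sibling array; the handler, event names and `run` helper are assumptions for the demo.

```lua
-- Hypothetical tree handler (not xml2lua's tree.lua) reproducing the failure
-- mode in the trace: a child slot holds either a node table or, for a
-- text-only element, its bare string, and starttag appends to it.
local function new_handler(guarded)
  local h = { root = {} }
  h._stack = { h.root }
  function h:starttag(name)
    local parent = self._stack[#self._stack]
    local node, existing = {}, parent[name]
    if existing == nil then
      parent[name] = node                      -- first child with this name
    -- '#' is defined on strings too, so "#existing > 0" alone does not prove a
    -- table; the guarded variant adds the type() check the crashing path lacks
    elseif #existing > 0 and (not guarded or type(existing) == "table") then
      table.insert(existing, node)             -- errors if existing is a string
    else
      parent[name] = { existing, node }        -- promote to a sibling array
    end
    table.insert(self._stack, node)
  end
  function h:text(s)
    local cur = self._stack[#self._stack]
    cur._text = (cur._text or "") .. s
  end
  function h:endtag(name)
    local node = table.remove(self._stack)
    local parent = self._stack[#self._stack]
    -- collapse a text-only <x>text</x> into the bare string "text"
    if next(node) == "_text" and next(node, "_text") == nil and parent[name] == node then
      parent[name] = node._text
    end
  end
  return h
end
-- Replay a constructed event stream and report whether the handler survived.
local function run(guarded, events)
  local h = new_handler(guarded)
  local ok, err = pcall(function()
    for _, ev in ipairs(events) do h[ev[1]](h, ev[2]) end
  end)
  return ok, err, h.root
end
-- Constructed events for <p><name>x</name><name/></p>: the first <name>
-- collapses to "x", so the second <name> reaches table.insert on a string.
local events = {
  {"starttag", "p"}, {"starttag", "name"}, {"text", "x"}, {"endtag", "name"},
  {"starttag", "name"}, {"endtag", "name"}, {"endtag", "p"},
}
local bad_ok, bad_err = run(false, events)
print("unguarded:", bad_ok, bad_err)
local ok, _, root = run(true, events)
print("guarded:", ok, root.p.name[1], type(root.p.name[2]))
```

The unguarded run fails inside `pcall` with the same "table expected, got string" argument error as the trace, while the guarded run keeps both siblings and finishes parsing.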
