From mantis-bug-sender at librdf.org Mon Nov 9 06:32:05 2020
From: mantis-bug-sender at librdf.org (Mantis Bug Tracker)
Date: Mon, 9 Nov 2020 03:32:05 -0800
Subject: [redland-dev] [Raptor RDF Syntax Library 0000650]: Out of bounds read leads to segfault in raptor_xml_writer_start_element_common
Message-ID: <949bf1795b55e327175462db6d5be4db@bugs.librdf.org>

The following issue has been SUBMITTED.
======================================================================
https://bugs.librdf.org/mantis/view.php?id=650
======================================================================
Reported By:                hanno
Assigned To:
======================================================================
Project:                    Raptor RDF Syntax Library
Issue ID:                   650
Category:                   api
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
Syntax Name:
======================================================================
Date Submitted:             2020-11-09 03:32
Last Modified:              2020-11-09 03:32
======================================================================
Summary:                    Out of bounds read leads to segfault in raptor_xml_writer_start_element_common
Description:
A malformed input file can lead to a segfault due to an out-of-bounds array access in raptor_xml_writer_start_element_common.

I'm attaching a sample file triggering this bug and a stack trace from asan.

Bug happens in line 230 of raptor_xml_writer.c (current git):
https://github.com/dajobe/raptor/blob/master/src/raptor_xml_writer.c#L230

From looking at that code it seems to me it always expects nspace_declarations_count to be lower than element->attribute_count; however, this input seems to create a different situation.

I made an attempt at a patch that throws an error in this situation (but please review it, I am not familiar with what this code does and should do, though the patch doesn't seem to introduce test failures).

Steps to Reproduce:
Run rapper with attached sample.
======================================================================
Issue History
Date Modified    Username       Field                    Change
======================================================================
2020-11-09 03:32 hanno          New Issue
2020-11-09 03:32 hanno          File Added: raptor-oob-trigger-example.rdf
2020-11-09 03:32 hanno          File Added: raptor-fix-oob.patch
2020-11-09 03:32 hanno          File Added: raptor-oob-asan-stacktrace.txt
======================================================================
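The failure mode described in the report (a declaration counter that is assumed to stay below the element's attribute count, but which malformed input pushes past the table that was sized from that count) and the guard the reporter's patch takes (return an error instead of indexing past the end) can be shown in isolation. The following is an added illustration written for this archive page; it is not raptor's own code and not the attached patch. The `ns_table` struct, the `attribute_count + 1` sizing policy, and the `write_element_namespaces` driver are all hypothetical stand-ins for the writer's real data structures.

```c
/* Added illustration (not raptor's code): a declaration table sized from an
 * element's attribute count, and an append that refuses to run past it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one namespace declaration recorded for an element. */
typedef struct {
    const char *prefix;
    const char *uri;
} ns_decl;

/* Hypothetical stand-in for the per-element declaration table. The `count`
 * field plays the role nspace_declarations_count plays in the report. */
typedef struct {
    ns_decl *decls;   /* storage sized from the element's attribute count */
    size_t capacity;  /* number of slots actually allocated */
    size_t count;     /* slots used so far */
} ns_table;

/* Assumed sizing policy: one slot per attribute plus one for the element's
 * own namespace. Whatever the real policy is, capacity is fixed at init time. */
int ns_table_init(ns_table *t, size_t attribute_count) {
    if (attribute_count > SIZE_MAX - 1)
        return -1;
    t->capacity = attribute_count + 1;
    t->decls = calloc(t->capacity, sizeof *t->decls);
    if (!t->decls)
        return -1;
    t->count = 0;
    return 0;
}

/* Hardened append: the unguarded form would write decls[count] unconditionally,
 * which is exactly the out-of-bounds access once count reaches capacity.
 * Here a full table is an error reported to the caller, never a write. */
int ns_table_add(ns_table *t, const char *prefix, const char *uri) {
    if (t->count >= t->capacity)
        return -1;  /* input produced more declarations than slots: fail safely */
    t->decls[t->count].prefix = prefix;
    t->decls[t->count].uri = uri;
    t->count++;
    return 0;
}

void ns_table_free(ns_table *t) {
    free(t->decls);
    t->decls = NULL;
    t->capacity = 0;
    t->count = 0;
}

/* Hypothetical driver: an element with `attribute_count` attributes whose
 * parsed namespace list turns out to hold `decl_count` entries. Returns the
 * number of declarations recorded, or -1 if the guard fired. */
int write_element_namespaces(size_t attribute_count, size_t decl_count) {
    ns_table t;
    int rc = 0;
    if (ns_table_init(&t, attribute_count) != 0)
        return -1;
    for (size_t i = 0; i < decl_count; i++) {
        /* Constructed sample values; only the count matters here. */
        if (ns_table_add(&t, "ns", "http://example.invalid/ns") != 0) {
            rc = -1;
            break;
        }
    }
    int written = (rc == 0) ? (int)t.count : -1;
    ns_table_free(&t);
    return written;
}

int main(void) {
    /* Within capacity: 2 attributes allow up to 3 declarations. */
    printf("well-formed input: %d\n", write_element_namespaces(2, 3));
    /* One declaration too many: the guard returns -1 instead of reading past the table. */
    printf("malformed input:   %d\n", write_element_namespaces(2, 4));
    return 0;
}
```

The point of the driver is the second call: under the unguarded pattern that same input would index one slot past the allocation, which is what ASan flags as an out-of-bounds read. Under the guarded pattern the writer reports an error and the caller (rapper, in the report) can exit cleanly rather than segfault.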