Found through fuzzing and minimized the test case manually.
Sample program (Tested against 0.8.3 on crates.io as well as the latest version from git (df46cd4))
fn main() {
    let x = "<!DOCTYPE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\
             <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<";
    let c = std::io::Cursor::new(x);
    for _ in xml::reader::EventReader::new(c) {}
}
Stack trace:
thread 'main' panicked at 'attempt to add with overflow', /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
stack backtrace:
0: rust_begin_unwind
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/std/src/panicking.rs:493:5
1: core::panicking::panic_fmt
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:92:14
2: core::panicking::panic
at /rustc/07e0e2ec268c140e607e1ac7f49f145612d0f597/library/core/src/panicking.rs:50:5
3: xml::reader::lexer::Lexer::doctype_finishing
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:485:57
4: xml::reader::lexer::Lexer::dispatch_char
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:372:54
5: xml::reader::lexer::Lexer::read_next_token
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:353:19
6: xml::reader::lexer::Lexer::next_token
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/lexer.rs:311:24
7: xml::reader::parser::PullParser::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/parser/mod.rs:262:19
8: xml::reader::EventReader<R>::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:52:9
9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
at /home/jess/.cargo/git/checkouts/xml-rs-e282a4b471dd20cf/df46cd4/src/reader/mod.rs:113:22
10: scratchi0Wd3V0pt::main
at ./main.rs:10:14
11: core::ops::function::FnOnce::call_once
at /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Had a brief look at the code, and it looks like we could return an error if we have too many open brackets in a row? Seems very unlikely that a valid XML document would do that.
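The suggestion above (return an error when there are too many open brackets in a row), sketched as an added example; this is not xml-rs code and does not come from the issue author. It assumes the nesting depth is kept in a `u8`; `DoctypeError`, `skip_doctype_body` and `wrapped_depth` are hypothetical names, and all inputs are constructed.

```rust
// Added example; not xml-rs code. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum DoctypeError {
    /// More unclosed '<' than the u8 depth counter can represent.
    NestingTooDeep { offset: usize },
    /// Input ended before the declaration was closed.
    UnexpectedEof,
}

/// Scans the text following "<!DOCTYPE" and returns the offset just past the
/// '>' that closes the declaration. Assumption: depth is kept in a u8.
fn skip_doctype_body(body: &str) -> Result<usize, DoctypeError> {
    let mut depth: u8 = 1; // the '<' that opened "<!DOCTYPE"
    for (offset, ch) in body.char_indices() {
        match ch {
            // A bare `depth += 1` panics with "attempt to add with overflow"
            // when overflow checks are on and wraps silently when they are off.
            '<' => {
                depth = depth
                    .checked_add(1)
                    .ok_or(DoctypeError::NestingTooDeep { offset })?;
            }
            '>' => {
                depth -= 1; // cannot underflow: depth >= 1 while the loop runs
                if depth == 0 {
                    return Ok(offset + 1);
                }
            }
            _ => {}
        }
    }
    Err(DoctypeError::UnexpectedEof)
}

/// What an unchecked counter would hold in a build without overflow checks.
fn wrapped_depth(body: &str) -> u8 {
    body.chars().fold(1u8, |d, ch| match ch {
        '<' => d.wrapping_add(1),
        '>' => d.wrapping_sub(1),
        _ => d,
    })
}

fn main() {
    let hostile = "<".repeat(300); // constructed input
    println!("{:?}", skip_doctype_body(&hostile));
    println!("{:?}", skip_doctype_body(" html [<!ENTITY a 'b'>]>"));
    println!("wrapped depth: {}", wrapped_depth(&"<".repeat(256)));
}
```

The `wrapped_depth` helper shows why an explicit error matters even where the panic does not occur: with overflow checks off, 256 unclosed brackets leave the counter at the same value as no nesting at all.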