When fuzzing FuzzXML at 4f496e9, I discovered a potential mishandling of pathological input.
<!DOCTYPE x[<!ELEMENT x ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
The execution time doubles every time a new ( is appended to the input buffer. For example, the above 119-byte input takes more than 60 seconds and 2GiB of memory to run.
It seems that the recursive descent parser takes too much time trying the choices. Ideally, a one-pass LR parser could be used.
#460 operator() ()
at /root/build/serenity/Userland/Libraries/LibXML/Parser/Parser.cpp:1285
1285 if (auto result = parse_choice(); !result.is_error())
(gdb) up
#461 operator() ()
at /root/build/serenity/Userland/Libraries/LibXML/Parser/Parser.cpp:1300
1300 auto sub_entry = TRY(parse_cp_init());
(gdb)
#462 0x0000555555680b49 in operator() ()
at /root/build/serenity/Userland/Libraries/LibXML/Parser/Parser.cpp:1316
1316 choices.append(TRY(parse_cp()));
(gdb)
#463 call () at /root/build/serenity/Meta/Lagom/../../AK/Function.h:173
173 return m_callable(forward<In>(in)...);
(gdb)
#464 0x000055555566e537 in operator() ()
at /root/build/serenity/Meta/Lagom/../../AK/Function.h:111
111 return wrapper->call(forward<In>(in)...);
(gdb)
#465 parse_content_spec ()
at /root/build/serenity/Userland/Libraries/LibXML/Parser/Parser.cpp:1368
1368 if (auto result = parse_choice(); !result.is_error()) {
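The following is an added example, not LibXML's code or any patch for it. It models the blow-up the backtrace shows: a `parse_cp` that tries `parse_choice` and, when that fails, rewinds and tries `parse_seq`, so the shared `'(' cp` prefix of both productions is re-parsed at every nesting level and the work doubles per `(`. Beside it is a one-pass variant that parses the group once and lets the separator decide between choice and seq. The grammar is the XML 1.0 `children` content model with whitespace handling left out; names, helpers and the `nested()` input builder are assumptions made here, and the counts it reports are `parse_cp` entries, not the real parser's frames. It covers both the fully nested valid case and the unclosed prefix form seen in the issue.

```cpp
// Added example: naive backtracking vs. one-pass parsing of the XML
// "children" content model. Grammar (XML 1.0, whitespace omitted):
//   cp     ::= (Name | choice | seq) ('?' | '*' | '+')?
//   choice ::= '(' cp ('|' cp)+ ')'
//   seq    ::= '(' cp (',' cp)* ')'
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

struct Result {
    bool ok;          // did the whole input parse?
    size_t cp_calls;  // how many times parse_cp was entered
};

// Name: a run of [A-Za-z0-9_] (simplified). Modifier: one of ? * +.
bool parse_name(std::string_view s, size_t& pos) {
    size_t start = pos;
    while (pos < s.size() && (std::isalnum((unsigned char)s[pos]) || s[pos] == '_')) ++pos;
    return pos > start;
}
void skip_modifier(std::string_view s, size_t& pos) {
    if (pos < s.size() && (s[pos] == '?' || s[pos] == '*' || s[pos] == '+')) ++pos;
}

// Naive version: choice first, rewind, then seq. Both start with '(' cp,
// so the nested cp is parsed twice per level: T(n) = 1 + 2*T(n-1).
struct NaiveParser {
    std::string_view s;
    size_t cp_calls = 0;

    bool parse_cp(size_t& pos) {
        ++cp_calls;
        size_t save = pos;
        bool ok = parse_name(s, pos);
        if (!ok) { pos = save; ok = parse_choice(pos); }
        if (!ok) { pos = save; ok = parse_seq(pos); }
        if (ok) skip_modifier(s, pos); else pos = save;
        return ok;
    }
    // '(' cp (sep cp)* ')' with at least min_seps separators.
    bool parse_group(size_t& pos, char sep, size_t min_seps) {
        size_t save = pos;
        if (pos >= s.size() || s[pos] != '(') return false;
        ++pos;
        if (!parse_cp(pos)) { pos = save; return false; }
        size_t seps = 0;
        while (pos < s.size() && s[pos] == sep) {
            ++pos;
            if (!parse_cp(pos)) { pos = save; return false; }
            ++seps;
        }
        if (seps < min_seps || pos >= s.size() || s[pos] != ')') { pos = save; return false; }
        ++pos;
        return true;
    }
    bool parse_choice(size_t& pos) { return parse_group(pos, '|', 1); }
    bool parse_seq(size_t& pos) { return parse_group(pos, ',', 0); }
};

// One-pass version: parse '(' cp once, then the first separator seen
// ('|' or ',') fixes the production; mixing them is rejected. Linear.
struct OnePassParser {
    std::string_view s;
    size_t cp_calls = 0;

    bool parse_cp(size_t& pos) {
        ++cp_calls;
        size_t save = pos;
        bool ok = parse_name(s, pos);
        if (!ok) { pos = save; ok = parse_group(pos); }
        if (ok) skip_modifier(s, pos); else pos = save;
        return ok;
    }
    bool parse_group(size_t& pos) {
        size_t save = pos;
        if (pos >= s.size() || s[pos] != '(') return false;
        ++pos;
        if (!parse_cp(pos)) { pos = save; return false; }
        char sep = 0;
        while (pos < s.size() && (s[pos] == '|' || s[pos] == ',')) {
            if (sep == 0) sep = s[pos];
            else if (s[pos] != sep) { pos = save; return false; }
            ++pos;
            if (!parse_cp(pos)) { pos = save; return false; }
        }
        if (pos >= s.size() || s[pos] != ')') { pos = save; return false; }
        ++pos;
        return true;
    }
};

Result parse_naive(std::string_view input) {
    NaiveParser p{input};
    size_t pos = 0;
    bool ok = p.parse_cp(pos) && pos == input.size();
    return {ok, p.cp_calls};
}
Result parse_one_pass(std::string_view input) {
    OnePassParser p{input};
    size_t pos = 0;
    bool ok = p.parse_cp(pos) && pos == input.size();
    return {ok, p.cp_calls};
}

// Constructed input in the shape of the issue's: n '(' around a name,
// closed (valid) or left open like the truncated fuzzer input.
std::string nested(size_t n, bool close) {
    std::string s(n, '(');
    s += "x";
    if (close) s.append(n, ')');
    return s;
}

int main() {
    for (size_t n = 1; n <= 16; ++n) {
        Result a = parse_naive(nested(n, false)), b = parse_one_pass(nested(n, false));
        std::printf("n=%2zu naive=%6zu one-pass=%3zu\n", n, a.cp_calls, b.cp_calls);
    }
    return 0;
}
```

For the closed form the naive parser enters `parse_cp` 2^(n+1)-1 times while the one-pass parser enters it n+1 times; the unclosed prefix costs the naive parser exactly as much before it reports failure, which is the doubling the report describes. The same single-pass shape also applies to `parse_content_spec`, where choice is tried before seq at the top level.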