🐞 Bug Report: XMLNode::Value() does not check for null _value, leading to crash
🔤 Summary
The XMLNode::Value() method in tinyxml2.cpp does not perform a null-check on the _value member before returning it. This can lead to a segmentation fault when the returned null pointer is dereferenced elsewhere.
📍 Location
- File:
tinyxml2.cpp
- Function:
const char* XMLNode::Value() const
- Line: 850
🧪 Reproduction Steps
This issue was discovered during fuzz testing using AddressSanitizer with the following test driver:
extern "C" int LLVMFuzzerTestOneInput_4(const uint8_t *fuzz_data, size_t fuzz_size) {
FuzzedDataProvider provider(fuzz_data, fuzz_size);
int int_0 = provider.ConsumeIntegral<int>();
int int_1 = provider.ConsumeIntegral<int>();
DynArray<int, 10> arr;
arr.Push(int_0);
arr.Push(int_1);
arr.Pop();
int* mem = arr.Mem();
return 0;
}Although this input does not directly construct or manipulate XML nodes, it indirectly triggers a call to XMLNode::Value() where _value is nullptr.
🧠 Root Cause
The function currently returns _value without checking if it's null:
const char* XMLNode::Value() const {
return _value; // ← No null-check
}If _value is nullptr, and the caller attempts to dereference it (e.g., printing or string operations), it results in a segmentation fault caught by AddressSanitizer.
🚨 ASan Error Output
==1753579==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
\#0 0x5598a8ef3c81 in tinyxml2::XMLNode::Value() const /data/cpput_vol/utscript/projects/tinyxml2/tinyxml2_5/tinyxml2.cpp:850
...
SUMMARY: AddressSanitizer: SEGV /data/cpput_vol/utscript/projects/tinyxml2/tinyxml2_5/tinyxml2.cpp:850 in tinyxml2::XMLNode::Value() const
✅ Proposed Fix
Update the Value() function to safely return an empty string literal if _value is null.
This ensures that any use of the returned pointer is safe and prevents crashes due to null pointer dereference.
🐞 Bug Report:
XMLNode::Value()does not check for null_value, leading to crash🔤 Summary
The
XMLNode::Value()method intinyxml2.cppdoes not perform a null-check on the_valuemember before returning it. This can lead to a segmentation fault when the returned null pointer is dereferenced elsewhere.📍 Location
tinyxml2.cppconst char* XMLNode::Value() const🧪 Reproduction Steps
This issue was discovered during fuzz testing using AddressSanitizer with the following test driver:
Although this input does not directly construct or manipulate XML nodes, it indirectly triggers a call to
XMLNode::Value()where_valueisnullptr.🧠 Root Cause
The function currently returns
_valuewithout checking if it's null:If
_valueisnullptr, and the caller attempts to dereference it (e.g., printing or string operations), it results in a segmentation fault caught by AddressSanitizer.🚨 ASan Error Output
✅ Proposed Fix
Update the
Value()function to safely return an empty string literal if_valueis null.This ensures that any use of the returned pointer is safe and prevents crashes due to null pointer dereference.