Segmentation Fault in cv::FileStorage When Parsing XML File

[iamjimyes]

System Information

OpenCV version: 4.8.0
Operating System / Platform: 22.04.4 LTS (Jammy Jellyfish)
Compiler & compiler version: clang 15.0.7 (c++14)

Detailed description

Using OpenCV's cv::FileStorage to parse XML data results in a segmentation fault. The issue occurs when the XML data provided is either corrupted or malformed.
Code to trigger segmentation fault is like.

//minimized_poc.cc
#include <opencv2/core/core.hpp>
#include <opencv2/opencv.hpp>
#include <vector>
#include <fstream>

int certain_permutation(const uint8_t *data, size_t size) {
	if(size<0) return 0;

	FILE *input_file_ptr = fopen("eingabedatei", "wb");
	if (input_file_ptr == NULL) {return 0;}
	fwrite(data, sizeof(uint8_t), size, input_file_ptr);
	fclose(input_file_ptr);

    // Sicherstellen, dass die Eingabedaten gültig sind.
    if (size == 0 || data == nullptr) {
	return 0;
	}
	

    // Verwenden Sie fmemopen, um ein FILE* aus dem Eingabe-Byte-Array zu erstellen.
    FILE *in_file = fmemopen((void *)data, size, "rb");
    if (!in_file) {
	return 0;
	}
	 // Erstellen des Dateistreams fehlgeschlagen.

    try {
        // Lesen Sie die Daten in OpenCV Mat mithilfe von FileStorage ein
        cv::FileStorage fs("eingabedatei", cv::FileStorage::READ);
        if (!fs.isOpened()) {
            throw cv::Exception(-1, "Failed to open FileStorage", __func__, "eingabedatei", 0);
        }


    } catch (const cv::Exception& e) {
        std::cerr << "OpenCV Exception: " << e.what() << std::endl;
    }
  
	return 0;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        std::cerr << "Usage: " << argv[0] << " <input file>" << std::endl;
        return 1;
    }

    const char *filename = argv[1];

    // Datei öffnen
    std::ifstream file(filename, std::ios::binary);
    if (!file) {
        std::cerr << "Error opening file: " << filename << std::endl;
        return 1;
    }

    // Dateiinhalte in den Puffer lesen
    std::vector<unsigned char> buffer((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
    int size = buffer.size();

    // Übergeben Sie den Dateinhalt an die certain_permutation-Funktion
    if (size > 0) {
        certain_permutation(buffer.data(), size);
    } else {
        std::cerr << "Empty file: " << filename << std::endl;
        return 1;
    }

    return 0;
}

This issue is similar to #15127, #22791, but the segmentation fault has a different cause
Attachment: npd.zip

Steps to reproduce

0. Extract the contents of the attached archive, which includes minimized_poc.cc and minimized.xml.
1. Compile minimized_poc.cc into an executable binary.
2. Open the compiled binary in a debugger.
3. Run the binary with minimized.xml as an input (using a debugger is recommended).

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues, forum.opencv.org, Stack Overflow, etc and have not found any solution
• I updated to the latest OpenCV version and the issue is still there
• There is reproducer code and related data files (videos, images, onnx, etc)

[Kumataro]

Hello, this reason is here.

opencv/modules/core/src/persistence_xml.cpp

Lines 737 to 743 in eab21b6

	if( c != '\"' && c != '\'' )
	{
	ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
	if( *ptr != '\"' && *ptr != '\'' )
	CV_PARSE_ERROR_CPP( "Attribute value should be put into single or double quotes" );
	}

Sometimes skipSpaces() returns nullptr, however there are no checks.

I think it should be implemented like this.

opencv/modules/core/src/persistence_xml.cpp

Lines 729 to 734 in eab21b6

	ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG );
	if (!ptr)
	CV_PARSE_ERROR_CPP("Invalid attribute");
	if( *ptr != '=' )
	CV_PARSE_ERROR_CPP( "Attribute name should be followed by \'=\'" );
	}