"Uncaught Python exception: KeyError: None" in lxml.isoschematron
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxml | New | Undecided | Unassigned | | |
Bug Description
I have been experimenting with fuzzing Python libraries using the OSS-Fuzz project and I saw that this project has some fuzz targets integrated into OSS-Fuzz[0], but the build was broken and some of the fuzz tests could be improved.
While working to improve some of the fuzz tests, I believe I identified a possible bug.
## Summary of the bug:
An uncaught Python exception can be triggered in `lxml.isoschema
```
#!/usr/bin/env python3
# Assume file name is: isoschematron_
import io
from lxml import isoschematron, etree
data = io.BytesIO(
poc_schema = etree.parse(data)
schematron = isoschematron.
```
The above should output something similar to the following:
```
Traceback (most recent call last):
File "<some_
schematron = isoschematron.
File "<some_
schematron = self._extract(root)
File "<some_
elif element.
KeyError: None
```
## Environment Info:
I tested this:
- In two environments (macOS & Ubuntu)
- With two versions of Python (3.12.1 (venv) and 3.8)
- With lxml 5.0.1 installed from pip as well as compiled from source with C extensions.
The following is from my local environment where the attached POC script was run:
```
Python : sys.version_
lxml.etree : (5, 1, 0, 0)
libxml used : (2, 12, 3)
libxml compiled : (2, 12, 3)
libxslt used : (1, 1, 39)
libxslt compiled : (1, 1, 39)
```
Additional info:
```
Python Version: 3.12.1 (main, Feb 5 2024, 16:23:00) [Clang 15.0.0 (clang-
OS Information: macOS-14.
Installed Packages:
Package Version
------- -------
lxml 5.1.0
pip 24.0
```
And this is from the OSS-Fuzz container environment I discovered the issue in (running it locally):
```
Python : sys.version_
lxml.etree : (5, 1, 0, 0)
libxml used : (2, 10, 3)
libxml compiled : (2, 10, 3)
libxslt used : (1, 1, 37)
libxslt compiled : (1, 1, 37)
```
Additional info:
```
Python Version: 3.8.3 (default, Mar 17 2024, 03:21:27)
[Clang 15.0.0 (https:/
OS Information: Linux-6.
Installed Packages:
Package Version
-------
altgraph 0.17.4
atheris 2.3.0
coverage 6.3.2
Cython 3.0.9
importlib_metadata 7.0.2
lxml 5.1.0
packaging 24.0
pip 24.0
pyinstaller 6.5.0
pyinstaller-
setuptools 69.2.0
six 1.15.0
zipp 3.18.1
```
### Fuzz test output
Below is the output of the OSS-Fuzz test run that I discovered this with (note: I haven't pushed the fuzz test itself to a public repo yet but I expect to shortly and I'm happy to share a link here when I do.)
```
=== Uncaught Python exception: ===
KeyError: None
Traceback (most recent call last):
File "fuzz_schematro
File "lxml/isoschema
File "lxml/isoschema
KeyError: None
==20== ERROR: libFuzzer: fuzz target exited
#0 0x7f712245d694 in __sanitizer_
#1 0x7f71223def48 in fuzzer:
#2 0x7f71223c3cdc in fuzzer:
#3 0x7f712219c8a6 (/lib/x86_
#4 0x7f712219ca5f in exit (/lib/x86_
#5 0x7f712194dc78 in Py_Exit /tmp/Python-
#6 0x7f71219526cf in handle_system_exit /tmp/Python-
#7 0x7f71219526cf in _PyErr_PrintEx /tmp/Python-
#8 0x403d90 (/out/fuzz_
#9 0x404003 (/out/fuzz_
#10 0x7f712217a082 in __libc_start_main (/lib/x86_
#11 0x40259d (/out/fuzz_
DEDUP_TOKEN: __sanitizer_
SUMMARY: libFuzzer: fuzz target exited
MS: 2 ChangeByte-
0x3c,0x72,
<rr/>\000
artifact_
Base64: PHJyLz4A
```
[0]: https:/
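
The following is an added example, not part of the original report and not lxml's own code. It shows one way a caller that accepts untrusted schemas can guard the `isoschematron.Schematron` constructor: it classifies the root element's namespace up front and turns every rejection, including the `KeyError` reported above, into a single `ValueError`. The function names and the sample schema are constructed for illustration.

```python
from lxml import etree, isoschematron

# Well-known namespace URIs of the schema languages isoschematron accepts.
SCHEMATRON_NS = "http://purl.oclc.org/dsdl/schematron"
XML_SCHEMA_NS = "http://www.w3.org/2001/XMLSchema"
RELAXNG_NS = "http://relaxng.org/ns/structure/1.0"

# Parser settings for untrusted input: no entity expansion, no network fetches.
_PARSER = etree.XMLParser(resolve_entities=False, no_network=True)


def classify_root(root):
    """Return 'schematron', 'xsd', 'relaxng', or None for any other root."""
    qname = etree.QName(root)
    if qname.localname == "schema" and qname.namespace == SCHEMATRON_NS:
        return "schematron"
    if qname.localname == "schema" and qname.namespace == XML_SCHEMA_NS:
        return "xsd"
    if qname.namespace == RELAXNG_NS:
        return "relaxng"
    return None  # includes roots with no namespace at all, such as <rr/>


def load_schematron(data):
    """Build a Schematron validator from untrusted bytes or raise ValueError."""
    try:
        root = etree.fromstring(data, _PARSER)
    except etree.XMLSyntaxError as exc:
        raise ValueError(f"schema is not well-formed XML: {exc}") from exc
    if classify_root(root) is None:
        raise ValueError(f"unsupported schema root element: {root.tag!r}")
    try:
        return isoschematron.Schematron(root)
    except (etree.LxmlError, KeyError) as exc:
        # KeyError is caught as well because of the behaviour reported above.
        raise ValueError(f"schema rejected: {exc!r}") from exc


# Constructed sample schema: every <order> must carry an id attribute.
SAMPLE_SCHEMA = b"""<schema xmlns="http://purl.oclc.org/dsdl/schematron">
  <pattern id="order-id">
    <rule context="order">
      <assert test="@id">order needs an id</assert>
    </rule>
  </pattern>
</schema>"""

if __name__ == "__main__":
    validator = load_schematron(SAMPLE_SCHEMA)
    print(validator.validate(etree.fromstring(b'<order id="1"/>')))
    print(classify_root(etree.fromstring(b"<rr/>")))
```
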