
[CVE-2021-46143] Crafted XML file can cause integer overflow on m_groupSize in function doProlog #532

Closed
hartwork opened this issue Dec 30, 2021 · 4 comments · Fixed by #538
Comments

@hartwork
Member

hartwork commented Dec 30, 2021

On 2021-12-24, a member of Trend Micro Zero Day Initiative ("ZDI") shared a vulnerability named ZDI-CAN-16157 in libexpat with me that has been discovered by an anonymous individual working with Trend Micro ZDI. I would like to thank both Trend Micro and the anonymous individual for their whitehat work on libexpat security. Thank you! 🙏

Similar to ticket #531, the issue is an integer overflow (in multiplication) near a call to realloc that takes a ~2 GiB crafted XML file, and then will cause denial of service or more. The issue exists since commit 347e19a and hence affects even the oldest (pre-)releases.

-- CVSS -----------------------------------------

8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

[..]

Analysis

This is an integer overflow vulnerability that exists in the expat library. The vulnerable function is doProlog.

```c
doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
         int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
         XML_Bool allowClosingDoctype, enum XML_Account account) {
#ifdef XML_DTD
  static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'};
#endif /* XML_DTD */
  static const XML_Char atypeCDATA[]
  [...]
   case XML_ROLE_GROUP_OPEN:
      if (parser->m_prologState.level >= parser->m_groupSize) {
        if (parser->m_groupSize) {
          {
            char *const new_connector = (char *)REALLOC(
                parser, parser->m_groupConnector, parser->m_groupSize *= 2);// <-------- (1)
            if (new_connector == NULL) {
              parser->m_groupSize /= 2;
              return XML_ERROR_NO_MEMORY;
            }
            parser->m_groupConnector = new_connector;
          }
```

  • At (1), integer overflow occurs if the value of m_groupSize is greater than 0x7FFFFFFF.

A pull request and likely a CVE are upcoming, and there will soon be a release 2.4.3.

Best, Sebastian
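
The following is an added example, not code from libexpat or from the ZDI report above, that isolates the arithmetic at marker (1) and puts a guarded version beside it. The `mini_parser` struct, `INITIAL_GROUP_SIZE`, and the function names are constructed for the example; only the field names `m_groupConnector` and `m_groupSize` are taken from the excerpt. It shows that doubling an `unsigned int` above 0x7FFFFFFF wraps to a size far smaller than the level that is about to be indexed, and that a single range check before the multiplication is enough to refuse the growth instead of passing a wrapped size to realloc.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the two parser fields the XML_ROLE_GROUP_OPEN path touches.
 * The struct is constructed for this example; field names follow the excerpt. */
struct mini_parser {
  char *m_groupConnector;
  unsigned int m_groupSize;
};

/* Assumption: initial buffer size used when m_groupSize is still 0. */
#define INITIAL_GROUP_SIZE 32u

/* Shape of the arithmetic at marker (1): size *= 2 with no guard.
 * For any size above 0x7FFFFFFF the product wraps modulo 2^32, silently. */
unsigned int doubled_unchecked(unsigned int size) {
  return size * 2u;
}

/* Guarded doubling: succeed only when 2 * size fits in unsigned int.
 * Returns 1 and writes *out on success, 0 when the product would wrap. */
int doubled_checked(unsigned int size, unsigned int *out) {
  if (size > UINT_MAX / 2u)
    return 0;
  *out = size * 2u;
  return 1;
}

/* Hardened growth step for the group connector buffer.
 * Returns 0 when index `level` can be stored, -1 when growing is impossible
 * (doubling would wrap, or allocation fails); parser state is unchanged on -1. */
int group_open_grow(struct mini_parser *p, unsigned int level) {
  if (level < p->m_groupSize)
    return 0; /* buffer already large enough */

  unsigned int new_size = p->m_groupSize ? p->m_groupSize : INITIAL_GROUP_SIZE;
  while (level >= new_size) {
    /* Refuse rather than wrap to a tiny size that `level` would then overrun. */
    if (!doubled_checked(new_size, &new_size))
      return -1;
  }

  char *buf = (char *)realloc(p->m_groupConnector, new_size); /* NULL base acts as malloc */
  if (buf == NULL)
    return -1;
  p->m_groupConnector = buf;
  p->m_groupSize = new_size;
  return 0;
}

int main(void) {
  unsigned int big = 0x80000000u, out = 0;
  printf("unchecked: 0x%08x * 2 = 0x%08x\n", big, doubled_unchecked(big));
  printf("checked:   0x%08x * 2 -> %s\n", big,
         doubled_checked(big, &out) ? "ok" : "refused");

  struct mini_parser p = {NULL, 0};
  printf("grow to level 200: %d, size now %u\n", group_open_grow(&p, 200), p.m_groupSize);
  free(p.m_groupConnector);

  /* Simulated state just below the wrap boundary; no buffer is touched
   * because the guard fires before realloc is reached. */
  struct mini_parser q = {NULL, big};
  printf("grow at level 0x%08x: %d, size still %u\n", big, group_open_grow(&q, big),
         q.m_groupSize);
  return 0;
}
```

The unchecked result is the state the report describes: after the wrap, `m_groupSize` is 0 and any subsequent write indexed by `level` lands past the end of whatever realloc returned. The guarded version keeps the old size and reports failure, which the caller can map to `XML_ERROR_NO_MEMORY` just as the existing NULL-realloc branch does.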

@hartwork hartwork added this to the 2.4.3 milestone Dec 30, 2021
@hartwork hartwork self-assigned this Dec 30, 2021
@hartwork hartwork mentioned this issue Dec 30, 2021
@hartwork hartwork changed the title Reserved #532 (security issue upcoming) Crafted XML file can cause integer overflow on m_groupSize in function doProlog Jan 4, 2022
@carnil

carnil commented Jan 6, 2022

CVE-2021-46143 is assigned for this issue.

@hartwork hartwork changed the title Crafted XML file can cause integer overflow on m_groupSize in function doProlog [CVE-2021-46143] Crafted XML file can cause integer overflow on m_groupSize in function doProlog Jan 6, 2022
@hartwork
Member Author

hartwork commented Jan 6, 2022

FYI @carnil one more CVE before 2.4.3 is likely, release in a few days is still planned.

hartwork added a commit that referenced this issue Jan 10, 2022
[CVE-2021-46143] lib: Prevent integer overflow on m_groupSize in function doProlog (fixes #532)
@ddillard

I see six CVEs published now, three criticals and three highs. Is there an ETA on the new release?

@hartwork
Member Author

Hi @ddillard, it's 8 CVEs in total, 3 pull requests, all related to fixed size integer math near memory allocation. Current ETA for release 2.4.3 is Sunday January 16th, two days from now, see pull request #543. If you like, you can watch the repository for releases (using the watch button near the top right of the page) and then every future Git tag will have GitHub send e-mail to you. Thanks for your interest in libexpat security.
