[CVE-2019-15903] Heap overflow in XML_GetCurrentLineNumber #317
Comments
Hi @yuweol, thanks for the report! A closer look might take a few days.
My analysis so far:

Cause of this very crash

Underlying issue

A minified version of the trouble input is this:

    <!DOCTYPE d [
    <!ENTITY % e "]><d">
    %e;

When

A simplified call tree for this situation would look like this:

This file

    <!DOCTYPE doc [
    <!ENTITY % foo "]><doc/>">
    %foo;

… when

    # xmlwf -p <<<$'<!DOCTYPE doc [\n<!ENTITY % foo "]><doc/>">\n%foo;'  # needs Bash
    <no error output>

The same can be observed in Firefox (e.g. version 66.0.3).

Towards a fix

To my understanding, Expat should reject prolog termination

I'm grateful for comments about this understanding and direction for a fix.
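The behaviour the analysis above describes can be turned into a regression check for the build of Expat you actually link against. The script below is an added example, not code from the thread or from the Expat project; it uses CPython's `xml.parsers.expat` binding (the same library, driven from Python instead of the C API), with parameter entity parsing forced on as in the original report. Both documents are constructed here: the minified trouble input from the analysis, and a benign document whose parameter entity expands to a normal entity declaration.

```python
import xml.parsers.expat as expat

# Constructed inputs. The first is the minified trouble input from the
# thread: the parameter entity's replacement text "]><d>" closes the
# internal DTD subset from inside an expanded entity. The second is an
# ordinary use of a parameter entity that a fixed Expat must still accept.
CLOSING_DOCTYPE = '<!DOCTYPE d [\n<!ENTITY % e "]><d">\n%e;'
BENIGN = ('<!DOCTYPE d [\n<!ENTITY % e "<!ENTITY x \'y\'>">\n%e;\n]>\n'
          '<d>&x;</d>')


def parse_with_param_entities(doc):
    """Parse doc with XML_PARAM_ENTITY_PARSING_ALWAYS, as in the report.

    Returns None when Expat accepts the document, otherwise the numeric
    ExpatError code it reported.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        return err.code
    return None


def has_doctype_close_fix():
    """Regression check for the fix discussed in this issue (Expat 2.2.8+):
    a parameter entity whose replacement text closes the doctype must be
    rejected, while an ordinary parameter entity still parses cleanly."""
    rejected = parse_with_param_entities(CLOSING_DOCTYPE) is not None
    benign_ok = parse_with_param_entities(BENIGN) is None
    return rejected and benign_ok


if __name__ == "__main__":
    print("linked expat version:", expat.version_info)
    print("rejects doctype-closing parameter entity:", has_doctype_close_fix())
```

On a build without the fix the first document is accepted without error, mirroring the xmlwf run above, so the check returns False instead of raising.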
Deny internal entities closing the doctype (for #317)
Quick update: I have requested a CVE for this from MITRE a few minutes ago.

Merged by now, closing.
Hello,
A heap overflow is found when I call the APIs below with a crafted input value.
    #include <stdio.h>
    #include <string.h>
    #include <expat.h>
    static void replay(const char *input) {  /* input: the crafted document from expat.zip */
      XML_Parser parser = XML_ParserCreate(NULL);
      XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
      if (XML_Parse(parser, input, (int)strlen(input), XML_TRUE) != XML_STATUS_SUSPENDED) {
        fprintf(stderr, "%lu", (unsigned long)XML_GetCurrentLineNumber(parser));  /* ASan reports the over-read here */
      }
    }
The attached file has both the source code to replay this bug and the bug report from AddressSanitizer.
This bug was found in R_2_2_6 and R_2_2_7.
I used the following commands to build libexpat and to build the source code for replaying the bug.
[1] ./configure CC=clang CXX=clang++ CFLAGS="-m32 -fsanitize=address -g" CXXFLAGS="-m32 -fsanitize=address" LDFLAGS="-m32 -fsanitize=address"
[2] make
[3] clang -DHAVE_CONFIG_H -I. -I.. -I./../lib -DHAVE_EXPAT_CONFIG_H -m32 -fsanitize=address -g -Wall -Wmissing-prototypes -Wstrict-prototypes -fexceptions -fno-strict-aliasing -o bug bug.c lib/.libs/libexpat.a && ./bug
I hope this report helps expat to be secured.
expat.zip