[CVE-2019-15903] Heap overflow in XML_GetCurrentLineNumber #317
A heap overflow is found when I call the APIs below with a crafted input value.
parser = XML_ParserCreate(NULL);
The attached file has both the source code to replay this bug and the bug report from AddressSanitizer.
I used the following commands to build libexpat and to build the source code for replaying the bug.
 ./configure CC=clang CXX=clang++ CFLAGS="-m32 -fsanitize=address -g" CXXFLAGS="-m32 -fsanitize=address" LDFLAGS="-m32 -fsanitize=address"
I hope this report helps expat to be secured.
My analysis so far:
Cause of this very crash
A minified version of the troublesome input is this:
<!DOCTYPE d [ <!ENTITY % e "]><d"> %e;
A simplified call tree for this situation would look like this:
<!DOCTYPE doc [ <!ENTITY % foo "]><doc/>"> %foo;
# xmlwf -p <<<$'<!DOCTYPE doc [\n<!ENTITY % foo "]><doc/>">\n%foo;' # needs Bash <no error output>
The same can be observed in Firefox (e.g. version 66.0.3).
Towards a fix
To my understanding, Expat should reject prolog termination
I'm grateful for comments about this understanding and direction for a fix.
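A regression check for the two inputs discussed above, added here as an example; it is not code from the issue or from Expat itself. It drives the Expat build that Python's xml.parsers.expat links against, with parameter-entity expansion enabled (as xmlwf -p does), and queries the parser position from inside callbacks, which is where the over-read named in the title happens. The case labels and function names are my own.

```python
from xml.parsers import expat

# The inputs quoted in this issue: a parameter entity whose replacement text
# ends the internal subset with "]>" and then opens the document element.
CASES = {
    "minified": '<!DOCTYPE d [ <!ENTITY % e "]><d"> %e;',
    "doc": '<!DOCTYPE doc [\n<!ENTITY % foo "]><doc/>">\n%foo;',
}


def probe(xml_text):
    """Parse one input; return (error_message_or_None, elements_seen, positions).

    A fixed Expat (>= 2.2.8) rejects the input before any element callback
    runs, so elements_seen stays empty.  A vulnerable build reaches the start
    element callback from inside the entity, and the position query there is
    the heap over-read the AddressSanitizer report describes.
    """
    parser = expat.ParserCreate()
    # Without this, Expat never expands %e; and the bug is not reachable.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    elements, positions = [], []

    def record_position():
        # The call named in the issue title, made from inside a handler.
        positions.append((parser.CurrentLineNumber, parser.CurrentColumnNumber))

    def on_start(name, attrs):
        elements.append(name)
        record_position()

    def on_entity_decl(*args):
        record_position()

    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as err:
        return (expat.ErrorString(err.code), elements, positions)
    return (None, elements, positions)


def check_all():
    """Map case name -> True when this Expat build rejects the input cleanly."""
    results = {}
    for name, text in CASES.items():
        error, elements, _ = probe(text)
        results[name] = error is not None and not elements
    return results


if __name__ == "__main__":
    print("linked expat:", expat.EXPAT_VERSION)
    for name, text in CASES.items():
        print(name, probe(text))
```

Run it against the interpreter whose Expat you want to verify; any case reported as False means an element callback was reached from inside the entity, the situation the fix is meant to deny.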