[CVE-2022-40674] Ensure raw tagnames are safe exiting internalEntityParser #629

Merged: 1 commit, Sep 11, 2022

Conversation

@RMJ10 (Contributor) commented Aug 18, 2022

It is possible to concoct a situation in which parsing is suspended while substituting in an internal entity, so that XML_ResumeParser directly uses internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawNames to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. If the parse buffer is then changed or reallocated (for example if processing a file line by line), badness will ensue.

This patch ensures storeRawNames is always called when needed after calling doContent. The earlier call to doContent does not need the same protection; it only deals with entity substitution, which cannot leave unbalanced tags, and in any case the raw names will be pointing into the stored entity value (memory that is going to stick around) not the parse buffer.

It is possible to concoct a situation in which parsing is
suspended while substituting in an internal entity, so that
XML_ResumeParser directly uses internalEntityProcessor as
its processor.  If the subsequent parse includes some unclosed
tags, this will return without calling storeRawNames to ensure
that the raw versions of the tag names are stored in memory other
than the parse buffer itself.  If the parse buffer is then changed
or reallocated (for example if processing a file line by line),
badness will ensue.

This patch ensures storeRawNames is always called when needed
after calling doContent.  The earlier call to doContent does
not need the same protection; it only deals with entity
substitution, which cannot leave unbalanced tags, and in any
case the raw names will be pointing into the stored entity
value not the parse buffer.
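As an added illustration of the defect described above (this is not expat's code and not part of the PR), a toy open-tag stack that borrows tag names from the parse buffer, a storeRawNames-style copy into owned memory, and an audit that counts names still pointing into the buffer; Tag, TagStack, push_open_tags, store_raw_names and names_borrowed_from are names invented for this demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added illustration, not expat's code: a toy open-tag stack whose entries
 * borrow their names from the parse buffer, as expat's TAG.rawName does
 * before storeRawNames() runs. All names below are invented for this demo. */
typedef struct { const char *rawName; int rawNameLength; char *owned; } Tag;
typedef struct { Tag tags[16]; int depth; } TagStack;

/* Push a borrowed pointer for each "<name>" opener in one chunk; "</x>" pops. */
int push_open_tags(TagStack *s, const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '<') continue;
        size_t j = i;
        while (j < len && buf[j] != '>') j++;
        if (j == len) break;                      /* tag continues in next chunk */
        if (buf[i + 1] == '/') { if (s->depth) free(s->tags[--s->depth].owned); i = j; continue; }
        if (s->depth == 16) return -1;
        Tag *t = &s->tags[s->depth++];
        t->rawName = buf + i + 1;                 /* points INTO buf: fragile */
        t->rawNameLength = (int)(j - i - 1);
        t->owned = NULL;
        i = j;
    }
    return s->depth;
}

/* storeRawNames() equivalent: copy every still-borrowed name into memory the
 * stack owns, so the caller may free or realloc buf afterwards. */
int store_raw_names(TagStack *s) {
    for (int k = 0; k < s->depth; k++) {
        Tag *t = &s->tags[k];
        if (t->owned) continue;
        if (!(t->owned = malloc((size_t)t->rawNameLength + 1))) return 0;
        memcpy(t->owned, t->rawName, (size_t)t->rawNameLength);
        t->owned[t->rawNameLength] = '\0';
        t->rawName = t->owned;
    }
    return 1;
}

/* Audit: how many tag names still point into [buf, buf+len)? Non-zero means
 * freeing or reallocating buf would leave dangling pointers. */
int names_borrowed_from(const TagStack *s, const char *buf, size_t len) {
    int n = 0;
    for (int k = 0; k < s->depth; k++)
        n += (uintptr_t)s->tags[k].rawName - (uintptr_t)buf < len;
    return n;
}
```

The audit is the check a regression test for this class of bug wants: after the parser returns from a chunk, no open tag may still reference the chunk buffer.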
@hartwork (Member) left a comment

@RMJ10 many thanks!

@hartwork hartwork merged commit dde178b into libexpat:master Sep 11, 2022
@hartwork hartwork added this to the 2.4.9 milestone Sep 11, 2022
@hartwork hartwork changed the title Ensure raw tagnames are safe exiting internalEntityParser [CVE-2022-40674] Ensure raw tagnames are safe exiting internalEntityParser Sep 14, 2022
hartwork added a commit that referenced this pull request Sep 14, 2022
[CVE-2022-40674] tests: Cover heap use-after-free issue in doContent (follow-up to #629)
algitbot pushed a commit to alpinelinux/aports that referenced this pull request Sep 21, 2022