Date: Sun, 16 Jul 2006 09:11:10 +0200
From: Joris van Rantwijk <rantwijk@science.uva.nl>
To: submit@bugs.debian.org
Subject: Buffer overflow in XML::Parser::Expat triggered by deep nesting
Message-ID: <20060716071110.GB6087@newcastle.science.uva.nl>

Package: libxml-parser-perl
Version: 2.34-4
Severity: grave

A heap overflow in the Expat library wrapper can be triggered by
XML input with deeply nested elements. This bug has also been reported
to CPAN: http://rt.cpan.org/Ticket/Display.html?id=19860

The error is caused at libxml-parser-perl-2.34/Expat/Expat.xs, line 498:
  if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
    unsigned int newsize = cbv->st_serial_stacksize + 512;
    Renew(cbv->st_serial_stack, newsize, unsigned int);
    cbv->st_serial_stacksize = newsize;
  }
  cbv->st_serial_stack[++cbv->st_serial_stackptr] = cbv->st_serial;

Note that in the case that stackptr == stacksize-1, this code
decides to NOT expand the stack and subsequently writes a value
just outside the allocated buffer.

Because the buffer is overflowed by only 4 bytes, this does not cause
a segmentation fault. But the overflow is detected by Valgrind when
parsing an XML file with elements nested deeper than 512 levels.

Since it involves an input-triggered heap overflow, this is technically
a security vulnerability.

Joris.
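A minimal model of the serial-stack push from Expat.xs, added here as an example; it is not part of the bug report or of libxml-parser-perl. The struct, the initial capacity, a stack pointer starting at 0 and the first_overflow_depth helper are assumptions. It keeps the original bounds check beside a corrected one and reports, instead of performing, the write one slot past the end.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the Expat.xs source: a model of the serial stack with
 * the original check next to a corrected one. Instead of writing past the
 * buffer, a push reports when it would. */
typedef struct {
    unsigned int *stack;     /* st_serial_stack */
    unsigned int stackptr;   /* st_serial_stackptr: index of the top element */
    unsigned int stacksize;  /* st_serial_stacksize: slots allocated */
} serial_stack_t;

static void grow(serial_stack_t *s) {
    unsigned int newsize = s->stacksize + 512;   /* same step as Expat.xs */
    unsigned int *p = realloc(s->stack, newsize * sizeof *p);
    if (!p) { perror("realloc"); exit(1); }
    s->stack = p;
    s->stacksize = newsize;
}

/* Original check: grows only once stackptr itself is out of range, so when
 * stackptr == stacksize-1 the write to ++stackptr lands one slot past the end.
 * Returns 1 instead of performing that write. */
int push_original_check(serial_stack_t *s, unsigned int value) {
    if (s->stackptr >= s->stacksize) grow(s);
    if (s->stackptr + 1 >= s->stacksize) return 1;   /* would overflow */
    s->stack[++s->stackptr] = value;
    return 0;
}

/* Corrected check: grow when the slot ++stackptr will use does not exist. */
int push_fixed_check(serial_stack_t *s, unsigned int value) {
    if (s->stackptr + 1 >= s->stacksize) grow(s);
    if (s->stackptr + 1 >= s->stacksize) return 1;   /* cannot happen */
    s->stack[++s->stackptr] = value;
    return 0;
}

/* Push `depth` nesting levels; return the first depth at which `push` would
 * write out of bounds, or 0 if it never would. initial_size is an assumption. */
unsigned int first_overflow_depth(unsigned int initial_size, unsigned int depth,
                                  int (*push)(serial_stack_t *, unsigned int)) {
    serial_stack_t s = { calloc(initial_size, sizeof(unsigned int)), 0, initial_size };
    unsigned int hit = 0;
    for (unsigned int d = 1; d <= depth && !hit; d++)
        if (push(&s, d)) hit = d;
    free(s.stack);
    return hit;
}
```

With an assumed initial capacity of 512 slots the original check first steps out of bounds at nesting depth 512, which is the write Valgrind reports; the corrected check never does.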
