[xml/sgml-pkgs] Bug#378412: Buffer overflow in XML::Parser::Expat triggered by deep nesting
Joris van Rantwijk
rantwijk at science.uva.nl
Sun Jul 16 07:11:10 UTC 2006
Package: libxml-parser-perl
Version: 2.34-4
Severity: grave
A heap overflow in the Expat library wrapper can be triggered by
XML input with deeply nested elements. This bug has also been reported
to CPAN: http://rt.cpan.org/Ticket/Display.html?id=19860
The error is caused at libxml-parser-perl-2.34/Expat/Expat.xs, line 498:
    if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
        unsigned int newsize = cbv->st_serial_stacksize + 512;
        Renew(cbv->st_serial_stack, newsize, unsigned int);
        cbv->st_serial_stacksize = newsize;
    }
    cbv->st_serial_stack[++cbv->st_serial_stackptr] = cbv->st_serial;
Note that in the case that stackptr == stacksize-1, this code
decides to NOT expand the stack and subsequently writes a value
just outside the allocated buffer.
Because the buffer is overflowed by only 4 bytes, this does not cause
a segmentation fault. But the overflow is detected by Valgrind when
parsing an XML file with elements nested deeper than 512 levels.
Since it involves an input-triggered heap overflow, this is technically
a security vulnerability.
Joris.
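The off-by-one described in the report, as an added illustration that is not part of the original bug report or of XML::Parser: a pure check that computes the index the quoted code writes to for a given stackptr/stacksize pair, the same check with the grow condition corrected, and a hardened push that uses realloc in place of Renew. The struct and function names are hypothetical stand-ins for the fields named in Expat.xs.

```c
#include <stdio.h>
#include <stdlib.h>

#define GROW 512  /* growth step used by the quoted Expat.xs code */

/* Hypothetical stand-in for the three callback-vector fields involved. */
typedef struct {
    unsigned int *stack;
    unsigned int  ptr;   /* index of the current top element */
    unsigned int  size;  /* number of allocated elements */
} serial_stack_t;

/* Original condition: grow only when ptr >= size, then write at ++ptr.
 * Returns 1 if that write lands outside the (possibly grown) buffer.
 * Pure arithmetic, so the bad case can be inspected without touching memory. */
int original_overflows(unsigned int ptr, unsigned int size)
{
    unsigned int newsize = (ptr >= size) ? size + GROW : size;
    return (ptr + 1) >= newsize;  /* valid indices are 0 .. newsize-1 */
}

/* Corrected condition: grow when the slot about to be written, ptr+1,
 * is already outside the buffer. */
int fixed_overflows(unsigned int ptr, unsigned int size)
{
    unsigned int newsize = (ptr + 1 >= size) ? size + GROW : size;
    return (ptr + 1) >= newsize;
}

/* Hardened push using the corrected check. Returns 0 on success,
 * -1 if reallocation fails (the stack is left unchanged in that case). */
int serial_push(serial_stack_t *s, unsigned int serial)
{
    if (s->ptr + 1 >= s->size) {
        unsigned int newsize = s->size + GROW;
        unsigned int *p = realloc(s->stack, newsize * sizeof *p);
        if (p == NULL)
            return -1;
        s->stack = p;
        s->size = newsize;
    }
    s->stack[++s->ptr] = serial;
    return 0;
}

int main(void)
{
    /* Exactly one stackptr value per growth step is mishandled: size-1. */
    printf("ptr=511 size=512: original overflows=%d, fixed overflows=%d\n",
           original_overflows(511, 512), fixed_overflows(511, 512));
    return 0;
}
```

The single bad case per growth step (ptr == size-1, writing index size) is what produces the 4-byte overrun the report describes; the following push already satisfies ptr >= size and grows normally.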