oss-sec mailing list archives

CVE request: DoS in libxml2 if xz is enabled


From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Mon, 2 Nov 2015 08:24:10 -0300

Hello,

We found a denial of service parsing a specially crafted xml in libxml2
if xz support is enabled. It affects version 2.9.1 and probably others.
Find attached an xml that never finishes the parsing process:

gdb --quiet --args xmllint /tmp/test.xz
Reading symbols from xmllint...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/xmllint /tmp/test.xz
^C
Program received signal SIGINT, Interrupt.
0xb7f3e63c in xz_decomp (state=state@entry=0x8001cff0) at ../../xzlib.c:509
509 ../../xzlib.c: No such file or directory.
(gdb) bt
#0  0xb7f3e63c in xz_decomp (state=state@entry=0x8001cff0) at ../../xzlib.c:509
#1  0xb7f3ea25 in xz_make (state=<optimized out>) at ../../xzlib.c:603
#2  0xb7f3f3e7 in __libxml2_xzread (file=file@entry=0x8001cff0, buf=buf@entry=0x8001d190, len=len@entry=4000) at ../../xzlib.c:694
#3  0xb7e87dfb in xmlXzfileRead (context=0x8001cff0, buffer=0x8001d190 "", len=4000) at ../../xmlIO.c:1421
#4  0xb7e89aaa in xmlParserInputBufferGrow__internal_alias (in=0x8001d140, len=4000, len@entry=250) at ../../xmlIO.c:3317
#5  0xb7e5af21 in xmlParserInputGrow__internal_alias (in=0x8001f198, len=len@entry=250) at ../../parserInternals.c:320
#6  0xb7e60581 in xmlGROW (ctxt=ctxt@entry=0x8001c258) at ../../parser.c:2075
#7  0xb7e72d49 in xmlParseDocument__internal_alias (ctxt=ctxt@entry=0x8001c258) at ../../parser.c:10672
#8  0xb7e731a0 in xmlDoRead (ctxt=0x8001c258, URL=0x0, encoding=0x0, options=4259840, reuse=0) at ../../parser.c:15242
#9  0x80009fc8 in ?? ()
#10 0x80006887 in main ()

Upstream is working to fix this issue. This test case was found using afl.
Thanks!

Attachment: test.xz
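The backtrace above shows the parser stuck inside the xz decompression step (xz_decomp), with the decompressed bytes being handed to the XML parser as they are produced. A defensive pattern for any such pipeline is to decompress with explicit bounds before parsing: a cap on total output, a cap on the number of decompression rounds, and a check that each round makes progress. The example below is added here and is not part of the email or of libxml2; it uses Python's standard lzma module rather than libxml2's xzlib.c, and the limits, the sample documents and the function names are constructed for illustration.

```python
import lzma

# Constructed limits for the example; a real deployment would tune these
# to the largest document it legitimately expects.
MAX_OUTPUT_BYTES = 1 * 1024 * 1024   # refuse more than 1 MiB of decompressed data
MAX_ROUNDS = 10_000                  # refuse a decoder that loops without finishing
CHUNK = 64 * 1024                    # output produced per decompression round


class DecompressionError(Exception):
    """Raised when the xz stream is truncated, corrupt, or exceeds a bound."""


def bounded_xz_decompress(data: bytes,
                          max_output: int = MAX_OUTPUT_BYTES,
                          max_rounds: int = MAX_ROUNDS) -> bytes:
    """Decompress an xz stream while enforcing output, round and progress limits.

    Unlike a plain lzma.decompress(), this never lets the decoder run unbounded:
    each round yields at most CHUNK bytes, the total is capped at max_output,
    and a round that yields nothing while the decoder still wants input means
    the stream ended early.
    """
    decoder = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = bytearray()
    feed = data          # all input is handed over on the first call; later
    rounds = 0           # calls pass b"" to drain the decoder's internal buffer
    while not decoder.eof:
        rounds += 1
        if rounds > max_rounds:
            raise DecompressionError("decoder did not finish within %d rounds" % max_rounds)
        try:
            chunk = decoder.decompress(feed, max_length=CHUNK)
        except lzma.LZMAError as exc:
            raise DecompressionError("corrupt xz stream: %s" % exc) from exc
        feed = b""
        out += chunk
        if len(out) > max_output:
            raise DecompressionError("decompressed size exceeds %d bytes" % max_output)
        if not chunk and decoder.needs_input:
            # No output and the decoder is asking for more input we do not have.
            raise DecompressionError("truncated xz stream")
    return bytes(out)


def safe_decompress(data: bytes) -> tuple:
    """Return (True, decompressed_bytes) or (False, reason) without raising."""
    try:
        return True, bounded_xz_decompress(data)
    except DecompressionError as exc:
        return False, str(exc)


# Constructed sample inputs (not the attachment from the report).
SMALL_DOC = b"<doc>" + b"x" * 1000 + b"</doc>"
SMALL_XZ = lzma.compress(SMALL_DOC, format=lzma.FORMAT_XZ)
# 8 MiB of zeros compresses to a tiny stream but expands past MAX_OUTPUT_BYTES.
BOMB_XZ = lzma.compress(bytes(8 * 1024 * 1024), format=lzma.FORMAT_XZ)
# Dropping the stream footer leaves a stream the decoder can never finish.
TRUNCATED_XZ = SMALL_XZ[:-12]


if __name__ == "__main__":
    for name, blob in (("small", SMALL_XZ), ("bomb", BOMB_XZ), ("truncated", TRUNCATED_XZ)):
        ok, result = safe_decompress(blob)
        print(name, "ok" if ok else "rejected:", result if not ok else len(result))
```

The decompressed bytes are only handed to an XML parser once safe_decompress reports success, so a stream that never terminates or that expands without bound is rejected before the parser ever sees it; the same structure applies to a streaming design, where the bound would be enforced per read callback instead of on the whole document.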