Re: Out-of-bounds Read in the libxml2's htmlParseNameComplex() function

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> HTMLparser.c line:2517 :
>
>        return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
>
> "ctxt->input->cur - len"  cause Out-of-bounds Read.
>
> heap-buffer-overflow
> READ of size 1

Use CVE-2016-2073.


> From: Salvatore Bonaccorso
>
> While checking upstream bugzilla to see if that was reported I noticed
>
> https://bugzilla.gnome.org/show_bug.cgi?id=749115
>
> Does this have the same root cause?

The CVE-2016-2073 PoC is an '&' followed by three characters, one of
which is a 0273 character. The PoC in 749115 has an unexpected
character immediately after a "<!DOCTYPE html" substring. We feel that
the CVE-2016-2073 report can have that unique ID on the basis of (at
least) a different attack methodology. CVE assignment for 749115 is
also possible unless 749115 already has a CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWp7B+AAoJEL54rhJi8gl5DrYP/210C002flIvBM/PY66OYkJw
BXYc5DDLMANTpXaXoaHqYGODfRtwQjZF/sFYUgtOxFTYi3UCHxOpRNjhU77OOlQA
7aNSZ+PU/Tl15dt7PEJWdNuK0mD9Lofzg6HhxkJD6F6EQHarH0NHIbdEGV6WKGGR
c2hACkO8WLCQxd+914f5YJBPsd+pKmWADKcmjV3yQMSr+6irHfzp+9UEDX/ma/3b
9yRwy+7Ubse2t5GNq/F4lepT2fF/lTLweNhSJgdzPg59/NGjf9ZBD14d/RmrRCgR
KLlIjavWH8fGOAecBcyz7zVJAadQFOVy4DuCyOrvcVMJ6cCPjfv+oZD1r2COhPHW
9kYlHo5icgJQU8m796+H4pC9a71ckCFZ2EZ7uy8nWS1SG7WmUMJjE5lryt4O9MFt
8mmiJFXZGpX1gfaq2xHLkptGNMoaTkl+id2Vr/j2ATSCXHV3oNs4+IQLThp9vZ0Y
q+fajmn0Yp0sO34/vWmDzoxvNWTuwf+LgPjFNsirG80a1Ivv2XtHaxh8G2xTCZh4
L6gv9PT3ha/UK2RKQxB7atIt/LS2I+DqD72TckY69JygqFg43Q+QAdGQKn1YP2tA
pgs1SmgAtfOCPoph+4BYZAyIvmMzVDfAI4kjJE7AlZqAIwO3mIxaDFEd1OW3u/JY
fYAMTYnQVg9Ld8+b+XPY
=QCuy
-----END PGP SIGNATURE-----