oss-sec mailing list archives
CVE request: out-of-bounds read parsing an XML in libxml2 using recover mode
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Tue, 3 May 2016 18:36:50 +0200
Hi,

We found an out-of-bounds read parsing a specially crafted XML in libxml2 if recover mode is used. It affects all versions. It was discovered before by another guy but for some reason, never reported or fixed. Since upstream is not responding, I think it is a good time to publish some details here.

$ xmllint -recover ohizsmaase.xml.-6355798974422201279
...
==2994== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000d5d3 at pc 0x73320a bp 0x7fffffffc1e0 sp 0x7fffffffc1d8
READ of size 1 at 0x60040000d5d3 thread T0
...
0x60040000d5d3 is located 0 bytes to the right of 3-byte region [0x60040000d5d0,0x60040000d5d3)

And the backtrace is here:

...
#7 0x000000000073320a in xmlBufAttrSerializeTxtContent (buf=0x600c0000a7c0, doc=0x601e0000ef50, attr=0x601000007ea0, string=0x60040000d5d0 <incomplete sequence \341>) at xmlsave.c:2057
#8 0x000000000072af0b in xmlAttrSerializeContent (buf=0x600c0000a820, attr=0x601000007ea0) at xmlsave.c:443
#9 0x000000000072c36c in xmlAttrDumpOutput (ctxt=0x601c0000ca60, cur=0x601000007ea0) at xmlsave.c:780
#10 0x000000000072c3b2 in xmlAttrListDumpOutput (ctxt=0x601c0000ca60, cur=0x601000007ea0) at xmlsave.c:797
#11 0x000000000072dc22 in xmlNodeDumpOutputInternal (ctxt=0x601c0000ca60, cur=0x60180000b440) at xmlsave.c:1055
#12 0x000000000072ef8a in xmlDocContentDumpOutput (ctxt=0x601c0000ca60, cur=0x601e0000ef50) at xmlsave.c:1234
#13 0x000000000073246c in xmlSaveDoc (ctxt=0x601c0000ca60, doc=0x601e0000ef50) at xmlsave.c:1936
#14 0x000000000040a238 in parseAndPrintFile (filename=0x7fffffffe759 "ohizsmaase.xml.-6355798974422201279", rectxt=0x0) at xmllint.c:2689
#15 0x000000000040fe5e in main (argc=3, argv=0x7fffffffe4a8) at xmllint.c:3739

A reproducer is available upon request. Please assign a CVE if necessary.

Regards,
Gustavo.
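The backtrace above ends in attribute serialization, with gdb describing the string as an incomplete UTF-8 sequence (\341 is 0xE1, a three-byte lead) and ASan reporting a one-byte read just past a 3-byte heap region. As an added example that is not libxml2 code and not the reporter's reproducer, the C program below shows an attribute-value serializer that escapes the XML-special characters and decodes UTF-8 without fetching a continuation byte until the previous byte has been checked, so a lead byte sitting right before the terminator is emitted as a character reference instead of driving a read past the buffer. That the crash stems from unchecked continuation-byte fetches is an inference from the backtrace, not something the post states; the input strings, the "x\xE1" case that mirrors the 3-byte region, and the helper names (serialize_attr_value, check_serialize, ob_put, codepoint_ok) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable output buffer (example helper, not a libxml2 API). */
struct outbuf { char *p; size_t len, cap; };

static int ob_put(struct outbuf *ob, const char *s)
{
    size_t n = strlen(s);
    if (ob->len + n + 1 > ob->cap) {
        size_t ncap = ob->cap ? ob->cap : 64;
        while (ncap < ob->len + n + 1) ncap *= 2;
        char *np = realloc(ob->p, ncap);
        if (np == NULL) return -1;
        ob->p = np;
        ob->cap = ncap;
    }
    memcpy(ob->p + ob->len, s, n + 1);
    ob->len += n;
    return 0;
}

/* XML Char production for code points >= 0x80, plus overlong and surrogate rejection. */
static int codepoint_ok(unsigned int val, int need)
{
    if (need == 3 && val < 0x800) return 0;          /* overlong 3-byte form */
    if (need == 4 && val < 0x10000) return 0;        /* overlong 4-byte form */
    if (val >= 0xD800 && val <= 0xDFFF) return 0;    /* UTF-16 surrogates */
    if (val == 0xFFFE || val == 0xFFFF) return 0;
    return val <= 0x10FFFF;
}

/*
 * Serialize a NUL-terminated attribute value.  XML-special characters are
 * escaped, well-formed UTF-8 sequences are copied through, and any byte that
 * does not begin a complete, well-formed sequence is emitted as a hex
 * character reference and counted in *bad.  The invariant that prevents an
 * over-read lives in the inner loop: byte k+1 is only fetched after byte k
 * was seen to be a 10xxxxxx continuation byte, so the terminating NUL (or a
 * stray byte) stops the walk before the decoder steps past the buffer.
 * Returns a malloc'd string, or NULL on allocation failure.
 */
char *serialize_attr_value(const unsigned char *s, size_t *bad)
{
    struct outbuf ob = { NULL, 0, 0 };
    size_t nbad = 0;
    const unsigned char *cur = s;

    while (*cur != 0) {
        unsigned char c = *cur;
        const char *esc = NULL;
        switch (c) {
        case '<':  esc = "&lt;";   break;
        case '>':  esc = "&gt;";   break;
        case '&':  esc = "&amp;";  break;
        case '"':  esc = "&quot;"; break;
        case '\n': esc = "&#10;";  break;
        case '\r': esc = "&#13;";  break;
        case '\t': esc = "&#9;";   break;
        }
        if (esc != NULL) { if (ob_put(&ob, esc)) goto fail; cur++; continue; }
        if (c < 0x80) {
            char one[2] = { (char)c, 0 };
            if (ob_put(&ob, one)) goto fail;
            cur++;
            continue;
        }

        /* Expected sequence length from the lead byte; 0 = not a valid lead. */
        int need = 0, got = 1;
        unsigned int val = 0;
        if (c >= 0xC2 && c < 0xE0)      { need = 2; val = c & 0x1F; }
        else if (c >= 0xE0 && c < 0xF0) { need = 3; val = c & 0x0F; }
        else if (c >= 0xF0 && c < 0xF5) { need = 4; val = c & 0x07; }

        while (got < need) {
            unsigned char cc = cur[got];        /* safe: cur[got-1] was non-NUL */
            if ((cc & 0xC0) != 0x80) break;     /* NUL or non-continuation byte */
            val = (val << 6) | (cc & 0x3F);
            got++;
        }
        if (need == 0 || got < need || !codepoint_ok(val, need)) {
            char ref[16];
            snprintf(ref, sizeof ref, "&#x%02X;", (unsigned)c);
            if (ob_put(&ob, ref)) goto fail;
            nbad++;
            cur++;                              /* resynchronise one byte at a time */
            continue;
        }
        char seq[5];
        memcpy(seq, cur, (size_t)need);
        seq[need] = 0;
        if (ob_put(&ob, seq)) goto fail;
        cur += need;
    }
    if (ob.p == NULL && ob_put(&ob, "")) goto fail;   /* empty input -> "" */
    if (bad != NULL) *bad = nbad;
    return ob.p;
fail:
    free(ob.p);
    return NULL;
}

/* Returns 1 if serializing `in` yields `expect` with `expect_bad` replaced bytes. */
int check_serialize(const unsigned char *in, const char *expect, size_t expect_bad)
{
    size_t bad = 0;
    char *out = serialize_attr_value(in, &bad);
    int ok = out != NULL && strcmp(out, expect) == 0 && bad == expect_bad;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed inputs; "x\xE1" is a 3-byte region (x, 0xE1, NUL) whose last
       byte before the terminator is a three-byte lead, like the crash shape. */
    const unsigned char *samples[] = {
        (const unsigned char *)"a<b&\"c\n",
        (const unsigned char *)"caf\xC3\xA9",
        (const unsigned char *)"x\xE1",
        (const unsigned char *)"\xED\xA0\x80",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bad = 0;
        char *out = serialize_attr_value(samples[i], &bad);
        printf("sample %zu -> %s (bytes replaced: %zu)\n", i, out ? out : "(alloc failure)", bad);
        free(out);
    }
    return 0;
}
```

Resynchronising by a single byte after a bad sequence is a design choice: it keeps the output length bounded by a small multiple of the input and never skips a byte that might itself be a valid lead, which matters when the input came from a parser running in recover mode and may contain arbitrary byte junk.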
Current thread:
- CVE request: out-of-bounds read parsing an XML in libxml2 using recover mode Gustavo Grieco (May 03)
- Re: CVE request: out-of-bounds read parsing an XML in libxml2 using recover mode cve-assign (May 03)