oss-sec mailing list archives

Re: CVE requested: two stack exhaustation parsing xml files using mxml

From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Wed, 11 May 2016 22:44:13 +0200

2016-05-10 1:25 GMT+02:00  <cve-assign () mitre org>:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

We found two stack exhaustion conditions that can easily crash mxml
when parsing an xml.


(The two example XML documents seem dissimilar. For example,
stack-exhaustion-2.xml starts with "<?xml" whereas
stack-exhaustion-1.xml does not.)

Recursion using mxmlDelete at mxml-node.c:217 (stack-exhaustion-1.xml)


Use CVE-2016-4570.

Recursion using mxml_write_node at mxml-file.c:2739 (stack-exhaustion-2.xml)


Use CVE-2016-4571.


Thanks!

The report of these stack exhaustions is here:

http://www.msweet.org/bugs.php?U549 (but you need to register)

Just to clarify, since we compiled testmxml with ASAN, in order to
reproduce  using the attached files in the original binary it is
necessary to reduce a little the stack size, for instance:

$ ulimit -s 4000

The stack exhaustations are still possible with the original testmxml
binary, but it requires slightly bigger files.

Current thread:

CVE requested: two stack exhaustation parsing xml files using mxml Gustavo Grieco (May 07)
- Re: CVE requested: two stack exhaustation parsing xml files using mxml Gustavo Grieco (May 08)
- Re: CVE requested: two stack exhaustation parsing xml files using mxml cve-assign (May 09)
  - Re: CVE requested: two stack exhaustation parsing xml files using mxml Gustavo Grieco (May 11)