Bug 317447 - invalid write in xmlStringLenDecodeEntities()
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: 2.6.22
Hardware: Other All
Importance: High critical
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2005-09-28 15:51 UTC by massimo morara
Modified: 2005-09-28 21:43 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description massimo morara 2005-09-28 15:51:39 UTC
Steps to reproduce:
I get a 'core' running the following simple program.

--- begin "test.cpp" ---

#include <cstdlib>      // EXIT_SUCCESS / EXIT_FAILURE
#include <string>
#include <iostream>

#include <libxml/parser.h>
#include <libxml/parserInternals.h>


int main (int     argc,
          char *  argv[])
 {
   int               i, ret(1);
   std::string       str("&quot;");   // a predefined entity: one byte once decoded
   xmlChar *         out(NULL);
   xmlFreeFunc       xmlFreeFn(NULL);
   xmlParserCtxtPtr  ctxt(NULL);

   (void)argc;
   (void)argv;

   // doubling 16 times gives 65536 copies of "&quot;" (393216 input bytes)
   for ( i = 0 ; i < 16 ; ++i )
      str += str;

   xmlInitParser();

   ctxt = xmlNewParserCtxt();

   // fetch libxml's own free() so the returned buffer is released by the right allocator
   if (    (0 == xmlMemGet(&xmlFreeFn, NULL, NULL, NULL))
        && xmlFreeFn
        && ctxt )
    {
      // decode every reference into a buffer the callee allocates (and should grow)
      out = xmlStringLenDecodeEntities(ctxt,
                                       reinterpret_cast<const xmlChar *>(str.c_str()),
                                       static_cast<int>(str.size()),
                                       XML_SUBSTITUTE_REF, 0, 0, 0);

      if ( out )
       {
         ret = 0;

         xmlFreeFn(out);
       }

      std::cout << "decode: " << (ret ? "ERROR" : "OK") << std::endl;

      xmlFreeParserCtxt(ctxt);
    }

   xmlCleanupParser();

   return( ret ? EXIT_FAILURE : EXIT_SUCCESS );
 }

--- end "test.cpp" ---

I suppose the problem is that xmlStringLenDecodeEntities() doesn't check the
buffer dimension (and doesn't realloc it) in a couple of cases: internal
predefined entities and numerical entities.

I propose the following patch:

--- init proposed patch ---

--- parser-2.6.22.c     2005-09-28 17:21:04.304772920 +0200
+++ parser.c    2005-09-28 17:24:05.711194952 +0200
@@ -2176,6 +2176,9 @@
            int val = xmlParseStringCharRef(ctxt, &str);
            if (val != 0) {
                COPY_BUF(0,buffer,nbchars,val);
+               if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+                   growBuffer(buffer);
+               }
            }
        } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
            if (xmlParserDebugEntities)
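Review bot: the new guard runs after COPY_BUF has already written the character reference, so it protects the next write rather than this one; that is only sound if the buffer always has more than XML_PARSER_BUFFER_SIZE bytes free before each copy and that headroom exceeds the longest byte sequence COPY_BUF can emit for a single value. A one-line comment stating that invariant beside the new `if` would let the check be reviewed in isolation. It is also worth confirming that growBuffer reports allocation failure through the same error path as the existing call sites in this function, since the new site inherits whatever it does.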
@@ -2187,6 +2190,9 @@
                (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
                if (ent->content != NULL) {
                    COPY_BUF(0,buffer,nbchars,ent->content[0]);
+                   if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+                       growBuffer(buffer);
+                   }
                } else {
                    xmlFatalErrMsg(ctxt, XML_ERR_INTERNAL_ERROR,
                            "predefined entity has no content\n");
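Review bot: same check as in the first hunk, so the two previously unguarded branches now match, but this branch copies only ent->content[0]; that is fine as long as a predefined entity's content is a single character, and that assumption deserves a comment next to the COPY_BUF, since the guard alone does not tell a reader whether longer content would be handled. Consider also folding the repeated `if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) growBuffer(buffer);` into a small macro used at every COPY_BUF site, so the check cannot be omitted again when a further branch is added.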

--- end proposed patch ---

Hoping this helps.

   massimo morara



Stack trace:
From 'valgrind'

Invalid write of size 1
at 0x1B92C342: xmlCopyCharMultiByte (parserInternals.c:892)
by 0x1B930854: xmlStringLenDecodeEntities (parser.c:2189)
by 0x8048CC4: main (test.cpp:36)


Other information:
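The two unguarded copies the report describes, the numeric character reference branch and the predefined-entity branch, are easiest to understand against a complete decoder that applies the same "copy, then keep headroom" invariant to every branch. What follows is an added example written for this page; it is not libxml2's code and not part of the bug report. The names decode_entities, grow_buffer, BUFFER_HEADROOM, decode_matches and decode_doubled_quot are invented, BUFFER_HEADROOM stands in for XML_PARSER_BUFFER_SIZE, and the decoder goes beyond the report by handling decimal and hexadecimal references and rejecting malformed ones.

```c
/* Added example (not libxml2 code): a stand-alone decoder for predefined entities and numeric
 * character references built around the "copy, then keep headroom" rule the patch adds.
 * Every name here (decode_entities, grow_buffer, BUFFER_HEADROOM, ...) is invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INITIAL_BUFFER_SIZE 64
#define BUFFER_HEADROOM      8  /* stand-in for XML_PARSER_BUFFER_SIZE: > 4 UTF-8 bytes + NUL */
static const struct { const char *name; char value; } predefined[] = {
    {"lt", '<'}, {"gt", '>'}, {"amp", '&'}, {"apos", '\''}, {"quot", '"'},
};

static int grow_buffer(char **buf, size_t *size)   /* doubles the buffer; 0 on failure */
{
    char *nbuf = realloc(*buf, *size * 2);
    if (nbuf == NULL) return 0;                     /* old buffer stays valid */
    *buf = nbuf; *size *= 2; return 1;
}

static size_t encode_utf8(unsigned long cp, char out[4])   /* 1 to 4 bytes; returns count */
{
    static const unsigned char lead[] = { 0x00, 0xC0, 0xE0, 0xF0 };
    size_t len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4, i;
    for (i = len - 1; i > 0; i--) { out[i] = (char)(0x80 | (cp & 0x3F)); cp >>= 6; }
    out[0] = (char)(lead[len - 1] | cp);
    return len;
}

/* Expand in[0..in_len). Returns a malloc'd NUL-terminated string (length in *out_len),
 * or NULL on malformed input or allocation failure. */
char *decode_entities(const char *in, size_t in_len, size_t *out_len)
{
    size_t size = INITIAL_BUFFER_SIZE, n = 0, k = 0, i = 0, name_len;
    const char *p = in, *end = in + in_len, *semi, *d;
    char *buf = malloc(size), tmp[4];
    unsigned long cp; int base, v;
    if (buf == NULL) return NULL;
    while (p < end) {
        if (*p != '&') {                                      /* literal byte */
            tmp[0] = *p++; k = 1;
        } else if ((semi = memchr(p, ';', (size_t)(end - p))) == NULL || semi == p + 1) {
            goto fail;                                        /* '&' without a terminated name */
        } else if (p[1] == '#') {                             /* numeric reference &#NN; / &#xHH; */
            d = p + 2; base = 10;
            if (d < semi && *d == 'x') { base = 16; d++; }
            for (cp = 0; d < semi; d++) {
                if (*d >= '0' && *d <= '9') v = *d - '0';
                else if (base == 16 && *d >= 'a' && *d <= 'f') v = *d - 'a' + 10;
                else if (base == 16 && *d >= 'A' && *d <= 'F') v = *d - 'A' + 10;
                else goto fail;
                cp = cp * (unsigned long)base + (unsigned long)v;
                if (cp > 0x10FFFF) goto fail;                 /* beyond the Unicode range */
            }
            if (cp == 0) goto fail;                           /* no digits at all, or U+0000 */
            k = encode_utf8(cp, tmp); p = semi + 1;
        } else {                                              /* named reference: predefined only */
            name_len = (size_t)(semi - p - 1);
            for (i = 0; i < 5; i++)
                if (strlen(predefined[i].name) == name_len && !memcmp(predefined[i].name, p + 1, name_len)) break;
            if (i == 5) goto fail;
            tmp[0] = predefined[i].value; k = 1; p = semi + 1;
        }
        /* Copy first, then keep BUFFER_HEADROOM bytes free for the next copy: the invariant the
         * patch restores in the two branches that lacked the check. */
        memcpy(buf + n, tmp, k);
        n += k;
        if (n > size - BUFFER_HEADROOM && !grow_buffer(&buf, &size)) goto fail;
    }
    buf[n] = '\0'; *out_len = n;
    return buf;
fail:
    free(buf);
    return NULL;
}

/* Decode `in` and compare with `expected` (NULL means decoding must fail); 1 on match. */
int decode_matches(const char *in, const char *expected)
{
    size_t n = 0;
    char *out = decode_entities(in, strlen(in), &n);
    int ok = (expected == NULL) ? (out == NULL)
           : (out != NULL && n == strlen(expected) && memcmp(out, expected, n) == 0);
    free(out);
    return ok;
}

/* The reporter's input shape: "&quot;" doubled `doublings` times (16 gives 65536 copies).
 * Returns the decoded length, or 0 if decoding failed. */
size_t decode_doubled_quot(int doublings)
{
    size_t len = 6, i, n = 0; char *in, *out;
    while (doublings-- > 0) len *= 2;
    if ((in = malloc(len)) == NULL) return 0;
    for (i = 0; i < len; i += 6) memcpy(in + i, "&quot;", 6);
    out = decode_entities(in, len, &n);
    free(in); free(out);
    return out ? n : 0;
}

int main(void)
{
    printf("decode: %s\n", decode_doubled_quot(16) == 65536 ? "OK" : "ERROR");
    return 0;
}
```

decode_doubled_quot(16) feeds the decoder the same 65536 copies of "&quot;" that the reporter's program builds; because the headroom check follows every copy, the buffer grows from 64 bytes as it fills instead of being overrun. The check-after-copy pattern is only sound because BUFFER_HEADROOM is larger than the longest single copy (4 bytes of UTF-8) plus the terminating NUL, which is the same relationship the patch relies on between XML_PARSER_BUFFER_SIZE and COPY_BUF.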
Comment 1 Daniel Veillard 2005-09-28 21:43:23 UTC
I don't know how you managed to run into this, but the patch and analysis
are right; applied in CVS.

   thanks a lot!

Daniel