GNOME Bugzilla – Bug 764427
CVE-2016-2073 Buffer overread in xmlDictLookup with POC
Last modified: 2016-06-16 19:29:47 UTC
Created attachment 325104
Put under doc/examples, "make io2" and "./io2" to see the seg fault

Hi,

I don't see any bug filed specifically for CVE-2016-2073:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073

This one needs the name to be after DOCTYPE:
https://bugzilla.gnome.org/show_bug.cgi?id=749115

and this one is too vague:
https://bugzilla.gnome.org/show_bug.cgi?id=763686

Summary:

htmlParserNameComplex in HTMLparser.c is doing

return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));

however, ctxt->input->cur is sometimes relocated and the pointer arithmetic is incorrect, pointing to the left of an allocated block.

Steps to reproduce:

The PoC in the CVE needs to be run with Address Sanitizer in order to expose the issue, but I've managed to get a Segmentation Fault by allocating a huge chunk of the stack, so it can be reproduced without instrumentation. Just overwrite io2.c in the doc/examples directory with the one attached and you'll probably see the segfault unless by chance it hits a valid memory location...

Best,
Sergio
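To make the relocation problem in the summary above concrete, here is a small constructed model added for this page (it is not libxml2 code and not the fix from the linked commit): input_t, input_shrink, scan_name and the offset helpers are hypothetical names, and the shrink stands in for whatever moved ctxt->input->cur in the real parser. It shows why "cur - len" lands before the block once the buffer has moved mid-name, and the bounds check a defender wants before the dictionary lookup.

```c
#include <ctype.h>
#include <string.h>
/* Constructed model of a parser input: base = first live byte, cur = next
 * unread byte, end = one past the last byte (the shape of xmlParserInput). */
typedef struct { char buf[64]; const char *base, *cur, *end; } input_t;
static input_t g_in;  /* shared instance so the scenario below is callable by name */
static void input_init(input_t *in, const char *text) {
    size_t n = strlen(text);
    if (n > sizeof in->buf) n = sizeof in->buf;   /* constructed input must fit */
    memcpy(in->buf, text, n);
    in->base = in->cur = in->buf;
    in->end = in->buf + n;
}

/* Model of a shrink: consumed bytes are discarded and the live window slides
 * to the front of the buffer, so cur moves and the bytes before it are gone. */
static void input_shrink(input_t *in) {
    size_t live = (size_t)(in->end - in->cur);
    memmove(in->buf, in->cur, live);
    in->cur = in->buf;
    in->end = in->buf + live;
}

/* Scan an alphanumeric name and return its byte length. If shrink_after > 0, a
 * shrink fires mid-name after that many bytes, mimicking a buffer relocation. */
static int scan_name(input_t *in, int shrink_after) {
    int len = 0;
    while (in->cur < in->end && isalnum((unsigned char)*in->cur)) {
        in->cur++;
        len++;
        if (shrink_after > 0 && len == shrink_after)
            input_shrink(in);
    }
    return len;
}
/* The report's "cur - len", evaluated as an offset from base so it is safe to
 * compute here: a negative value means the pointer would precede the block. */
static long naive_start_offset(const input_t *in, int len) {
    return (long)(in->cur - in->base) - len;
}
/* Hardened variant: refuse the lookup (-1) instead of forming the pointer. */
static long checked_start_offset(const input_t *in, int len) {
    long off = naive_start_offset(in, len);
    return off < 0 ? -1 : off;
}
/* Scenario: scan the constructed name "abcdef" (followed by '>') from g_in. */
static int scan_demo(int shrink_after) {
    input_init(&g_in, "abcdef>");
    return scan_name(&g_in, shrink_after);
}
```

Without a relocation the name starts at offset 0; with a shrink after three bytes the same six-byte name yields an offset of -3, which is the out-of-bounds read the report describes, and the checked variant rejects it.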
Created attachment 329909
PoC

To reproduce with an ASan build:

./xmllint --html bug-764427-poc.html
Using git bisect, I verified this was fixed by:
<https://bugzilla.gnome.org/show_bug.cgi?id=758605>
<https://git.gnome.org/browse/libxml2/commit/?id=a820dbeac29d330bae4be05d9ecd939ad6b4aa33>

That commit was part of libxml2 v2.9.4.

Thanks for posting this bug!

*** This bug has been marked as a duplicate of bug 758605 ***