[xml/sgml-pkgs] Bug#378411: Buffer overflow in XML::Parser::Expat triggered by utf8

Joris van Rantwijk rantwijk at science.uva.nl
Sun Jul 16 06:58:21 UTC 2006


Package: libxml-parser-perl
Version: 2.34-4
Severity: grave

A heap overflow can be triggered in the Expat library wrapper
when running on an input stream in non-raw mode. This bug has
also been reported at CPAN:
  http://rt.cpan.org/Ticket/Display.html?id=19859

The following example program will crash with a segmentation fault
on certain input:
--
use strict;
use encoding 'utf8';
use XML::Parser;
my $parser = XML::Parser->new();
$parser->parse(\*STDIN);
--

The following program generates example input on which the above
program crashes:
--
binmode(STDOUT, ':bytes');
print "<s>\n";
for (my $i = 0; $i < 40000; $i++) { print chr(0xc3) . chr(0xa9); }
print "\n</s>\n";
--

The overflow occurs in libxml-parser-perl-2.34/Expat/Expat.xs, line 388:
  Copy(tb, buffer, br, char)

At this point, the Expat wrapper assumes that the number of bytes
copied (br) cannot exceed the number of characters read from the
input (buffsize). This assumption is incorrect if the input stream is
in a non-raw mode.

The best solution is to have the Perl programmer set the stream
to raw mode, since libexpat expects raw bytes anyway. In the example
program above, this could be accomplished either by removing the
statement "use encoding 'utf8'" or by adding the statement
"binmode(STDIN,':bytes')".

I think, however, that a segmentation fault is not a good way
to inform a Perl programmer that he made a mistake. So this
buffer overflow must still be fixed.

Since it involves an input-triggered heap overflow, this is
technically a security vulnerability.

Joris.
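As an added illustration (not part of the report or of XML::Parser's own code), a small C model of the byte-versus-character mismatch described above: utf8_span_bytes counts how many bytes a utf8-layer read of N characters actually delivers, and feed_checked is a hypothetical bounds-checked stand-in for the Copy(tb, buffer, br, char) call that refuses the copy instead of writing past the buffer. The input is constructed from the 0xC3 0xA9 pairs the report's generator emits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte span of the first `nchars` UTF-8 code points in s[0..len).
 * This mirrors how a Perl :utf8 layer counts: read(FH, $buf, N) yields
 * N characters, which can be far more than N bytes.
 * Returns 0 on malformed or truncated input. */
static size_t utf8_span_bytes(const unsigned char *s, size_t len, size_t nchars)
{
    size_t pos = 0;
    for (size_t n = 0; n < nchars && pos < len; n++) {
        unsigned char c = s[pos];
        size_t w;
        if (c < 0x80)              w = 1;
        else if ((c & 0xE0) == 0xC0) w = 2;
        else if ((c & 0xF0) == 0xE0) w = 3;
        else if ((c & 0xF8) == 0xF0) w = 4;
        else                         return 0;       /* stray continuation byte */
        if (pos + w > len) return 0;                 /* truncated sequence */
        for (size_t k = 1; k < w; k++)
            if ((s[pos + k] & 0xC0) != 0x80) return 0;
        pos += w;
    }
    return pos;
}

/* Hypothetical checked counterpart of Copy(tb, buffer, br, char):
 * copy only when the byte count fits the destination capacity.
 * Returns bytes copied, or -1 when br > buffsize (the assumption the
 * report identifies as wrong for non-raw streams). */
static long feed_checked(const unsigned char *tb, size_t br,
                         unsigned char *buffer, size_t buffsize)
{
    if (br > buffsize) return -1;
    memcpy(buffer, tb, br);
    return (long)br;
}

int main(void)
{
    /* Constructed input: four "e-acute" characters, encoded as 0xC3 0xA9 each. */
    static const unsigned char tb[] = "\xc3\xa9\xc3\xa9\xc3\xa9\xc3\xa9";
    unsigned char buffer[4];                 /* sized for buffsize = 4 */
    size_t buffsize = sizeof buffer;
    size_t br = utf8_span_bytes(tb, sizeof tb - 1, buffsize);   /* 4 chars -> 8 bytes */
    printf("chars requested: %zu, bytes delivered: %zu\n", buffsize, br);
    printf("checked copy: %ld (-1 means refused, would overflow)\n",
           feed_checked(tb, br, buffer, buffsize));
    br = utf8_span_bytes(tb, sizeof tb - 1, 2);                 /* 2 chars -> 4 bytes */
    printf("checked copy: %ld\n", feed_checked(tb, br, buffer, buffsize));
    return 0;
}
```

Setting the handle to raw mode with binmode(STDIN, ':bytes'), as the report recommends, makes the character count and the byte count coincide, which is why the check never fails on a raw stream.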
