From tim at vmware.com  Wed Feb 24 01:14:13 2010
From: tim at vmware.com (Tim Boddy)
Date: Tue, 23 Feb 2010 16:14:13 -0800
Subject: [Expat-bugs] Probable bug in poolGrow in xmlparse.cpp (as of 2.0.1)
Message-ID: <86768F570902B84C95AF0F15A5F909A3019509C53A@EXCH-MBX-2.vmware.com>

poolGrow in xml.parse.cpp has the following block of code:


  if (pool->blocks && pool->start == pool->blocks->s) {
    int blockSize = (int)(pool->end - pool->start)*2;
    pool->blocks = (BLOCK *)
      pool->mem->realloc_fcn(pool->blocks,
                             (offsetof(BLOCK, s)
                              + blockSize * sizeof(XML_Char)));
    if (pool->blocks == NULL)
      return XML_FALSE;
    pool->blocks->size = blockSize;
    pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
    pool->start = pool->blocks->s;
    pool->end = pool->start + blockSize;
  }
It looks like this will cause a memory leak if realloc_fcn returns NULL because pool->blocks will be overwritten but the old memory area to which it pointed won't be freed.

The other places where reallocation is done in this file (via the REALLOC macro) don't have this bug because they correctly store the result in a temporary variable.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.libexpat.org/pipermail/expat-bugs/attachments/20100223/02c8eb6d/attachment.html>

From tim at vmware.com  Wed Feb 24 20:43:01 2010
From: tim at vmware.com (Tim Boddy)
Date: Wed, 24 Feb 2010 11:43:01 -0800
Subject: [Expat-bugs] Probable bug in poolGrow in xmlparse.cpp (as of 2.0.1)
Message-ID: <86768F570902B84C95AF0F15A5F909A3019509C53F@EXCH-MBX-2.vmware.com>

poolGrow in xml.parse.cpp has the following block of code:

  if (pool->blocks && pool->start == pool->blocks->s) {
    int blockSize = (int)(pool->end - pool->start)*2;
    pool->blocks = (BLOCK *)
      pool->mem->realloc_fcn(pool->blocks,
                             (offsetof(BLOCK, s)
                              + blockSize * sizeof(XML_Char)));
    if (pool->blocks == NULL)
      return XML_FALSE;
    pool->blocks->size = blockSize;
    pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
    pool->start = pool->blocks->s;
    pool->end = pool->start + blockSize;
  }
It looks like this will cause a memory leak if realloc_fcn returns NULL because pool->blocks will be overwritten but the old memory area to which it pointed won't be freed.

The other places where reallocation is done in this file (via the REALLOC macro) don't have this bug because they correctly store the result in a temporary variable.



This bug allows a serious DOS attack on a server that accepts XML-based requests if a request is seen of the following form:
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
<!ENTITY n "&m;&m;&m;&m;&m;&m;&m;&m;" >
]>
<foo bar="&n;"/>
When the attribute is expanded, the realloc (assuming that it bounds the size of the request) will fail, leaking the buffer from before the realloc.


This bug was also present in older versions (e.g. 1.95.8)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.libexpat.org/pipermail/expat-bugs/attachments/20100224/391056d8/attachment.html>

From noreply at sourceforge.net  Thu Feb 25 17:17:04 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Thu, 25 Feb 2010 16:17:04 +0000
Subject: [Expat-bugs] [ expat-Bugs-2958794 ] memory leak in poolGrow
Message-ID: <E1NkgOe-00054q-SL@sfs-web-8.v29.ch3.sourceforge.com>

Bugs item #2958794, was opened at 2010-02-25 08:17
Message generated for change (Tracker Item Submitted) made by timboddy
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Tim Boddy (timboddy)
Assigned to: Nobody/Anonymous (nobody)
Summary: memory leak in poolGrow

Initial Comment:
This bug applies at least to 1.95.8, 2.0.0 and 2.0.1

poolGrow in xml.parse.cpp has the following block of code:
 
  if (pool->blocks && pool->start == pool->blocks->s) {
    int blockSize = (int)(pool->end - pool->start)*2;
    pool->blocks = (BLOCK *)
      pool->mem->realloc_fcn(pool->blocks,
                             (offsetof(BLOCK, s)
                              + blockSize * sizeof(XML_Char)));
    if (pool->blocks == NULL)
      return XML_FALSE;
    pool->blocks->size = blockSize;
    pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
    pool->start = pool->blocks->s;
    pool->end = pool->start + blockSize;
  }

It looks like this will cause a memory leak if realloc_fcn returns NULL because pool->blocks will be overwritten but the old memory area to which it pointed won't be freed.
 
The other places where reallocation is done in this file (via the REALLOC macro) don't have this bug because they correctly store the result in a temporary variable.
 
 
 
This bug allows a serious DOS attack on a server that accepts XML-based requests if a request is seen of the following form:
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
<!ENTITY n "&m;&m;&m;&m;&m;&m;&m;&m;" >
]>
<foo bar="&n;"/>

When the attribute is expanded, the realloc (assuming that it bounds the size of the request) will fail, leaking the buffer from before the realloc.
 


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127

From noreply at sourceforge.net  Thu Feb 25 19:38:27 2010
From: noreply at sourceforge.net (SourceForge.net)
Date: Thu, 25 Feb 2010 18:38:27 +0000
Subject: [Expat-bugs] [ expat-Bugs-2958794 ] memory leak in poolGrow
Message-ID: <E1NkibT-0008Iw-05@sfs-web-9.v29.ch3.sourceforge.com>

Bugs item #2958794, was opened at 2010-02-25 11:17
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
>Group: Test Required
Status: Open
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Tim Boddy (timboddy)
>Assigned to: Karl Waclawek (kwaclaw)
Summary: memory leak in poolGrow

Initial Comment:
This bug applies at least to 1.95.8, 2.0.0 and 2.0.1

poolGrow in xml.parse.cpp has the following block of code:
 
  if (pool->blocks && pool->start == pool->blocks->s) {
    int blockSize = (int)(pool->end - pool->start)*2;
    pool->blocks = (BLOCK *)
      pool->mem->realloc_fcn(pool->blocks,
                             (offsetof(BLOCK, s)
                              + blockSize * sizeof(XML_Char)));
    if (pool->blocks == NULL)
      return XML_FALSE;
    pool->blocks->size = blockSize;
    pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
    pool->start = pool->blocks->s;
    pool->end = pool->start + blockSize;
  }

It looks like this will cause a memory leak if realloc_fcn returns NULL because pool->blocks will be overwritten but the old memory area to which it pointed won't be freed.
 
The other places where reallocation is done in this file (via the REALLOC macro) don't have this bug because they correctly store the result in a temporary variable.
 
 
 
This bug allows a serious DOS attack on a server that accepts XML-based requests if a request is seen of the following form:
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" >
<!ENTITY n "&m;&m;&m;&m;&m;&m;&m;&m;" >
]>
<foo bar="&n;"/>

When the attribute is expanded, the realloc (assuming that it bounds the size of the request) will fail, leaking the buffer from before the realloc.
 


----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2010-02-25 13:38

Message:
Fixed in xmlparse.ca rev. 1.167.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127