Subject: Buffer overflow in Expat.xs (patch)
While looking through the Expat.xs code, I noticed a potential heap
buffer overflow:
Expat.xs, line 498:

    if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
        unsigned int newsize = cbv->st_serial_stacksize + 512;
        Renew(cbv->st_serial_stack, newsize, unsigned int);
        cbv->st_serial_stacksize = newsize;
    }
    cbv->st_serial_stack[++cbv->st_serial_stackptr] = cbv->st_serial;
Note that in the case (stackptr == stacksize - 1), the stack will NOT be
expanded. Then the new value will be written at location (++stackptr),
which equals stacksize and therefore falls just outside the allocated
buffer.
The bug can be observed using Valgrind when parsing an XML file with
very deep element nesting.
A simple fix is to change the test to:

    if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
Package: XML-Parser-2.34
Perl version: v5.8.5 built for i386-linux-thread-multi
OS: Fedora Core release 3
Bye,
Joris.
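The off-by-one described in the report, re-created as an added stand-alone example (not XML::Parser's code): a hypothetical `serial_stack` mirrors the `st_serial_stack` / `st_serial_stackptr` / `st_serial_stacksize` fields, `Renew()` is modelled with `realloc()`, the field types and the initial state (empty buffer, `stackptr` 0) are assumptions, and the push uses the same pre-increment as Expat.xs. Rather than actually writing past the allocation, the simulation counts any push whose index reaches `stacksize`, so the original test and the patched test can be compared safely for an arbitrary nesting depth.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the cbv->st_serial_stack fields in Expat.xs;
 * the field types are an assumption, and Renew() is modelled with realloc(). */
typedef struct {
    unsigned int *stack;     /* heap buffer of `stacksize` slots */
    unsigned int stackptr;   /* index of the last pushed element (push pre-increments) */
    unsigned int stacksize;  /* slots currently allocated */
    unsigned int oob_writes; /* pushes whose index reached or passed stacksize */
} serial_stack;

#define GROW_BY 512          /* growth increment used in the original */

/* One push, with either the original test (fixed_check == 0) or the
 * patched test (fixed_check != 0). An out-of-bounds index is counted and
 * the write refused, so the simulation itself stays memory-safe.
 * Returns 1 for a push that would have written outside the buffer. */
static int push_serial(serial_stack *s, unsigned int value, int fixed_check)
{
    int need_grow = fixed_check ? (s->stackptr + 1 >= s->stacksize)
                                : (s->stackptr >= s->stacksize);
    if (need_grow) {
        unsigned int newsize = s->stacksize + GROW_BY;
        unsigned int *p = realloc(s->stack, newsize * sizeof *p);
        if (p == NULL)
            abort();
        s->stack = p;
        s->stacksize = newsize;
    }
    unsigned int idx = ++s->stackptr;      /* same pre-increment as the original */
    if (idx >= s->stacksize) {             /* the slot just past the allocation */
        s->oob_writes++;
        return 1;
    }
    s->stack[idx] = value;
    return 0;
}

/* Push `pushes` values onto a fresh stack and report how many of them
 * would have landed outside the allocation; 0 means the check is safe. */
unsigned int count_oob_pushes(unsigned int pushes, int fixed_check)
{
    serial_stack s = { NULL, 0, 0, 0 };
    for (unsigned int i = 0; i < pushes; i++)
        push_serial(&s, i, fixed_check);
    unsigned int oob = s.oob_writes;
    free(s.stack);
    return oob;
}

int main(void)
{
    /* 2000 pushes models a document with 2000 nested elements (constructed input) */
    printf("original check: %u out-of-bounds write(s)\n", count_oob_pushes(2000, 0));
    printf("patched check:  %u out-of-bounds write(s)\n", count_oob_pushes(2000, 1));
    return 0;
}
```

With the original test the first bad write happens on the 512th push (stackptr is 511, the test `511 >= 512` is false, and the pre-increment then writes slot 512 of a 512-slot buffer), and the pattern repeats once per 512-slot growth step; with the patched test no push lands out of bounds at any depth.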
Subject: XML-Parser-2.34-stackoveflow.patch
diff -urN -U 5 XML-Parser-2.34.orig/Expat/Expat.xs XML-Parser-2.34/Expat/Expat.xs
--- XML-Parser-2.34.orig/Expat/Expat.xs 2003-07-28 16:41:10.000000000 +0200
+++ XML-Parser-2.34/Expat/Expat.xs 2006-06-13 11:23:40.000000000 +0200
@@ -493,11 +493,11 @@
resume_callbacks(cbv);
cbv->skip_until = 0;
}
}
- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
+ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
unsigned int newsize = cbv->st_serial_stacksize + 512;
Renew(cbv->st_serial_stack, newsize, unsigned int);
cbv->st_serial_stacksize = newsize;
}
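Review bot: the changed test `cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize` is the right form because the push that follows this block uses pre-increment (`cbv->st_serial_stack[++cbv->st_serial_stackptr]`), so the slot about to be written is stackptr + 1 and the old test let a push at stackptr == stacksize - 1 land exactly one element past the allocation. Keep the `+ 1` on the left rather than rewriting it as `stackptr >= stacksize - 1`: the counters are unsigned (`unsigned int newsize = cbv->st_serial_stacksize + 512`), and a `- 1` on a still-zero stacksize would wrap. Suggest a one-line comment next to the test tying the `+ 1` to the pre-increment so a later cleanup does not revert it, and a regression test that parses a document nested deeper than the 512-slot growth increment under Valgrind, as the report describes.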