DoS in libxml2 if lzma is enabled [CVE-2018-14567]

Dear all,

the following DoS was found by a modified version of the kAFL fuzzer (https://github.com/RUB-SysSec/kAFL).
I have attached the .libs directory (libs.zip) and the dos_file.

To reproduce the issue compile libxml2 with liblzma and open the dos_file:

$ git clone git://git.gnome.org/libxml2 && cd libxml2/
$ ./autogen.sh
$ make
$ LD_LIBRARY_PATH=.libs/ ldd .libs/xmllint
	[...]
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007faba9dd0000)
$ LD_LIBRARY_PATH=.libs/ .libs/xmllint dos_file

We can verify the issue against commit 35e83488.

Credits: Simon Wörner, Sergej Schumilo, Cornelius Aschermann (all of Ruhr-Universität Bochum)

Edited Jul 23, 2018 by Ghost User