(CVE-2021-3517) heap-buffer-overflow in entities.c:621
Hi, I found a vulnerability in current master 1358d157. There is a heap-buffer-overflow read in entities.c:621 in xmlEncodeEntitiesInternal.
Build:

```sh
CFLAGS="-ggdb -fsanitize=address" ./configure
```

POC

Reproduce:

```sh
xmllint --recover --postvalid ./poc2
```

ASan report:
```
=================================================================
==94070==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000236 at pc 0x7f2cd187cffb bp 0x7ffd1ad80120 sp 0x7ffd1ad80110
READ of size 1 at 0x602000000236 thread T0
    #0 0x7f2cd187cffa in xmlEncodeEntitiesInternal /home/sqlab/libxml2/entities.c:621
    #1 0x7f2cd187d150 in xmlEncodeAttributeEntities /home/sqlab/libxml2/entities.c:798
    #2 0x7f2cd1913ad0 in xmlNodeListGetString__internal_alias /home/sqlab/libxml2/tree.c:1718
    #3 0x7f2cd1978a62 in xmlValidateElement__internal_alias /home/sqlab/libxml2/valid.c:6482
    #4 0x7f2cd1978ce3 in xmlValidateElement__internal_alias /home/sqlab/libxml2/valid.c:6501
    #5 0x7f2cd197b07c in xmlValidateDocument__internal_alias /home/sqlab/libxml2/valid.c:6941
    #6 0x564b9c1f68b0 in parseAndPrintFile /home/sqlab/libxml2/xmllint.c:2814
    #7 0x564b9c1fcf56 in main /home/sqlab/libxml2/xmllint.c:3753
    #8 0x7f2cd16200b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x564b9c1ecb2d in _start (/home/sqlab/libxml2/.libs/xmllint+0xfb2d)

0x602000000236 is located 0 bytes to the right of 6-byte region [0x602000000230,0x602000000236)
allocated by thread T0 here:
    #0 0x7f2cd1db3bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x7f2cd1a5788d in xmlBufResize /home/sqlab/libxml2/buf.c:827
    #2 0x7f2cd1a57fb3 in xmlBufAdd /home/sqlab/libxml2/buf.c:902
    #3 0x7f2cd1912955 in xmlStringLenGetNodeList__internal_alias /home/sqlab/libxml2/tree.c:1465
    #4 0x7f2cd1b842e2 in xmlSAX2AttributeNs /home/sqlab/libxml2/SAX2.c:2027
    #5 0x7f2cd1b86acc in xmlSAX2StartElementNs__internal_alias /home/sqlab/libxml2/SAX2.c:2397
    #6 0x7f2cd18e378d in xmlParseStartTag2 /home/sqlab/libxml2/parser.c:9612
    #7 0x7f2cd18e7c38 in xmlParseElementStart /home/sqlab/libxml2/parser.c:9982
    #8 0x7f2cd18e70d3 in xmlParseContent__internal_alias /home/sqlab/libxml2/parser.c:9882
    #9 0x7f2cd18e7528 in xmlParseElement__internal_alias /home/sqlab/libxml2/parser.c:9932
    #10 0x7f2cd18f06f1 in xmlParseDocument__internal_alias /home/sqlab/libxml2/parser.c:10768
    #11 0x7f2cd190b48e in xmlDoRead /home/sqlab/libxml2/parser.c:15122
    #12 0x7f2cd190b6a2 in xmlReadFile__internal_alias /home/sqlab/libxml2/parser.c:15184
    #13 0x564b9c1f4cae in parseAndPrintFile /home/sqlab/libxml2/xmllint.c:2403
    #14 0x564b9c1fcf56 in main /home/sqlab/libxml2/xmllint.c:3753
    #15 0x7f2cd16200b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sqlab/libxml2/entities.c:621 in xmlEncodeEntitiesInternal
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 06 fa fa fa 00 01 fa fa 00 01 fa fa 07 fa
  0x0c047fff8010: fa fa 00 03 fa fa 06 fa fa fa 00 01 fa fa 05 fa
  0x0c047fff8020: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 04 fa
  0x0c047fff8030: fa fa 00 03 fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fff8040: fa fa 04 fa fa fa[06]fa fa fa fd fd fa fa fd fa
  0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff8060: fa fa 07 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==94070==ABORTING
```