libxml2 - DoS - null deref - xmlXPathCompOpEval
Vulnerability class: NULL pointer dereference, Denial of Service.
Description: There are two bugs in the XPath implementation in libxml2, in the file: https://github.com/GNOME/libxml2/blob/master/xpath.c
Function name: xmlXPathCompOpEval (both bugs are in this function)
Inside the big switch statement there are two bugs:
In case XPATH_OP_AND there is no NULL check in the following code:
    arg1 = valuePop(ctxt);            // this can return NULL
    arg1->boolval &= arg2->boolval;   // the application crashes here, resulting in a Denial of Service condition
In case XPATH_OP_OR there is no NULL check in the following code:
    arg1 = valuePop(ctxt);            // this can return NULL
    arg1->boolval |= arg2->boolval;   // crashes here because arg1 is NULL
Exploitability: The complexity is fairly low, as XPath expressions like the following are likely to be easy for a remote attacker to supply:
- true() and format-number(1, "", "")
- false() or format-number(1, "", "")
Proposed Fix: The fix should be easy: check arg1 for NULL before dereferencing it in both cases.
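As an added illustration (not libxml2's code and not part of the original report), here is a simplified C model of the value stack and the XPATH_OP_AND / XPATH_OP_OR evaluation path with the proposed NULL check applied. The stack layout, the error code and the operand encoding are assumptions; the failing operand mirrors the format-number(1, "", "") case above and is modelled as a call that pushes nothing onto the stack.

```c
/* Simplified model of the XPath value stack and the XPATH_OP_AND/XPATH_OP_OR
 * path with the proposed NULL check. Not libxml2's code; names are assumptions. */
#include <stdlib.h>
#define XPATH_INVALID_OPERAND 1   /* placeholder error code, not libxml2's */
#define OP_AND 0
#define OP_OR  1
typedef struct { int boolval; } xpobj;
typedef struct { xpobj *stack[8]; int top; int error; } xpctx;
static xpobj *value_pop(xpctx *c) { return c->top ? c->stack[--c->top] : NULL; }
static void   value_push(xpctx *c, xpobj *o) { c->stack[c->top++] = o; }
static xpobj *new_bool(int v) { xpobj *o = malloc(sizeof *o); o->boolval = v; return o; }

/* Operand model: 1 = true(), 0 = false(), -1 = a call such as
 * format-number(1, "", "") that fails and pushes nothing, without raising
 * an error the evaluator would have noticed before popping. */
static void eval_operand(xpctx *c, int op) { if (op >= 0) value_push(c, new_bool(op)); }

/* Returns 0 on success, XPATH_INVALID_OPERAND if an operand left the stack empty. */
static int eval_bool_op(xpctx *c, int kind, int lhs, int rhs) {
    eval_operand(c, lhs);
    xpobj *arg2 = value_pop(c);
    if (arg2 == NULL) return (c->error = XPATH_INVALID_OPERAND);
    /* Short-circuit: "false() and X" and "true() or X" never evaluate X,
     * which is why the reproducers above start with true() and / false() or. */
    if ((kind == OP_AND && !arg2->boolval) || (kind == OP_OR && arg2->boolval)) {
        value_push(c, arg2);
        return 0;
    }
    eval_operand(c, rhs);
    xpobj *arg1 = value_pop(c);          /* NULL when rhs pushed nothing */
    if (arg1 == NULL) {                  /* the proposed fix: check before use; */
        free(arg2);                      /* without it the &=/|= below would   */
        return (c->error = XPATH_INVALID_OPERAND); /* dereference NULL   */
    }
    if (kind == OP_AND) arg1->boolval &= arg2->boolval;
    else                arg1->boolval |= arg2->boolval;
    free(arg2);
    value_push(c, arg1);
    return 0;
}

/* Evaluates "lhs <op> rhs" on a fresh context: -1 on error, else the boolean. */
static int evaluate(int kind, int lhs, int rhs) {
    xpctx c = {0};
    if (eval_bool_op(&c, kind, lhs, rhs) != 0) return -1;
    xpobj *r = value_pop(&c);
    int v = r->boolval; free(r);
    return v;
}
```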
I've verified that this bug affects the latest PHP 5.6 with the xml module, which can cause a denial of service for applications accepting XPath/XSLT. It also affects Chrome (and I assume Safari too), but for browsers it's only a client-side tab crash.
I've added reproducers for both bugs, for browsers and for PHP.
For browser reproduction, open the HTML reproducers with your target browser (Chrome/Safari).
For PHP reproduction (PHP needs the xml module for DOM), make sure the PHP files and the .xsl files reside in the same directory and run the following commands:
    php -f xpath_or.php
    php -f xpath_and.php