XML Entity Expansion (XXE) attack because XML_BUFFER_ALLOC_BOUNDED is not honored in the functions xmlBufferSetAllocationScheme, xmlBufferGrow, xmlBufferResize, xmlBufferAdd and xmlBufferAddHead of tree.c.
Several of these functions neither check for XML_BUFFER_ALLOC_BOUNDED nor check the resulting size: xmlBufferSetAllocationScheme, xmlBufferGrow, xmlBufferResize, xmlBufferAdd and xmlBufferAddHead in tree.c.
For example (function xmlBufferGrow of tree.c):
7264 int
7265 xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
7266     int size;
7267     xmlChar *newbuf;
7268
7269     if (buf == NULL) return(-1);
7270
7271     if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
7272     if (len + buf->use < buf->size) return(0);
7273
7274     /*
7275      * Windows has a BIG problem on realloc timing, so we try to double
7276      * the buffer size (if that's enough) (bug 146697)
7277      * Apparently BSD too, and it's probably best for linux too
7278      * On an embedded system this may be something to change
7279      */
7280 #if 1
7281     if (buf->size > len)
7282         size = buf->size * 2;
7283     else
7284         size = buf->use + len + 100;
7285 #else
7286     size = buf->use + len + 100;
7287 #endif
7288
7289     if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
7290         size_t start_buf = buf->content - buf->contentIO;
7291
7292         newbuf = (xmlChar *) xmlRealloc(buf->contentIO, start_buf + size);
7293         if (newbuf == NULL) {
7294             xmlTreeErrMemory("growing buffer");
7295             return(-1);
7296         }
7297         buf->contentIO = newbuf;
7298         buf->content = newbuf + start_buf;
7299     } else {
7300         newbuf = (xmlChar *) xmlRealloc(buf->content, size);
Before line 7289, we should check whether buf->alloc equals XML_BUFFER_ALLOC_BOUNDED and, if it does, check the computed size against XML_MAX_TEXT_LENGTH.
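As an added illustration (not libxml2's code and not the attached patch), the following self-contained C model shows the check this report proposes: a buffer whose allocation scheme is bounded refuses any growth that would carry its content past a maximum text length, while the default doubling scheme keeps growing without limit. The demo_ names and the DEMO_MAX_TEXT_LENGTH value are constructed stand-ins for the xmlBuffer API and for XML_MAX_TEXT_LENGTH; the limit is kept small so the refusal path can be exercised quickly.

```c
/* Added example modelling a bounded buffer growth check; illustrative
 * code, not libxml2's tree.c. All demo_ identifiers are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for XML_MAX_TEXT_LENGTH (libxml2's value is far
 * larger); small on purpose so the bound is reached in a few appends. */
#define DEMO_MAX_TEXT_LENGTH 4096

typedef enum {
    DEMO_ALLOC_DOUBLEIT,  /* double on grow, no upper bound (default scheme) */
    DEMO_ALLOC_BOUNDED,   /* double on grow, but never past DEMO_MAX_TEXT_LENGTH */
    DEMO_ALLOC_IMMUTABLE  /* never grows */
} demo_alloc_scheme;

typedef struct {
    unsigned char *content;  /* NUL-terminated payload */
    size_t use;              /* bytes in use, excluding the terminator */
    size_t size;             /* bytes allocated; invariant: use < size */
    demo_alloc_scheme alloc;
} demo_buf;

demo_buf *demo_buf_create(size_t initial, demo_alloc_scheme scheme) {
    demo_buf *buf;
    if (initial == 0) initial = 1;
    buf = malloc(sizeof *buf);
    if (buf == NULL) return NULL;
    buf->content = malloc(initial);
    if (buf->content == NULL) { free(buf); return NULL; }
    buf->content[0] = 0;
    buf->use = 0;
    buf->size = initial;
    buf->alloc = scheme;
    return buf;
}

void demo_buf_free(demo_buf *buf) {
    if (buf == NULL) return;
    free(buf->content);
    free(buf);
}

/* Make room for len more bytes plus a terminator. Returns 0 on success,
 * -1 on failure. The bounded check is the one the report asks for. */
int demo_buf_grow(demo_buf *buf, size_t len) {
    size_t size;
    unsigned char *newbuf;

    if (buf == NULL) return -1;
    if (buf->alloc == DEMO_ALLOC_IMMUTABLE) return 0;
    /* Overflow-safe form of "len + use < size": already enough room. */
    if (len < buf->size - buf->use) return 0;

    /* A bounded buffer refuses growth that would exceed the limit
     * (including the terminator byte), instead of reallocating. */
    if (buf->alloc == DEMO_ALLOC_BOUNDED && len >= DEMO_MAX_TEXT_LENGTH - buf->use) {
        fputs("demo_buf_grow: bounded buffer would exceed the limit\n", stderr);
        return -1;
    }

    /* Same doubling heuristic as the original code. */
    if (buf->size > len)
        size = buf->size * 2;
    else
        size = buf->use + len + 100;

    /* Clamp so a bounded buffer never allocates past the limit; the check
     * above guarantees use + len < limit, so the clamp still leaves room. */
    if (buf->alloc == DEMO_ALLOC_BOUNDED && size > DEMO_MAX_TEXT_LENGTH)
        size = DEMO_MAX_TEXT_LENGTH;

    newbuf = realloc(buf->content, size);
    if (newbuf == NULL) return -1;
    buf->content = newbuf;
    buf->size = size;
    return 0;
}

/* Append len bytes; returns 0 on success, -1 if the buffer refused. */
int demo_buf_add(demo_buf *buf, const unsigned char *str, size_t len) {
    if (buf == NULL || str == NULL) return -1;
    if (buf->alloc == DEMO_ALLOC_IMMUTABLE) return -1;
    if (demo_buf_grow(buf, len) < 0) return -1;
    memcpy(buf->content + buf->use, str, len);
    buf->use += len;
    buf->content[buf->use] = 0;
    return 0;
}

/* Append up to `rounds` constructed chunks of `chunk` bytes and report
 * how many the buffer accepted before refusing. */
size_t demo_fill(demo_alloc_scheme scheme, size_t chunk, size_t rounds) {
    demo_buf *buf = demo_buf_create(64, scheme);
    unsigned char *data = malloc(chunk ? chunk : 1);
    size_t accepted = 0;
    if (buf != NULL && data != NULL) {
        memset(data, 'A', chunk);
        for (size_t i = 0; i < rounds; i++) {
            if (demo_buf_add(buf, data, chunk) < 0) break;
            accepted++;
        }
    }
    free(data);
    demo_buf_free(buf);
    return accepted;
}

int main(void) {
    printf("bounded:  accepted %zu of 10 chunks of 1000 bytes\n",
           demo_fill(DEMO_ALLOC_BOUNDED, 1000, 10));
    printf("doubleit: accepted %zu of 10 chunks of 1000 bytes\n",
           demo_fill(DEMO_ALLOC_DOUBLEIT, 1000, 10));
    return 0;
}
```

With a 4096-byte limit the bounded buffer accepts four 1000-byte chunks and refuses the fifth, whereas the doubling scheme accepts all ten; in the real library the corresponding check is what keeps an attacker-controlled entity expansion from driving a buffer marked bounded past XML_MAX_TEXT_LENGTH.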
The attached file, 0001-Introduce-a-new-allocation-type-for-the-buffers.patch, is the proposed patch for these functions.