https://sourceforge.net/p/ezxml/bugs/18/Recent changes to 18: NULL pointer defererence (ezxml_decode)enMon, 25 Oct 2021 08:37:22 -0000https://sourceforge.net/p/ezxml/bugs/18/?limit=25#a931<div class="markdown_content"><p>The issue is due to bogus input data where an entity reference does not end in a ';'. The proposed patch addresses this.</p></div>Egbert EichMon, 25 Oct 2021 08:37:22 -0000https://sourceforge.net544eb268a166ce1fbffbde885255faa0b9870f65https://sourceforge.net/p/ezxml/bugs/18/<div class="markdown_content"><p>Function ezxml_decode() while parsing crafted XML file performs incorrect memory handling leading to heap buffer overread while running strlen() on NULL pointer.</p> <p>=================================================================<br/> ==21303==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5b350b1746 bp 0x7fff4cc8acd0 sp 0x7fff4cc8a458 T0)<br/> 0 0x7f5b350b1745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745)<br/> 1 0x7f5b354601a5 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a5)<br/> 2 0x40635b in ezxml_decode ezxml_0.8.6/ezxml.c:196<br/> 3 0x415d2b in ezxml_parse_str ezxml_0.8.6/ezxml.c:525<br/> 4 0x417a7a in ezxml_parse_fd ezxml_0.8.6/ezxml.c:641<br/> 5 0x417d00 in ezxml_parse_file ezxml_0.8.6/ezxml.c:659<br/> 6 0x401972 in main ezxml_0.8.6/test_ezxml.c:113<br/> 7 0x7f5b3504682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)<br/> 8 0x401c78 in _start (ezxml_0.8.6/test_ezxml_asan.exe+0x401c78)</p> <p>AddressSanitizer can not provide additional info.<br/> SUMMARY: AddressSanitizer: SEGV ??:0 strlen<br/> ==21303==ABORTING</p> <p>Reproduction:</p> <p>Sample XML file leading to crash:</p> <p>crash_009_SEGV_ezxml_decode_strlen.raw</p> <p>Code snippet for reproduction:<br/> ezxml_t result = ezxml_parse_file("crash_009_SEGV_ezxml_decode_strlen.raw");</p></div>CVE ReportingMon, 30 Dec 2019 19:32:59 -0000https://sourceforge.netf5b2f0a9bea508ac3d332ca9f97d33f358dfbfd6