Recent changes to 20: Stack overflow (uncontrolled recursion) - ezxml_ent_okhttps://sourceforge.net/p/ezxml/bugs/20/Recent changes to 20: Stack overflow (uncontrolled recursion) - ezxml_ent_okenMon, 25 Oct 2021 09:16:35 -0000#20 Stack overflow (uncontrolled recursion) - ezxml_ent_okhttps://sourceforge.net/p/ezxml/bugs/20/?limit=25#fcf8<div class="markdown_content"><p>For me, this issue is resolved by the fix for <a class="" href="https://sourceforge.net/p/ezxml/bugs/26/">bug 26</a>.<br/> Check my <a class="" href="https://sourceforge.net/p/ezxml/bugs/26/#7b82">comment</a> there.</p></div>Egbert EichMon, 25 Oct 2021 09:16:35 -0000https://sourceforge.net5ac439ea1a3b25db827aa52513effba782235cd4Stack overflow (uncontrolled recursion) - ezxml_ent_okhttps://sourceforge.net/p/ezxml/bugs/20/<div class="markdown_content"><p>Function ezxml_ent_ok() is using recursion and for a crafted XML file it fails to stop consecutive executions leading to filling the execution stack and crashing the application.</p> <p>Crash report from ASAN:</p> <div class="codehilite"><pre><span></span><span class="p">.</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span> <span class="n">crash_012_stack_ezxml_ent_ok</span><span class="p">.</span><span class="n">raw</span> <span class="n">ASAN</span><span class="p">:</span><span class="n">DEADLYSIGNAL</span> <span class="o">=================================================================</span> <span class="o">==</span><span class="mi">29237</span><span class="o">==</span><span class="n">ERROR</span><span class="p">:</span> <span class="n">AddressSanitizer</span><span class="p">:</span> <span class="n">stack</span><span class="o">-</span><span class="n">overflow</span> <span class="k">on</span> <span class="n">address</span> <span class="mi">0</span><span class="n">x7fff9aa94f88</span> <span class="p">(</span><span class="n">pc</span> <span class="mi">0</span><span class="n">x0000004361d7</span> <span class="n">bp</span> <span class="mi">0</span><span class="n">x7fff9aa957f0</span> <span class="n">sp</span> <span class="mi">0</span><span class="n">x7fff9aa94f90</span> <span class="n">T0</span><span class="p">)</span> <span class="mi">0</span> <span class="mi">0</span><span class="n">x4361d6</span> <span class="k">in</span> <span class="n">__interceptor_strlen</span><span class="p">.</span><span class="n">part</span><span class="p">.</span><span class="mi">45</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4361d6</span><span class="p">)</span> <span class="mi">1</span> <span class="mi">0</span><span class="n">x4ed796</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed796</span><span class="p">)</span> <span class="mi">2</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="mi">3</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="mi">4</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="mi">5</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="p">...</span> <span class="mi">250</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="mi">251</span> <span class="mi">0</span><span class="n">x4ed973</span> <span class="k">in</span> <span class="n">ezxml_ent_ok</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4ed973</span><span class="p">)</span> <span class="n">SUMMARY</span><span class="p">:</span> <span class="n">AddressSanitizer</span><span class="p">:</span> <span class="n">stack</span><span class="o">-</span><span class="n">overflow</span> <span class="p">(</span><span class="n">ezxml</span><span class="o">-</span><span class="mi">0</span><span class="p">.</span><span class="mi">8</span><span class="p">.</span><span class="mi">6</span><span class="o">/</span><span class="n">ezxml_asan</span><span class="p">.</span><span class="n">exe</span><span class="o">+</span><span class="mi">0</span><span class="n">x4361d6</span><span class="p">)</span> <span class="k">in</span> <span class="n">__interceptor_strlen</span><span class="p">.</span><span class="n">part</span><span class="p">.</span><span class="mi">45</span> <span class="o">==</span><span class="mi">29237</span><span class="o">==</span><span class="n">ABORTING</span> </pre></div> <p>Reproduction:</p> <p>Sample XML file leading to crash:</p> <p>crash_012_stack_ezxml_ent_ok.raw </p> <p>Code snippet for reproduction:<br/> ezxml_t result = ezxml_parse_file("crash_012_stack_ezxml_ent_ok.raw ");</p></div>CVE ReportingTue, 31 Dec 2019 15:13:30 -0000https://sourceforge.net2a65b961034af844a6ac8cd3f418128ab2ca8523