CVE-2021-42260: TinyXML / Bugs / #141 TIXML_UTF_LEAD_0 can cause TinyXML DoS

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.


This vulnerability is caused by the following code (tinyxmlparser.cpp#212L), which has no op to p:

    while ( p < now )
    {
        // Treat p as unsigned, so we have a happy compiler.
        const unsigned char* pU = (const unsigned char*)p;

        // Code contributed by Fletcher Dunn: (modified by lee)
        switch (*pU) {
        // ...
            case TIXML_UTF_LEAD_0:
                if ( encoding == TIXML_ENCODING_UTF8 )
                {
                    if ( *(p+1) && *(p+2) )
                    {
                        // In these cases, don't advance the column. These are
                        // 0-width spaces.
                        if ( *(pU+1)==TIXML_UTF_LEAD_1 && *(pU+2)==TIXML_UTF_LEAD_2 )
                            p += 3;
                        else if ( *(pU+1)==0xbfU && *(pU+2)==0xbeU )
                            p += 3;
                        else if ( *(pU+1)==0xbfU && *(pU+2)==0xbfU )
                            p += 3;
                        else
                            { p +=3; ++col; }   // A normal character.
                    }
                    // No else branch: if either following byte is NUL, p is never advanced.
                }
                else
                {
                    ++p;
                    ++col;
                }
                break;
                // ...
        }
    }

My test program:

    #include "tinyxml.h"
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>

    int main(int argc, char* argv[]) {
        if (argc < 2) {
            printf("args error\n");
            return 0;
        }

        int fd = open(argv[1], O_RDWR | O_APPEND);
        if (fd < 0) {   // open() returns -1 on failure, not 0
            printf("open failed\n");
            return -1;
        }

        int bytes = 1024 * 1024;
        char* buffer = (char*)malloc(bytes);
        if (!buffer) {
            close(fd);
            return -1;
        }

        int n = read(fd, buffer, bytes - 1);
        printf("read %d bytes\n", n);
        if (n < 0) {
            close(fd);
            free(buffer);
            return -1;
        }
        buffer[n] = '\0';   // Parse() expects a NUL-terminated string

        TiXmlDocument doc;
        doc.Parse(buffer);

        close(fd);
        free(buffer);
        return 0;
    }

And my test case is in the attachment.
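The following stand-alone model of the quoted loop is an added illustration, not TinyXML's code and not the upstream or any distribution patch. It sets the excerpt's behaviour beside an assumed fix that consumes a lone lead byte, with a progress budget that flags a loop which stops advancing. The names `StampResult`, `stamp_columns`, `stamp` and `budget` are hypothetical, the encoding is fixed to UTF-8, and all other `switch` cases are collapsed into "one byte, one column".

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Byte values of the TIXML_UTF_LEAD_* constants (the UTF-8 BOM: EF BB BF).
static const unsigned char LEAD_0 = 0xefU, LEAD_1 = 0xbbU, LEAD_2 = 0xbfU;

struct StampResult { int col; bool stalled; };

// Model of the column-tracking loop with encoding fixed to UTF-8.
// hardened=false keeps the excerpt's behaviour; hardened=true adds an
// assumed fix (not the upstream patch): consume the lone lead byte.
static StampResult stamp_columns(const char* p, const char* now, bool hardened) {
    StampResult r = {0, false};
    // Every healthy iteration consumes at least one byte, so the loop can
    // never need more iterations than there are bytes between p and now.
    std::ptrdiff_t budget = now - p;
    while (p < now) {
        if (budget-- <= 0) { r.stalled = true; break; }  // no forward progress
        const unsigned char* pU = (const unsigned char*)p;
        if (*pU != LEAD_0) { ++p; ++r.col; continue; }   // stand-in for other cases
        if (*(p + 1) && *(p + 2)) {
            bool zeroWidth = (pU[1] == LEAD_1 && pU[2] == LEAD_2)
                          || (pU[1] == 0xbfU && (pU[2] == 0xbeU || pU[2] == 0xbfU));
            p += 3;
            if (!zeroWidth) ++r.col;
        } else if (hardened) {
            ++p; ++r.col;   // truncated sequence: count the lead byte as one column
        }
        // Unhardened and truncated: p is unchanged, so `p < now` stays true.
    }
    return r;
}

// Convenience wrapper: `now` points at the terminating NUL of s.
static StampResult stamp(const char* s, bool hardened) {
    return stamp_columns(s, s + std::strlen(s), hardened);
}

int main() {
    // Constructed inputs: BOM + "a", one complete EF-led character, a lone trailing 0xEF.
    const char* samples[] = { "\xEF\xBB\xBF" "a", "\xEF\xBC\xA1", "ab\xEF" };
    for (int i = 0; i < 3; ++i) {
        StampResult v = stamp(samples[i], false), h = stamp(samples[i], true);
        std::printf("original: col=%d stalled=%d | hardened: col=%d stalled=%d\n",
                    v.col, v.stalled, h.col, h.stalled);
    }
    return 0;
}
```

A byte-count budget of this kind is also usable as a regression check for any patched build, since a correct cursor loop can never exceed it.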

Related news

Ubuntu Security Notice USN-6542-1

Ubuntu Security Notice 6542-1 - Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.