CVE-2021-46143: Crafted XML file can cause integer overflow on m_groupSize in function doProlog · Issue #532 · libexpat/libexpat
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
On 2021-12-24, a member of Trend Micro Zero Day Initiative (“ZDI”) shared a vulnerability named ZDI-CAN-16157
in libexpat with me that has been discovered by an anonymous individual working with Trend Micro ZDI. I would like to thank both Trend Micro and the anonymous individual for their whitehat work on libexpat security. Thank you! 🙏
Similar to ticket #531, the issue is an integer overflow (in multiplication) near a call to realloc
that is reached with a ~2 GiB crafted XML file and then causes a denial of service or more. The issue has existed since commit 347e19a and hence affects even the oldest (pre-)releases.
CVSS: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
[…]
Analysis
This is an integer overflow vulnerability that exists in the expat library. The vulnerable function is doProlog:

```c
doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
         int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
         XML_Bool allowClosingDoctype, enum XML_Account account) {
#ifdef XML_DTD
  static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'};
#endif /* XML_DTD */
  static const XML_Char atypeCDATA[]
  [...]
    case XML_ROLE_GROUP_OPEN:
      if (parser->m_prologState.level >= parser->m_groupSize) {
        if (parser->m_groupSize) {
          {
            char *const new_connector = (char *)REALLOC(
                parser, parser->m_groupConnector,
                parser->m_groupSize *= 2); // <-------- (1)
            if (new_connector == NULL) {
              parser->m_groupSize /= 2;
              return XML_ERROR_NO_MEMORY;
            }
            parser->m_groupConnector = new_connector;
          }
```

- At (1), integer overflow occurs if the value of m_groupSize is greater than 0x7FFFFFFF.
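To make the defect concrete, the following is an added, self-contained example (not libexpat's code and not the project's actual fix). It models the buffer-doubling pattern from the snippet above with a hypothetical `group_state` struct (`group_connector`, `group_size`, `level` standing in for `m_groupConnector`, `m_groupSize` and `m_prologState.level`), shows what size `realloc` would receive once the signed `int` product wraps on a typical two's-complement platform, and places an overflow guard in front of the multiplication so that the doubling is refused instead of overflowing. `doubling_overflows`, `wrapped_realloc_size` and `grow_group_checked` are names chosen for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the parser fields involved in the snippet.
 * The capacity is a signed int, exactly the property that makes `size *= 2`
 * overflow once size exceeds INT_MAX / 2. */
typedef struct {
    char *group_connector;  /* buffer (m_groupConnector) */
    int   group_size;       /* capacity in bytes (m_groupSize) */
    int   level;            /* current nesting depth (m_prologState.level) */
} group_state;

enum { GROW_OK = 0, GROW_ERROR_NO_MEMORY = 1 };

/* True when `size * 2` would exceed INT_MAX, i.e. when the unguarded
 * `group_size *= 2` would be signed overflow (undefined behaviour in C). */
int doubling_overflows(int size) {
    return size > INT_MAX / 2;
}

/* What the unguarded code would hand to realloc on a two's-complement
 * platform: the product wraps to a negative int, which is then converted to
 * size_t. The wrap is computed in unsigned arithmetic so that this function
 * itself stays well defined (the int conversion is implementation-defined
 * but modular on gcc/clang). */
size_t wrapped_realloc_size(int size) {
    unsigned int product = (unsigned int)size * 2u;
    int wrapped = (int)product;
    return (size_t)wrapped;
}

/* Growth path with the guard added. The new size is computed before the
 * realloc call, so a failed allocation needs no rollback of group_size. */
int grow_group_checked(group_state *st) {
    if (st->level < st->group_size)
        return GROW_OK;                 /* still room, nothing to do */
    if (doubling_overflows(st->group_size))
        return GROW_ERROR_NO_MEMORY;    /* refuse rather than overflow */
    int new_size = st->group_size * 2;  /* safe: new_size <= INT_MAX */
    char *nc = realloc(st->group_connector, (size_t)new_size);
    if (nc == NULL)
        return GROW_ERROR_NO_MEMORY;    /* st is unchanged on failure */
    st->group_connector = nc;
    st->group_size = new_size;
    return GROW_OK;
}

int main(void) {
    /* Normal case: a full 32-byte buffer grows to 64 bytes. */
    group_state st = { malloc(32), 32, 32 };
    printf("grow small: rc=%d size=%d\n", grow_group_checked(&st), st.group_size);
    free(st.group_connector);

    /* Boundary case: capacity just past INT_MAX / 2 is refused, not doubled. */
    group_state big = { NULL, INT_MAX / 2 + 1, INT_MAX / 2 + 1 };
    printf("grow big: rc=%d size=%d\n", grow_group_checked(&big), big.group_size);

    /* What realloc would have been asked for without the guard. */
    printf("unguarded realloc size for 0x40000000: %zu\n",
           wrapped_realloc_size(0x40000000));
    return 0;
}
```

The guard is the defensive pattern to look for in review: any `size *= 2` (or `size * 2` inside an allocation call) on a signed counter needs a comparison against `INT_MAX / 2` before the multiplication, and the error path should leave the counter untouched.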
A pull request and likely a CVE are upcoming, and release 2.4.3 will follow soon.
Best, Sebastian