Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Sat, 5 Nov 2016 10:04:30 -0300
From: Gustavo Grieco <>
Subject: CVE request: Null pointer dereference parsing XML file using libxml 2.9.4 (in recover mode)


We found a null pointer dereference when parsing an XML file using recover
mode. It was tested in libxml 2.9.4 (ArchLinux x86_64). To reproduce:

$ xmllint --recover crash-libxml2-recover.xml

==27646==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x0000004fbd88 bp 0x7ffc3345dff0 sp 0x7ffc3345dfd0 T0)
    #0 0x4fbd87 in xmlDumpElementContent
    #1 0x4fbcd5 in xmlDumpElementContent
    #2 0x4fe5ff in xmlDumpElementDecl
    #3 0x72e714 in xmlBufDumpElementDecl
    #4 0x73048f in xmlNodeDumpOutputInternal
    #5 0x72fc47 in xmlNodeListDumpOutput
    #6 0x72f6d5 in xmlDtdDumpOutput
    #7 0x73038f in xmlNodeDumpOutputInternal
    #8 0x732412 in xmlDocContentDumpOutput
    #9 0x735883 in xmlSaveDoc /home/g/Work/Code/libxml2-2.9.4/xmlsave.c:1936
    #10 0x40ba0f in parseAndPrintFile
    #11 0x411eb6 in main /home/g/Work/Code/libxml2-2.9.4/xmllint.c:3767
    #12 0x7f23dcd4c290 in __libc_start_main (/usr/lib/
    #13 0x4032b9 in _start

A reproducer is attached. It is interesting to note that the developers of
libxml2 strongly recommend not to use recover mode to parse untrusted
inputs. Please assign a CVE if suitable.



Attachment: crash-libxml2-recover.xml (text/xml, 803 bytes)
