Misusing libxml2 APIs can cause DoS
Hi, developers:
We found a few bugs in the source code (version 10e139ec).
According to the libxml2 documentation, it is up to the caller to free the memory returned by xmlNodeGetContent() with xmlFree(). If the xmlFree() is missing, it might cause a DoS.
This bug results in a memory leak. In some cases the leaked memory can grow large enough that the process runs out of memory and is killed or fails.
There are two places related to this issue.
ThirdParty/libxml2/vtklibxml2/relaxng.c:5306
5283 static xmlRelaxNGDefinePtr
5284 xmlRelaxNGParseNameClass(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node,
5285 xmlRelaxNGDefinePtr def)
...
5305 if (IS_RELAXNG(node, "name")) {
5306 val = xmlNodeGetContent(node);
5307 xmlRelaxNGNormExtSpace(val);
5308 if (xmlValidateNCName(val, 0)) {
...
5318 ret->name = val;
...
5416 return (ret);
5417 }
The returned val is assigned to ret->name, and ret is returned by the xmlRelaxNGParseNameClass function. xmlRelaxNGParseNameClass is called at line 5259, and the returned value is neither stored nor freed, which causes a memory leak.
5259 if (xmlRelaxNGParseNameClass(ctxt, child, cur) != NULL) {
ThirdParty/libxml2/vtklibxml2/relaxng.c:3597
3536 static xmlRelaxNGDefinePtr
3537 xmlRelaxNGParseValue(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
3538 {
...
3596 } else if (def != NULL) {
3597 def->value = xmlNodeGetContent(node);
3598 if (def->value == NULL) {
3599 xmlRngPErr(ctxt, node, XML_RNGP_VALUE_NO_CONTENT,
3600 "Element <value> has no content\n", NULL, NULL);
...
3616 return (def);
3617 }
The def->value returned by the libxml2 API is returned by this function, xmlRelaxNGParseValue, inside def.
Then, xmlRelaxNGParseValue is called at line 4985 by function xmlRelaxNGParsePattern, and def is returned.
Next, xmlRelaxNGParsePattern is called at line 5569 by function xmlRelaxNGParsePatterns, and def is returned.
Finally, xmlRelaxNGParsePatterns is called at line 4646:
4645 def->content =
4646 xmlRelaxNGParsePatterns(ctxt, node->children, 0);
If the condition at line 4651 is true, ret is set to -1 and def is neither handled nor freed.
4651 if (ctxt->grammar->defs == NULL) {
4652 xmlRngPErr(ctxt, node, XML_RNGP_DEFINE_CREATE_FAILED,
4653 "Could not create definition hash\n", NULL, NULL);
4654 ret = -1;
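The ownership rule behind both sites, shown on a self-contained model rather than on libxml2 itself. This is an added example, not VTK or libxml2 code: get_content() is a hypothetical stand-in for xmlNodeGetContent() (a heap copy the caller owns), define_t stands in for xmlRelaxNGDefine, and live_allocs is an instrumented allocation counter that plays the role LeakSanitizer would play on the real build. run_leaky() mirrors the reported caller shape at relaxng.c:5259 (the result is tested against NULL and dropped), run_fixed() keeps the pointer and releases it through the owner's free routine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outstanding heap blocks; a stand-in for what LeakSanitizer reports. */
static long live_allocs = 0;

static void *counted_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p != NULL) live_allocs++;
    return p;
}

static void counted_free(void *p) {
    if (p != NULL) {
        free(p);
        live_allocs--;
    }
}

/* Hypothetical stand-in for xmlNodeGetContent(): returns a heap copy that
 * the caller must free. Not the libxml2 function. */
static char *get_content(const char *text) {
    size_t len = strlen(text) + 1;
    char *copy = counted_alloc(len);
    if (copy != NULL) memcpy(copy, text, len);
    return copy;
}

/* Stand-in for xmlRelaxNGDefine: it owns the string stored in name. */
typedef struct define {
    char *name;
} define_t;

static void define_free(define_t *d) {
    if (d == NULL) return;
    counted_free(d->name);  /* the content string belongs to the define */
    counted_free(d);
}

/* Mirrors the reported pattern: ownership of the content string moves into
 * the define, so whoever drops the define also drops the string. */
static define_t *parse_name(const char *text) {
    define_t *d = counted_alloc(sizeof *d);
    if (d == NULL) return NULL;
    d->name = get_content(text);
    if (d->name == NULL) {
        define_free(d);
        return NULL;
    }
    return d;
}

/* Leaky caller shape: the result is only compared against NULL and then
 * discarded. Returns how many blocks are still live after n parses. */
long run_leaky(int n) {
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        if (parse_name("elementName") != NULL) {
            /* pointer dropped here: the define and its name are unreachable */
        }
    }
    return live_allocs;
}

/* Fixed caller shape: keep the pointer and free it through the owner. */
long run_fixed(int n) {
    live_allocs = 0;
    for (int i = 0; i < n; i++) {
        define_t *d = parse_name("elementName");
        if (d != NULL) {
            /* ... use d->name ... */
            define_free(d);
        }
    }
    return live_allocs;
}

int main(void) {
    printf("leaky: %ld blocks outstanding after 1000 parses\n", run_leaky(1000));
    printf("fixed: %ld blocks outstanding after 1000 parses\n", run_fixed(1000));
    return 0;
}
```

The leaky loop grows by two blocks (the define and its string) per parse, which is the linear growth the report describes; the fixed loop ends at zero. To confirm the two sites on the real code rather than on this model, build VTK's libxml2 with -fsanitize=address and parse a RELAX NG schema containing <name> and <value> elements: LeakSanitizer lists only allocations that were never freed by the time the process exits, which also covers the case where a define is released later by the owning context.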