Wrongly using libxml2 APIs can cause DoS (#17985) · Issues · VTK / VTK

Wrongly using libxml2 APIs can cause DoS

Hi, developers:

We found a few bugs in the source code(version 10e139ec).

According to the libxml2 Documentation , it's up to the caller to free the returned memory of xmlNodeGetContent() with xmlFree(). If missing the xmlFree(), it might cause a DoS.

This bug results in memory leak. In some cases, the memory consumption might be huge, which may cause the process to corrupt.

There are two places related to this issue.

ThirdParty/libxml2/vtklibxml2/relaxng.c:5306

 5283 static xmlRelaxNGDefinePtr
 5284 xmlRelaxNGParseNameClass(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node,
 5285                          xmlRelaxNGDefinePtr def)
 ...
 5305     if (IS_RELAXNG(node, "name")) {
 5306         val = xmlNodeGetContent(node);
 5307         xmlRelaxNGNormExtSpace(val);
 5308         if (xmlValidateNCName(val, 0)) {
 ...
 5318         ret->name = val;
 ...
 5416     return (ret);
 5417 }

The returned val is assigned to ret->name, and ret is returned by xmlRelaxNGParseNameClass function. xmlRelaxNGParseNameClass function is called at line 5259, and the returned value is not handled or freed, which causes information leakage.

 5259         if (xmlRelaxNGParseNameClass(ctxt, child, cur) != NULL) {

ThirdParty/libxml2/vtklibxml2/relaxng.c:3597

 3536 static xmlRelaxNGDefinePtr
 3537 xmlRelaxNGParseValue(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
 3538 {
 ...
 3596     } else if (def != NULL) {
 3597         def->value = xmlNodeGetContent(node);
 3598         if (def->value == NULL) {
 3599             xmlRngPErr(ctxt, node, XML_RNGP_VALUE_NO_CONTENT,
 3600                        "Element <value> has no content\n", NULL, NULL);
 ...
 3616     return (def);
 3617 }

The returned def->value of libxml2 API is returned by this function xmlRelaxNGParseValue.

Then, xmlRelaxNGParseValue is called at line 4985 by function xmlRelaxNGParsePattern and def is returned.

Next, xmlRelaxNGParsePattern is called at line 5569 by function xmlRelaxNGParsePatterns and def is returned.

Finally, xmlRelaxNGParsePatterns is called at line 4646

 4645             def->content =
 4646                 xmlRelaxNGParsePatterns(ctxt, node->children, 0);

If line 4561 is true, def is not handled or freed.

 4651         if (ctxt->grammar->defs == NULL) {
 4652             xmlRngPErr(ctxt, node, XML_RNGP_DEFINE_CREATE_FAILED,
 4653                        "Could not create definition hash\n", NULL, NULL);
 4654             ret = -1;

Hi, developers:

We found a few bugs in the source code(version 10e139ec41).

According to the [libxml2 Documentation](http://www.xmlsoft.org/html/libxml-tree.html) , it's up to the caller to free the returned memory of `xmlNodeGetContent()`  with `xmlFree()`. If missing the  `xmlFree()`, it might cause a DoS.

This bug results in memory leak. In some cases, the memory consumption might be huge, which may cause the process to corrupt.

There are two places related to this issue.

1. `ThirdParty/libxml2/vtklibxml2/relaxng.c:5306`

```cpp
 5283 static xmlRelaxNGDefinePtr
 5284 xmlRelaxNGParseNameClass(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node,
 5285                          xmlRelaxNGDefinePtr def)
 ...
 5305     if (IS_RELAXNG(node, "name")) {
 5306         val = xmlNodeGetContent(node);
 5307         xmlRelaxNGNormExtSpace(val);
 5308         if (xmlValidateNCName(val, 0)) {
 ...
 5318         ret->name = val;
 ...
 5416     return (ret);
 5417 }
```

The returned `val` is assigned to `ret->name`, and `ret` is returned by `xmlRelaxNGParseNameClass` function. `xmlRelaxNGParseNameClass` function is called at line 5259, and the returned value is not handled or freed, which causes information leakage.

```cpp
 5259         if (xmlRelaxNGParseNameClass(ctxt, child, cur) != NULL) {
```

2. `ThirdParty/libxml2/vtklibxml2/relaxng.c:3597`

```cpp
 3536 static xmlRelaxNGDefinePtr
 3537 xmlRelaxNGParseValue(xmlRelaxNGParserCtxtPtr ctxt, xmlNodePtr node)
 3538 {
 ...
 3596     } else if (def != NULL) {
 3597         def->value = xmlNodeGetContent(node);
 3598         if (def->value == NULL) {
 3599             xmlRngPErr(ctxt, node, XML_RNGP_VALUE_NO_CONTENT,
 3600                        "Element <value> has no content\n", NULL, NULL);
 ...
 3616     return (def);
 3617 }
```
The returned `def->value` of libxml2 API is returned by this function `xmlRelaxNGParseValue`.

Then, `xmlRelaxNGParseValue` is called at line 4985 by function `xmlRelaxNGParsePattern` and `def` is returned.

Next, `xmlRelaxNGParsePattern` is called at line 5569 by function `xmlRelaxNGParsePatterns` and `def` is returned.

Finally, `xmlRelaxNGParsePatterns` is called at line 4646

```cpp
 4645             def->content =
 4646                 xmlRelaxNGParsePatterns(ctxt, node->children, 0);
```

If line 4561 is true, `def` is not handled or freed.

```cpp
 4651         if (ctxt->grammar->defs == NULL) {
 4652             xmlRngPErr(ctxt, node, XML_RNGP_DEFINE_CREATE_FAILED,
 4653                        "Could not create definition hash\n", NULL, NULL);
 4654             ret = -1;
```

Edited Aug 22, 2020 by Zero0one1