Crash when multiple <!DOCTYPE are attached #29

Closed
bertothunder opened this issue Feb 12, 2015 · 3 comments
@bertothunder

We use pugixml in our product, and during security testing with Codenomicon this was found. The test is really easy: Codenomicon sends a malformed XML block with multiple <!DOCTYPE blocks with no ending:

', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1968
#1 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#2 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#3 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#4 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#5 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#6 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#7 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#8 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#9 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#10 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#11 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#12 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#13 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#14 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#15 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#16 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#17 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
#18 0x00000000005af14e in (anonymous namespace)::xml_parser::parse_doctype_group (this=0x7fffbb5fc190, s=, endch=62 '>', toplevel=false) at /home/curroa/Work/myproject/branches/CQ1857211_odd_xml_soap_request_crash/pugixml/src/pugixml.cpp:1985
[...]

dozens more of these lines.

Version used is pugixml 1.0.

Thanks

zeux commented Feb 12, 2015

My understanding is that this is not an infinite recursion - it's just that there are enough DOCTYPE nodes to cause a stack overflow. The crash is in the function prologue.

DOCTYPE parsing is the only parsing component that is recursive. I'll try to make it stackless.

@zeux zeux added the bug label Feb 12, 2015
@zeux zeux closed this as completed in e94552c Feb 12, 2015
zeux commented Feb 12, 2015

Please let me know if the commit mentioned above fixes the issue for you. You can either update to trunk or just copy new parse_doctype_ignore and parse_doctype_group implementations into your version.

@bertothunder
Author

It seems to work properly; quick test with the same input. I'll generate a new, proper build with this version on it, and pass Codenomicon again. Will let you know about anything I find.
Great work!! And really quick!

zeux added a commit that referenced this issue Mar 11, 2015
This prevents malformed input XML with very deeply recursive DOCTYPE sections
from crashing the parser.

Fixes #29.
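The fix zeux describes above and in the commit message is to make DOCTYPE group parsing stackless, so that nesting depth in the input no longer translates into call-stack depth. The following is an added illustration of that idea, not pugixml's code: a simplified `<!...>` group skipper (names `skip_doctype_group` and `nested_doctypes` are my own) that replaces the recursive call with an integer depth counter, returns nullptr on the unterminated input from the report instead of crashing, and passes over quoted literals and comments so a `>` inside them does not close a group.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed illustration (not pugixml's implementation): skip one <!...> group
// iteratively. Nested "<!" groups bump an integer depth instead of recursing, so
// a document with thousands of nested <!DOCTYPE openers costs O(1) stack.
// Returns a pointer just past the '>' that closes the outermost group, or
// nullptr if the input ends first (the malformed case in this issue).
const char* skip_doctype_group(const char* s)
{
    if (std::strncmp(s, "<!", 2) != 0) return nullptr;
    s += 2;
    std::size_t depth = 0;  // number of currently open nested "<!" groups
    while (*s)
    {
        if (s[0] == '"' || s[0] == '\'')
        {
            // quoted literal: a '>' inside it must not terminate the group
            char q = *s++;
            while (*s && *s != q) ++s;
            if (!*s) return nullptr;
            ++s;
        }
        else if (s[0] == '<' && s[1] == '!' && s[2] == '-' && s[3] == '-')
        {
            // comment: skip to the closing "-->"
            const char* e = std::strstr(s + 4, "-->");
            if (!e) return nullptr;
            s = e + 3;
        }
        else if (s[0] == '<' && s[1] == '!')
        {
            ++depth;  // nested group opens: count it, do not recurse
            s += 2;
        }
        else if (*s == '>')
        {
            ++s;
            if (depth == 0) return s;  // outermost group closed
            --depth;
        }
        else ++s;
    }
    return nullptr;  // ran off the end: unterminated DOCTYPE group
}

// Builds n nested "<!DOCTYPE " openers, optionally followed by n closing '>'.
std::string nested_doctypes(std::size_t n, bool terminate)
{
    std::string out;
    for (std::size_t i = 0; i < n; ++i) out += "<!DOCTYPE ";
    if (terminate) out.append(n, '>');
    return out;
}
```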