CVE-2017-9047 (retired)

A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801.
The function xmlSnprintfElementContent in valid.c is supposed to
recursively dump the element content definition into a char buffer 'buf' of
size 'size'. The variable len is assigned strlen(buf). If the content->type
is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to
buf (if it actually fits) whereupon (ii) content->name is written to the
buffer. However, the check for whether the content->name actually fits also
uses 'len' rather than the updated buffer length strlen(buf). This allows
us to write about "size" many bytes beyond the allocated memory. This
vulnerability causes programs that use libxml2, such as PHP, to crash.
Upstream:released (2.9.4+dfsg1-3.1)
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.8.dfsg-5.1ubuntu4.18)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.9.1+dfsg1-3ubuntu4.10)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.9.3+dfsg1-1ubuntu0.3)
More Information

Updated: 2019-03-26 12:26:37 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)