XML::Parser Buffer Overflow Vulnerability in Perl Expat Wrapper
Vulnerability
A buffer overflow vulnerability has been identified in XML::Parser versions prior to 2.47 for Perl. The issue is in the parse_stream() function in the Expat.xs file and is triggered when the input filehandle has a :utf8 PerlIO layer. Under that layer, Perl's read() reports a count of decoded characters, while SvPV() exposes the underlying multi-byte UTF-8 bytes, so the byte count can exceed the size of the pre-allocated XML input buffer. The resulting overflow corrupts the heap, producing a "double free or corruption" error that crashes the Perl interpreter.
Impact
Triggering the overflow corrupts the heap; the GNU C Library detects the corruption and aborts with a "double free or corruption" error, crashing the Perl interpreter.
Reproduction
The issue can be reproduced by using XML::Parser to parse a UTF-8 encoded XML file containing multi-byte characters (for example, Chinese characters) through a filehandle opened with the :utf8 layer; the byte count of the decoded data then exceeds the capacity of the pre-allocated buffer. This can be automated with a Perl script that writes raw UTF-8 bytes to a temporary file, then reads and parses that file with XML::Parser while the filehandle has the :utf8 layer set.
Remediation
Update to XML::Parser version 2.47 or later, where this vulnerability is fixed.
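The following Perl script is an added example, not code from the advisory or from the XML::Parser project. It shows, on a constructed two-character document, the character/byte divergence that the Reproduction section describes (without handing a :utf8 filehandle to the XS code), and it wraps the parse in a defensive routine that opens the file in :raw mode, inspects PerlIO::get_layers for a utf8 layer, and warns when the installed XML::Parser is older than 2.47. The helper names handle_has_utf8_layer and parse_file_safely are assumptions of this example, not part of the module.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or the XML::Parser project.
# Shows (1) why a :utf8 layer makes character counts and byte counts
# diverge, and (2) a defensive wrapper that refuses :utf8 handles and
# checks the installed XML::Parser version before parsing.
use strict;
use warnings;
use version;
use File::Temp qw(tempfile);
use XML::Parser;

# Constructed sample: a UTF-8 document containing two 3-byte CJK characters.
my $doc = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        . "<r>\xE4\xB8\xAD\xE6\x96\x87</r>";

my ($out, $path) = tempfile(UNLINK => 1);
binmode $out, ':raw';
print {$out} $doc;
close $out or die "close: $!";

# (1) The mechanism: with :utf8, read() works in decoded characters, but the
# same scalar still holds multi-byte UTF-8 underneath, so its byte length
# exceeds the character count. A fixed-size byte buffer sized from the
# character count is therefore too small for the bytes SvPV() hands back.
open my $in, '<:utf8', $path or die "open: $!";
read($in, my $buf, 1024) or die "read: $!";
close $in;
my $chars = length $buf;
my $bytes = do { use bytes; length $buf };
printf "characters: %d  bytes: %d  (excess: %d)\n",
    $chars, $bytes, $bytes - $chars;

# Helper (assumed name): true if the handle has a utf8 layer pushed on it.
# :encoding(UTF-8) also reports a trailing 'utf8' layer, so it is caught too.
sub handle_has_utf8_layer {
    my ($fh) = @_;
    return scalar grep { $_ eq 'utf8' } PerlIO::get_layers($fh);
}

# Helper (assumed name): parse a file with Expat doing the UTF-8 decoding.
sub parse_file_safely {
    my ($file) = @_;
    if (version->parse($XML::Parser::VERSION) < version->parse('2.47')) {
        warn "XML::Parser $XML::Parser::VERSION is older than 2.47; ",
             "never pass it a filehandle with a :utf8 layer\n";
    }
    # Open in raw mode so the handle delivers bytes; Expat decodes them itself.
    open my $fh, '<:raw', $file or die "open $file: $!";
    die "refusing to parse from a handle with a utf8 layer\n"
        if handle_has_utf8_layer($fh);
    my $parser = XML::Parser->new(Style => 'Tree');
    my $tree   = $parser->parse($fh);
    close $fh;
    return $tree;
}

my $tree = parse_file_safely($path);
print "root element: $tree->[0]\n";
```

Opening the handle in :raw mode is the workaround for installations that cannot yet move to 2.47: Expat receives the document as bytes and performs its own UTF-8 decoding, so the character/byte mismatch that parse_stream() relies on never arises.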
