Libexpat Project ≫ Libexpat

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.