#528 Multiple Integer Overflows

Feature Request

CVE-2015-1283: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283 for complete description. See https://codereview.chromium.org/1224303003 for patch.


  • Sebastian Pipping

    • status: open --> closed-fixed
  • Sebastian Pipping

    Fixed by commit ba0f9c3b40c264b8dd392e02a7a060a8fa54f032, included with next release, closing.

  • David Dillard

    David Dillard - 2016-03-14

    The existing CVE only lists Google Chrome as being affected and I want a CVE that lists expat as being affected too so is the expat team planning on getting a CVE for this issue? If not, I'll work with US CERT to get a CVE assigned.

  • Sebastian Pipping

    Hello David,

    looking at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283 I read "Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products". If one other product uses Expat unmodified, vanilla Expat is included implicitly, in my eyes. I don't mind another CVE but I don't think it's needed. We have CVE-2015-1283 and CVE-2015-2716 already.

    What do you think?

  • David Dillard

    David Dillard - 2016-03-14

    Hi Sebastian,

    That doesn't handle what I'm looking for. If you go to the NVD page and scroll down to "Vulnerable software and versions" you'll see it lists Google Chrome, but not expat. My company (and many others) use automated software that looks at that field and alerts users to vulnerabilities in software they're using/requesting to use. If expat isn't listed there then that software won't notify the user of the vulnerability, potentially letting software with known vulnerabilities be used.

    I'd be ok with updating the existing CVE entry to list expat as being affected, but I've tried having that done before and neither Mitre nor US CERT were willing to do it. Unfortunately, it seems that just getting a new CVE is easier. As I said, I'm happy to do it or you or someone on the expat team can do it, I just want to make sure it gets done.


  • Sebastian Pipping

    Thanks for that explanation. I would accept your offer to go forward getting Expat added or getting a new dedicated CVE, whichever works.

  • David Dillard

    David Dillard - 2016-03-16

    I think I've actually gotten the existing CVE updated to reflect that expat 2.1.0 and earlier are affected. Apparently, I wasn't talking to the right people before and nobody bothered to tell me that. I'll verify in a few days when the update should be out.

  • Paul Duffin

    Paul Duffin - 2016-05-18

    While applying these changes to expat 2.1.1 I checked to make sure that there wasn't any other code that followed a similar pattern to the code that was changed. Unfortunately, I noticed that there was.

    In expat/lib/xmlparse.c at line 2661 there is a use of XmlConvert that does not check the return value. I'm no expert but it seems like it should check the return type just like other usages. If not a comment as to why not would be useful.

    In expat/lib/xmltok.c a number of usages of "if (ptr == end) ...." were changed to "if (ptr >= end)" but there are still quite a few of those left, e.g. in parsePseudoAttribute.

    This is my first time doing anything with expat so apologies if I'm not following the correct procedures.


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks