oss-sec mailing list archives

CVE-2006-10003: XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack


From: Timothy Legge <timlegge () cpansec org>
Date: Thu, 19 Mar 2026 08:09:25 -0300

========================================================================
CVE-2006-10003                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2006-10003
  Distribution:  XML-Parser
      Versions:  through 2.47

      MetaCPAN:  https://metacpan.org/dist/XML-Parser
      VCS Repo:  http://github.com/toddr/XML-Parser


XML::Parser versions through 2.47 for Perl has an off-by-one heap
buffer overflow in st_serial_stack

Description
-----------
XML::Parser versions through 2.47 for Perl has an off-by-one heap
buffer overflow in st_serial_stack.

In the case (stackptr == stacksize - 1), the stack will NOT be
expanded. Then the new value will be written at location (++stackptr),
which equals stacksize and therefore falls just outside the allocated
buffer.

The bug can be observed when parsing an XML file with very deep element
nesting.

Problem types
-------------
- CWE-193 Off-by-one Error
- CWE-122 Heap-based Buffer Overflow

Workarounds
-----------
Apply the patch that has been publicly available since 2006-06-13.


Solutions
---------
Apply the patch that has been publicly available since 2006-06-13 or
upgrade to version 2.48 or later when it is released.


References
----------
https://rt.cpan.org/Ticket/Display.html?id=19860
https://github.com/cpan-authors/XML-Parser/issues/39
https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch

Timeline
--------
- 2006-06-13: Issue logged and patch provided in Request Tracker for
  XML::Parser
- 2019-09-23: Issue migrated to github issue tracker
- 2019-09-24: Patch provided in github issue tracker
- 2026-03-16: PR created and commit merged to git repo
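
The boundary case from the Description, as an added example that is not part of the advisory and not XML::Parser's source. It is a simplified model: the struct, function names, slot counts and both growth checks are assumptions chosen to match the described behaviour, and the out-of-bounds write is detected and skipped rather than performed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a growable serial-number stack. All names here are
   illustrative, not taken from XML::Parser. */
typedef struct {
    unsigned *data;
    size_t size;  /* allocated slots */
    size_t ptr;   /* index of the current top slot */
} serial_stack;

enum { INITIAL_SLOTS = 4, GROW_BY = 4 };  /* constructed, kept small */

/* hardened=0 models a growth check that does not fire at ptr == size - 1;
   hardened=1 tests the index that is about to be written.
   Returns 1 for an in-bounds write, 0 if the write index would equal size
   (the write is skipped here), -1 on allocation failure. */
static int push(serial_stack *s, unsigned v, int hardened) {
    size_t next = s->ptr + 1;
    int must_grow = hardened ? (next >= s->size) : (s->ptr >= s->size);
    if (must_grow) {
        unsigned *p = realloc(s->data, (s->size + GROW_BY) * sizeof *p);
        if (p == NULL) return -1;
        s->data = p;
        s->size += GROW_BY;
    }
    if (next >= s->size) return 0;  /* one slot past the allocation */
    s->data[next] = v;
    s->ptr = next;
    return 1;
}

/* Nest `depth` levels; return the first depth whose push would land out of
   bounds, or 0 if every push stayed inside the buffer. */
size_t first_oob_depth(size_t depth, int hardened) {
    serial_stack s = { malloc(INITIAL_SLOTS * sizeof(unsigned)), INITIAL_SLOTS, 0 };
    size_t d, hit = 0;
    if (s.data == NULL) return 0;
    s.data[0] = 0;
    for (d = 1; d <= depth && hit == 0; d++) {
        int r = push(&s, (unsigned)d, hardened);
        if (r < 0) break;
        if (r == 0) hit = d;
    }
    free(s.data);
    return hit;
}

int main(void) {
    printf("edge-missing check: %zu, hardened check: %zu\n",
           first_oob_depth(1000, 0), first_oob_depth(1000, 1));
    return 0;
}
```

A nonzero result is the nesting depth at which the write index equals the allocated size; 0 means every push stayed in bounds.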

