Unrated severity · NVD Advisory · Published Oct 29, 2009 · Updated Apr 23, 2026
CVE-2009-3627
Description
The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.
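A length-bounded parser for one numeric character reference, written in the `s < end` style that the patch listed under Patches introduces. This is an added example, not code from HTML-Parser: `ncr_parse` and `ncr_hexval` are hypothetical names, and rejecting U+0000, surrogates and values above U+10FFFF is a policy assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not HTML-Parser code): parse one numeric character
 * reference that starts at s ('&'), never reading at or past end.
 * Returns the bytes consumed and stores the code point in *cp, or
 * returns 0 when the reference is incomplete or invalid.
 * The names ncr_parse and ncr_hexval are hypothetical. */
static int ncr_hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* also rejects an embedded NUL byte */
}

size_t ncr_parse(const char *s, const char *end, uint32_t *cp)
{
    const char *p = s;
    uint32_t num = 0;
    int base = 10, digits = 0;

    if (end - p < 2 || p[0] != '&' || p[1] != '#')
        return 0;
    p += 2;
    if (p < end && (*p == 'x' || *p == 'X')) {
        base = 16;
        p++;
    }
    while (p < end) {               /* check the bound, then read the byte */
        int d = ncr_hexval(*p);
        if (d < 0 || d >= base)
            break;
        num = num * (uint32_t)base + (uint32_t)d;
        if (num > 0x10FFFF)         /* outside Unicode; also prevents wrap-around */
            return 0;
        digits++;
        p++;
    }
    if (digits == 0)                /* "&#" or "&#x" with no digits after it */
        return 0;
    if (num == 0 || (num >= 0xD800 && num <= 0xDFFF))
        return 0;                   /* example policy: no U+0000, no surrogates */
    if (p < end && *p == ';')       /* ';' is consumed only when present */
        p++;
    *cp = num;
    return (size_t)(p - s);
}
```

On a return of 0 the caller copies the `&` through unchanged and resumes at `s + 1`, so the scan always advances.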
Affected products
- cpe:2.3:a:derrick_oswald:html-parser:*:*:*:*:*:*:*:* (range: <=3.54)
- cpe:2.3:a:derrick_oswald:html-parser:1.00:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.41:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:derrick_oswald:html-parser:1.6:*:*:*:*:*:*:*
Patches
b9aae1e43eb2 · decode_entities confused by trailing incomplete entity
2 files changed · +9 −7
t/entities.t+3 −1 modified@@ -1,6 +1,6 @@ use HTML::Entities qw(decode_entities encode_entities encode_entities_numeric); -use Test::More tests => 16; +use Test::More tests => 17; $a = "Våre norske tegn bør æres"; @@ -71,6 +71,8 @@ is(decode_entities("abc&def&ghi&abc;&def;"), "abc&def&ghi&abc;&def;"); is(decode_entities("'"), "'"); is(encode_entities("'", "'"), "'"); +is(decode_entities("Attention Homeοωnөrs...1ѕt Tімe Eνөг"), + "Attention Home\x{3BF}\x{3C9}n\x{4E9}rs...1\x{455}t T\x{456}\x{43C}e E\x{3BD}\x{4E9}\x{433}"); __END__ # Quoted from rfc1866.txt
util.c+6 −6 modified@@ -94,14 +94,14 @@ decode_entities(pTHX_ SV* sv, HV* entity2char, bool expand_prefix) ent_start = s; repl = 0; - if (*s == '#') { + if (s < end && *s == '#') { UV num = 0; UV prev = 0; int ok = 0; s++; - if (*s == 'x' || *s == 'X') { + if (s < end && (*s == 'x' || *s == 'X')) { s++; - while (*s) { + while (s < end) { char *tmp = strchr(PL_hexdigit, *s); if (!tmp) break; @@ -117,7 +117,7 @@ decode_entities(pTHX_ SV* sv, HV* entity2char, bool expand_prefix) } } else { - while (isDIGIT(*s)) { + while (s < end && isDIGIT(*s)) { num = num * 10 + (*s - '0'); if (prev && num < prev) { /* overflow */ @@ -180,7 +180,7 @@ decode_entities(pTHX_ SV* sv, HV* entity2char, bool expand_prefix) } else { char *ent_name = s; - while (isALNUM(*s)) + while (s < end && isALNUM(*s)) s++; if (ent_name != s && entity2char) { SV** svp; @@ -216,7 +216,7 @@ decode_entities(pTHX_ SV* sv, HV* entity2char, bool expand_prefix) if (repl) { char *repl_allocated = 0; - if (*s == ';') + if (s < end && *s == ';') s++; t--; /* '&' already copied, undo it */
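Review bot: The single case added in the second t/entities.t hunk is one long subject line, so a failure there does not show which of the new `s < end` guards in util.c regressed. Suggest adding short cases whose input stops right at each guard (after the `#`, after the `x`, in the middle of the digits, and before the optional `;`), each with its own expected output, so every check added in util.c has a test that fails on its own.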
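Review bot: In the hex branch of the first util.c hunk, changing `while (*s)` to `while (s < end)` removes the NUL check that used to run before `strchr(PL_hexdigit, *s)`. `strchr` counts the terminating NUL as part of the string it searches, so for a NUL byte inside the buffer `tmp` is non-null, `if (!tmp) break;` does not fire, and the byte is processed as a hex digit. Suggest `while (s < end && *s)`, or an explicit test of `*s` before the `strchr` call.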
References
- www.openwall.com/lists/oss-security/2009/10/23/9 (nvd, Patch)
- www.securityfocus.com/bid/36807 (nvd, Patch)
- www.vupen.com/english/advisories/2009/3022 (nvd, Patch, Vendor Advisory)
- issues.apache.org/SpamAssassin/show_bug.cgi (nvd, Patch)
- secunia.com/advisories/37155 (nvd, Vendor Advisory)
- github.com/gisle/html-parser/commit/b9aae1e43eb2c8e989510187cff0ba3e996f9a4c (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/53941 (nvd)