In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XMLGetCurrentLineNumber (or XMLGetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
[ { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "function": "doProlog", "file": "expat/lib/xmlparse.c" }, "digest": { "function_hash": "125271961576543742310629350504968019617", "length": 27888.0 }, "signature_version": "v1", "id": "CVE-2019-15903-0d752d8d", "signature_type": "Function", "deprecated": false }, { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "function": "processInternalEntity", "file": "expat/lib/xmlparse.c" }, "digest": { "function_hash": "258898664727023212628731136448884091064", "length": 1541.0 }, "signature_version": "v1", "id": "CVE-2019-15903-3992c034", "signature_type": "Function", "deprecated": false }, { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "function": "prologProcessor", "file": "expat/lib/xmlparse.c" }, "digest": { "function_hash": "320542276707726540903784573260106917696", "length": 347.0 }, "signature_version": "v1", "id": "CVE-2019-15903-4fa8a18a", "signature_type": "Function", "deprecated": false }, { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "function": "internalEntityProcessor", "file": "expat/lib/xmlparse.c" }, "digest": { "function_hash": "87559746390753119708030472024368882252", "length": 1691.0 }, "signature_version": "v1", "id": "CVE-2019-15903-50a68847", "signature_type": "Function", "deprecated": false }, { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "file": "expat/lib/xmlparse.c" }, "digest": { "line_hashes": [ "132983735470197785746052135782572205033", "146204224061470080606983094059913412689", "7599560151177139529648421590374092798", "43488536384691544214046994497908120940", "316924857856242392275636406882952016268", "313502711495946994497639020874340401069", "195484947523758424504813833072420643936", "66393858657853185419579310156918223010", "255221502895981869157887834697152878351", "106795823336306937525621181615350467828", "226320368211189727652238023669300150723", "120536527396395186340591214598221850705", "157897276731025067219377731738911663661", "56387941961793144568065674959231386429", "122849457964806115309741096903856490512", "175297395996681036848075065183921967929", "299387118000825267278833341847060218101", "276502891951823894309157759029430923936", "56631634594391992920425749299177991860", "128211256018775436878936886506812361210", "136991866931827280169215334671955339519", "267326537430448345157071811058789050241", "281089508152999328292147815149430177071", "266760975306673981287073430543841070947", "136991866931827280169215334671955339519", "267326537430448345157071811058789050241", "281089508152999328292147815149430177071", "145115243084578848234012712515518269345", "130000406535845302189293374835665079658", "249245281332386594223044783888918985169", "150401336559048452177710326613018819487", "41422063577574542654899415359947089205" ], "threshold": 0.9 }, "signature_version": "v1", "id": "CVE-2019-15903-52ad81f3", "signature_type": "Line", "deprecated": false }, { "source": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", "target": { "function": "externalParEntProcessor", "file": "expat/lib/xmlparse.c" }, "digest": { "function_hash": "217326096847551269990637517059988824832", "length": 878.0 }, "signature_version": "v1", "id": "CVE-2019-15903-9c136d97", "signature_type": "Function", "deprecated": false } ]