XMLEventReader causes OutOfMemoryError with invalid XML declaration

[dancek]

I initially noticed this bug because a third-party REST API returns malformed XML on some occasions, which causes our server to run out of memory.

After a lot of head-scratching I found that an unclosed attribute string in the XML declaration causes this systematically. Here's the simplest example of reproducing the bug that I've found:

import scala.xml.pull.XMLEventReader
import scala.io.Source

object XMLEventReader_OutOfMemory {
    def main(args: Array[String]): Unit = {
        val src = Source.fromString("<?xml x=\"")
        new XMLEventReader(src)
    }
}

Running the code causes an OutOfMemoryException:

$ scalac XMLEventReader_OutOfMemory.scala && scala XMLEventReader_OutOfMemory
Exception in thread "XMLEventReader" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3332)
    at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:137)
    at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:121)
    at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:622)
    at java.lang.StringBuilder.append(StringBuilder.java:202)
    at scala.collection.mutable.StringBuilder.append(StringBuilder.scala:267)
    at scala.xml.parsing.MarkupParserCommon.xAttributeValue(MarkupParserCommon.scala:70)
    at scala.xml.pull.XMLEventReader$Parser.xAttributeValue(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParserCommon.xAttributeValue(MarkupParserCommon.scala:78)
    at scala.xml.pull.XMLEventReader$Parser.xAttributeValue(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.xAttributes(MarkupParser.scala:318)
    at scala.xml.pull.XMLEventReader$Parser.xAttributes(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.xmlProcInstr(MarkupParser.scala:143)
    at scala.xml.pull.XMLEventReader$Parser.xmlProcInstr(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.prologOrTextDecl(MarkupParser.scala:159)
    at scala.xml.parsing.MarkupParser.prolog(MarkupParser.scala:209)
    at scala.xml.pull.XMLEventReader$Parser.prolog(XMLEventReader.scala:60)
    at scala.xml.parsing.MarkupParser.document(MarkupParser.scala:239)
    at scala.xml.pull.XMLEventReader$Parser.document(XMLEventReader.scala:60)
    at scala.xml.pull.XMLEventReader$Parser.scala$xml$pull$XMLEventReader$Parser$$$anonfun$2(XMLEventReader.scala:96)
    at scala.xml.pull.XMLEventReader$Parser$$Lambda$93/1925707867.apply(Unknown Source)
    at scala.xml.pull.ProducerConsumerIterator.interruptibly(XMLEventReader.scala:125)
    at scala.xml.pull.XMLEventReader.interruptibly(XMLEventReader.scala:27)
    at scala.xml.pull.XMLEventReader$Parser.run(XMLEventReader.scala:96)
    at java.lang.Thread.run(Thread.java:745)

[biswanaths]

Thanks @dancek for reporting this. This looks serious to me.

[lespea]

This was already reported here: #35 with a fix provided in #92

I have a fork where I merged this and a few other pull requests here: https://github.com/lespea/scala-xml

[dancek]

@lespea thanks, good to know. We'll need to discuss either using your fork in production or starting our own fork of scala-xml.

I'm sure you all know it, but this bug is an extremely effective DoS attack vector.

[lespea]

@dancek if you encounter any problems feel free to send me pull requests; I'd like to maintain my fork at least a little bit until this gets attention by the maintainers.