CVE-2026-8829— HTML::Parser 安全漏洞

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.

N/A

释放后使用

HTML::Parser 安全漏洞

HTML::Parser是libwww-perl开源的一款HTML文档解析与标记分离工具。 HTML::Parser 3.84之前版本存在安全漏洞，该漏洞源于_decode_entities的XS例程缓存指向entity2char哈希中SV的指针，当输入SV与哈希中值SV相同时，后续grow_gap调用重新分配SV的PV缓冲区并释放repl指向的内存，导致从释放内存读取数据，可能泄露相邻堆内容。

N/A

N/A