Stability regression in v0.39.2: `attempt to subtract with overflow`

[alex-security-guy]

Good day :)

I am a security researcher with X41, and our team has recently performed a security review of Routinator, which uses your project.
During this review we were performing some fuzz testing, and found what seems to be a stability regression from version v.038.3 to v0.39.2.
The old version will respond to parsing the attached input with an Error occurred Xml(Syntax(UnclosedDoctype)), whereas the new version will panic with the aforementioned attempt to subtract with overflow.

The Routinator team was kind enough to extract only the quick-xml code, a minimal main of which you can find below:

use quick_xml::events::Event;
use quick_xml::reader::Reader;
use std::fs::File;
use std::io::BufReader;

fn main() {
    let f = File::open("crashing_notification.xml").unwrap();
    let reader = BufReader::new(f);
    let mut reader = Reader::from_reader(reader);
    let mut buf = Vec::new();
    loop {
        match reader.read_event_into(&mut buf) {
            Ok(Event::Eof) => break,
            _ => (),
        }
        buf.clear();
    }
}

And the crashing input you can find here: crashing_notification.xml

Hopefully this helps, I hope you have a nice day 😊

[Mingun]

Minimal reproducible example:

/// Regression test for https://github.com/tafia/quick-xml/issues/950
#[test]
fn issue950() {
    let reader = BufReader::with_capacity(8, "<!d[<>23456789".as_bytes());
    //                                chunks: ________--------
    let mut reader = Reader::from_reader(reader);
    let mut buf = Vec::new();
    reader.read_event_into(&mut buf).unwrap();
}

Key point is that DTD skip code tries to read at least 10 characters before it would attempt to skip unknown markup, but that markup (<> here) is ended inside that 10-byte chunk:

• <!d[<>12 -- the first chunk from BufReader, <>12 is skipped as UndecidedMarkup(3). Actually, unknown markup already read, but we wait at least 10 bytes to check if it is <!NOTATION (the longest possible valid markup in DTD)
• >34567 -- the second chunk from BufReader, <>23456789 is 10 bytes, it is not <!NOTATION, so some unknown markup. We expect, that > will be after those bytes, but it was inside. We try to deside how much bytes we need to skip in additional to already skipped >23 and fail.