Veracode Vulnerability Database: VERACODE:4240
Published: May 17, 2017, 6:00 a.m.

Multiple Stack Overflows Through Embedded C Dependency

Source: sca.analysiscenter.veracode.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

nokogiri bundles a copied version of the libxml2 library, and that copy of libxml2 is susceptible to two stack-based buffer overflows.

The first is CVE-2017-9047. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. After content->prefix is appended to buf, content->name is written to the buffer. The function checks whether the name will fit, but it uses the len variable as the current buffer length rather than strlen(buf), which no longer matches len once the prefix has been appended. This only happens when content->type is XML_ELEMENT_CONTENT_ELEMENT. Because the check is wrong, a crafted document can cause extra bytes to be written beyond the allocated memory.

The second is CVE-2017-9048. At the end of the same function, xmlSnprintfElementContent in valid.c, libxml2 does not check that strlen(buf) + 2 < size before calling strcat to append two more characters, so those two bytes can be written past the end of buf.

Affected software (CPE)
Name: nokogiri
Operator: le (less than or equal to)
Version: 1.8.0
