author | Natanael Copa <ncopa@alpinelinux.org> | 2012-08-16 09:52:37 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-08-16 09:52:37 +0000 |
commit | 74a93b6947dda51282111815d38594436fced477 (patch) | |
tree | 6b79dee50f952e202b25554ec8f0b47515c5737b /main | |
parent | 4418ddad5793b4450725e317ad4231a0cb82215e (diff) |
main/libxml2: apply various fixes from upstream (CVE-2012-2807)
fixes #1305
Diffstat (limited to 'main')
-rw-r--r-- | main/libxml2/APKBUILD | 23 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch | 21 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-entities-local-buffers-size.patch | 97 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-entities-local-buffers-size2.patch | 21 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-error-xpath.patch | 62 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-hardening-xpath.patch | 224 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-parser-local-buffers-size.patch | 260 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-xpath-freeing.patch | 32 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-xpath-freeing2.patch | 28 | ||||
-rw-r--r-- | main/libxml2/libxml2-2.7.8-xpath-memory.patch | 29 |
10 files changed, 795 insertions, 2 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 8f2848f5b23..f9f52acdfbd 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Carlo Landmeter <clandmeter at gmail> pkgname=libxml2 pkgver=2.7.8 -pkgrel=3 +pkgrel=4 pkgdesc="XML parsing library, version 2" url="http://www.xmlsoft.org/" arch="all" @@ -15,6 +15,16 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz largefile64.patch libxml2-2.7.8-CVE-2011-1944.patch cve-2012-0841.patch + + libxml2-2.7.8-xpath-memory.patch + libxml2-2.7.8-xpath-freeing.patch + libxml2-2.7.8-xpath-freeing2.patch + libxml2-2.7.8-hardening-xpath.patch + libxml2-2.7.8-error-xpath.patch + libxml2-2.7.8-allocation-error-copying-entities.patch + libxml2-2.7.8-entities-local-buffers-size.patch + libxml2-2.7.8-entities-local-buffers-size2.patch + libxml2-2.7.8-parser-local-buffers-size.patch " options="!strip" @@ -59,4 +69,13 @@ utils() { md5sums="8127a65e8c3b08856093099b52599c86 libxml2-2.7.8.tar.gz 5ad4915665608ebfa5b89f7908467a72 largefile64.patch 49cba5245dfa6f2ec710324df947fff9 libxml2-2.7.8-CVE-2011-1944.patch -045c7f25e46de3127a6061e273de3f7b cve-2012-0841.patch" +045c7f25e46de3127a6061e273de3f7b cve-2012-0841.patch +bec456883fa9c91b0e7d2ad91283eeb1 libxml2-2.7.8-xpath-memory.patch +8e3374d282fc12c7e40a3c5fb4b62978 libxml2-2.7.8-xpath-freeing.patch +d1eff47d3bc99b38a09744345eaf3434 libxml2-2.7.8-xpath-freeing2.patch +9027cbb76b112629cb5fa84ffcfc44bd libxml2-2.7.8-hardening-xpath.patch +8bf2bd2422b9aab015fb7a8ca993eef3 libxml2-2.7.8-error-xpath.patch +de02f584b928d3e25babc5c90aa800be libxml2-2.7.8-allocation-error-copying-entities.patch +c8c789a4fbdae599a47ecbfa32b889d7 libxml2-2.7.8-entities-local-buffers-size.patch +cba1201e77dc0f3e337d9ff146a2666e libxml2-2.7.8-entities-local-buffers-size2.patch +6c5c7a125dddb616feb1b2f4254bf467 libxml2-2.7.8-parser-local-buffers-size.patch" 
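Review bot: The nine new entries in `source=` form an ordered series, but nothing in the APKBUILD records that the order is load-bearing: the parser-local-buffers-size hunk at `@@ -2717` carries `growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);` as context that only exists once allocation-error-copying-entities has been applied, the entities.c patches chain through their index lines (6aef49f → 859ec3b → 7d06820), and so do the xpath.c ones (81e33f6 → 1447be5 → 8b56189, b59ac5a → bcee2ea → d9d902c). A comment above the block, e.g. `# upstream patch series: keep in this order, later hunks depend on earlier context`, would stop a future alphabetical tidy-up from breaking the build; this assumes the build function, which is outside the hunk, applies patches in `source=` order. Separately, the tarball is still fetched over plain `ftp://` and pinned only by MD5, so if the abuild in use supports a stronger checksum array, adding one would be worthwhile for a package that now carries CVE fixes.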
diff --git a/main/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch b/main/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch new file mode 100644 index 00000000000..c0d943311f2 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch @@ -0,0 +1,21 @@ +From 5bd3c061823a8499b27422aee04ea20aae24f03e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 16 Dec 2011 10:53:35 +0000 +Subject: Fix an allocation error when copying entities + +--- +diff --git a/parser.c b/parser.c +index 4e5dcb9..c55e41d 100644 +--- a/parser.c ++++ b/parser.c +@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + + buffer[nbchars++] = '&'; + if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { +- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); ++ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); + } + for (;i > 0;i--) + buffer[nbchars++] = *cur++; +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-entities-local-buffers-size.patch b/main/libxml2/libxml2-2.7.8-entities-local-buffers-size.patch new file mode 100644 index 00000000000..89817d81681 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-entities-local-buffers-size.patch 
@@ -0,0 +1,97 @@ +From 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Wed, 18 Jul 2012 03:38:17 +0000 +Subject: Fix entities local buffers size problems + +--- +diff --git a/entities.c b/entities.c +index 6aef49f..859ec3b 100644 +--- a/entities.c ++++ b/entities.c +@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) { + * Macro used to grow the current buffer. + */ + #define growBufferReentrant() { \ +- buffer_size *= 2; \ +- buffer = (xmlChar *) \ +- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ +- if (buffer == NULL) { \ +- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ +- return(NULL); \ +- } \ ++ xmlChar *tmp; \ ++ size_t new_size = buffer_size *= 2; \ ++ if (new_size < buffer_size) goto mem_error; \ ++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ ++ if (tmp == NULL) goto mem_error; \ ++ buffer = tmp; \ ++ buffer_size = new_size; \ + } + + +@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) { + const xmlChar *cur = input; + xmlChar *buffer = NULL; + xmlChar *out = NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; + int html = 0; + + if (input == NULL) return(NULL); +@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) { + out = buffer; + + while (*cur != '\0') { +- if (out - buffer > buffer_size - 100) { +- int indx = out - buffer; ++ size_t indx = out - buffer; ++ if (indx + 100 > buffer_size) { + + growBufferReentrant(); + out = &buffer[indx]; +@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) { + } + *out = 0; + return(buffer); ++ ++mem_error: ++ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); ++ xmlFree(buffer); ++ return(NULL); + } + + /** +@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) { + const xmlChar *cur = input; + xmlChar *buffer = NULL; + xmlChar *out = 
NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; + if (input == NULL) return(NULL); + + /* +@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) { + out = buffer; + + while (*cur != '\0') { +- if (out - buffer > buffer_size - 10) { +- int indx = out - buffer; ++ size_t indx = out - buffer; ++ if (indx + 10 > buffer_size) { + + growBufferReentrant(); + out = &buffer[indx]; +@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) { + } + *out = 0; + return(buffer); ++ ++mem_error: ++ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); ++ xmlFree(buffer); ++ return(NULL); + } + + /** +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-entities-local-buffers-size2.patch b/main/libxml2/libxml2-2.7.8-entities-local-buffers-size2.patch new file mode 100644 index 00000000000..f3cc8b65e40 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-entities-local-buffers-size2.patch @@ -0,0 +1,21 @@ +From baaf03f80f817bb34c421421e6cb4d68c353ac9a Mon Sep 17 00:00:00 2001 +From: Aron Xu <happyaron.xu@gmail.com> +Date: Fri, 20 Jul 2012 07:41:34 +0000 +Subject: Fix an error in previous commit + +--- +diff --git a/entities.c b/entities.c +index 859ec3b..7d06820 100644 +--- a/entities.c ++++ b/entities.c +@@ -529,7 +529,7 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) { + */ + #define growBufferReentrant() { \ + xmlChar *tmp; \ +- size_t new_size = buffer_size *= 2; \ ++ size_t new_size = buffer_size * 2; \ + if (new_size < buffer_size) goto mem_error; \ + tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-error-xpath.patch b/main/libxml2/libxml2-2.7.8-error-xpath.patch new file mode 100644 index 00000000000..a12a0507416 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-error-xpath.patch 
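Review bot: The rewritten `growBufferReentrant()` macro now exits via `goto mem_error`, so every function that expands it must provide that label — the hunk adds one to xmlEncodeEntitiesReentrant and xmlEncodeSpecialChars, but the macro itself says nothing about this contract, unlike the parser.c `growBuffer` in the sibling patch, which documents `mem_error: is expected to handle memory allocation failures`. A matching comment above the `#define`, e.g. `/* requires a size_t buffer_size in scope and a mem_error: label that frees buffer and returns NULL */`, would keep the two macros consistent and warn anyone adding a third caller. Note also that both failure causes, the size-wrap check and a failed xmlRealloc, reach the same `"realloc failed"` message, so a wrapped size is reported to the user as an out-of-memory condition.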
@@ -0,0 +1,62 @@ +From 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 11 Oct 2011 08:34:34 +0000 +Subject: Fix missing error status in XPath evaluation + +Started by Chris Evans, I added a few more place where the +error should have been set in the evaluation context. +--- +diff --git a/xpath.c b/xpath.c +index bcee2ea..d9d902c 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) + sizeof(ctxt->valueTab[0])); + if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); ++ ctxt->error = XPATH_MEMORY_ERROR; + return (0); + } + ctxt->valueMax *= 2; +@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (ch & 0xc0) != 0xc0 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + /* then skip over remaining bytes for this char */ +@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (*cptr++ & 0xc0) != 0x80 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + if (ch & 0x80) /* must have had error encountered */ +@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n", + (char *) op->value4, (char *)op->value5); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + val = xmlXPathVariableLookupNS(ctxt->context, +@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); + 
xmlXPathPopFrame(ctxt, frame); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + } + xmlGenericError(xmlGenericErrorContext, + "XPath: unknown precompiled operation %d\n", op->op); ++ ctxt->error = XPATH_INVALID_OPERAND; + return (total); + } + +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-hardening-xpath.patch b/main/libxml2/libxml2-2.7.8-hardening-xpath.patch new file mode 100644 index 00000000000..8e699ec8c0b --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-hardening-xpath.patch 
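Review bot: The realloc-failure path in valuePush now records XPATH_MEMORY_ERROR but still returns 0 without releasing `value`; ownership of the pushed object passes to the stack, and callers in this file ignore valuePush's return (both calls in xmlXPathCompOpEvalPositionalPredicate in the hardening patch do), so the object leaks on every allocation-triggered failure. Releasing it before returning, `xmlXPathReleaseObject(ctxt->context, value);` ahead of `return (0);`, would close that, provided no caller retains and frees the object itself — the callers are outside the hunk. The two `/* not asserting an XPath error is probably better */` comments in xmlXPathTranslateFunction leave invalid UTF-8 silently truncated; a sentence on why that is preferable to raising XPATH_ENCODING_ERROR would help the next reader.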
@@ -0,0 +1,224 @@ +From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 18 Aug 2011 09:10:13 +0000 +Subject: Hardening of XPath evaluation + +Add a mechanism of frame for XPath evaluation when entering a function +or a scoped evaluation, also fix a potential problem in predicate +evaluation. +--- +diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h +index 1a9e30e..ddd9dd8 100644 +--- a/include/libxml/xpath.h ++++ b/include/libxml/xpath.h +@@ -68,7 +68,8 @@ typedef enum { + XPATH_UNDEF_PREFIX_ERROR, + XPATH_ENCODING_ERROR, + XPATH_INVALID_CHAR_ERROR, +- XPATH_INVALID_CTXT ++ XPATH_INVALID_CTXT, ++ XPATH_STACK_ERROR + } xmlXPathError; + + /* +@@ -380,6 +381,8 @@ struct _xmlXPathParserContext { + xmlXPathCompExprPtr comp; /* the precompiled expression */ + int xptr; /* it this an XPointer expression */ + xmlNodePtr ancestor; /* used for walking preceding axis */ ++ ++ int valueFrame; /* used to limit Pop on the stack */ + }; + + /************************************************************************ +diff --git a/xpath.c b/xpath.c +index b59ac5a..bcee2ea 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = { + "Encoding error\n", + "Char out of XML range\n", + "Invalid or incomplete context\n", ++ "Stack usage errror\n", + "?? Unknown error ??\n" /* Must be last in the list! 
*/ + }; + #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \ +@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) { + ************************************************************************/ + + /** ++ * xmlXPathSetFrame: ++ * @ctxt: an XPath parser context ++ * ++ * Set the callee evaluation frame ++ * ++ * Returns the previous frame value to be restored once done ++ */ ++static int ++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) { ++ int ret; ++ ++ if (ctxt == NULL) ++ return(0); ++ ret = ctxt->valueFrame; ++ ctxt->valueFrame = ctxt->valueNr; ++ return(ret); ++} ++ ++/** ++ * xmlXPathPopFrame: ++ * @ctxt: an XPath parser context ++ * @frame: the previous frame value ++ * ++ * Remove the callee evaluation frame ++ */ ++static void ++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) { ++ if (ctxt == NULL) ++ return; ++ if (ctxt->valueNr < ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ } ++ ctxt->valueFrame = frame; ++} ++ ++/** + * valuePop: + * @ctxt: an XPath evaluation context + * +@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt) + + if ((ctxt == NULL) || (ctxt->valueNr <= 0)) + return (NULL); ++ ++ if (ctxt->valueNr <= ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ return (NULL); ++ } ++ + ctxt->valueNr--; + if (ctxt->valueNr > 0) + ctxt->value = ctxt->valueTab[ctxt->valueNr - 1]; +@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) { + ret->valueNr = 0; + ret->valueMax = 10; + ret->value = NULL; ++ ret->valueFrame = 0; + + ret->context = ctxt; + ret->comp = comp; +@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr contextObj = NULL, exprRes = NULL; + xmlNodePtr oldContextNode, contextNode = NULL; + xmlXPathContextPtr xpctxt = ctxt->context; ++ int frame; + + #ifdef LIBXML_XPTR_ENABLED + /* +@@ 
-11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + */ + exprOp = &ctxt->comp->steps[op->ch2]; + for (i = 0; i < set->nodeNr; i++) { ++ xmlXPathObjectPtr tmp; ++ + if (set->nodeTab[i] == NULL) + continue; + +@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathNodeSetAddUnique(contextObj->nodesetval, + contextNode); + ++ frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); ++ tmp = valuePop(ctxt); ++ xmlXPathPopFrame(ctxt, frame); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { +- xmlXPathObjectPtr tmp; +- /* pop the result if any */ +- tmp = valuePop(ctxt); +- if (tmp != contextObj) { ++ while (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); +- valuePop(ctxt); ++ tmp = valuePop(ctxt); + } + goto evaluation_error; + } ++ /* push the result back onto the stack */ ++ valuePush(ctxt, tmp); + + if (res) + pos++; +@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlXPathFunction func; + const xmlChar *oldFunc, *oldFuncURI; + int i; ++ int frame; + ++ frame = xmlXPathSetFrame(ctxt); + if (op->ch1 != -1) + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); +@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } +- for (i = 0; i < op->value; i++) ++ for (i = 0; i < op->value; i++) { + if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } ++ } + if 
(op->cache != NULL) + XML_CAST_FPTR(func) = op->cache; + else { +@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + func(ctxt, op->value); + ctxt->context->function = oldFunc; + ctxt->context->functionURI = oldFuncURI; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + case XPATH_OP_ARG: +@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + #ifdef XPATH_STREAMING + if (ctxt->comp->stream) { +diff --git a/xpointer.c b/xpointer.c +index 7a42d02..37afa3a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) { + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + SKIP_BLANKS; + if (CUR == '/') { +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-parser-local-buffers-size.patch b/main/libxml2/libxml2-2.7.8-parser-local-buffers-size.patch new file mode 100644 index 00000000000..5b9adabac70 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-parser-local-buffers-size.patch 
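Review bot: The new recovery loop in xmlXPathCompOpEvalPositionalPredicate, `while (tmp != contextObj) { xmlXPathReleaseObject(xpctxt, tmp); tmp = valuePop(ctxt); }`, cannot terminate if contextObj is no longer on the stack: the same patch makes valuePop return NULL on an empty stack, so `tmp` becomes NULL and stays NULL. Whether the evaluator can consume contextObj without pushing a result depends on xmlXPathCompOpEvalToBoolean, which is outside the hunk, but the frame has already been popped at that point, so the loop would also drain and free the caller's stack entries before spinning. Guarding it with `while ((tmp != NULL) && (tmp != contextObj))` bounds the loop; whether contextObj must then still be freed at evaluation_error needs checking against that path. The new message text `"Stack usage errror\n"` also has a typo.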
@@ -0,0 +1,260 @@ +From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 17 Jul 2012 08:19:17 +0000 +Subject: Fix parser local buffers size problems + +--- +diff --git a/parser.c b/parser.c +index 2c38fae..9863275 100644 +--- a/parser.c ++++ b/parser.c +@@ -40,6 +40,7 @@ + #endif + + #include <stdlib.h> ++#include <limits.h> + #include <string.h> + #include <stdarg.h> + #include <libxml/xmlmemory.h> +@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + * parser option. + */ + static int +-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, ++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent) + { +- unsigned long consumed = 0; ++ size_t consumed = 0; + + if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) + return (0); +@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { + + /* + * Macro used to grow the current buffer. 
++ * buffer##_size is expected to be a size_t ++ * mem_error: is expected to handle memory allocation failures + */ + #define growBuffer(buffer, n) { \ + xmlChar *tmp; \ +- buffer##_size *= 2; \ +- buffer##_size += n; \ +- tmp = (xmlChar *) \ +- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ ++ size_t new_size = buffer##_size * 2 + n; \ ++ if (new_size < buffer##_size) goto mem_error; \ ++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ ++ buffer##_size = new_size; \ + } + + /** +@@ -2623,14 +2626,14 @@ xmlChar * + xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + int what, xmlChar end, xmlChar end2, xmlChar end3) { + xmlChar *buffer = NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; ++ size_t nbchars = 0; + + xmlChar *current = NULL; + xmlChar *rep = NULL; + const xmlChar *last; + xmlEntityPtr ent; + int c,l; +- int nbchars = 0; + + if ((ctxt == NULL) || (str == NULL) || (len < 0)) + return(NULL); +@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + * allocate a translation buffer. 
+ */ + buffer_size = XML_PARSER_BIG_BUFFER_SIZE; +- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); ++ buffer = (xmlChar *) xmlMallocAtomic(buffer_size); + if (buffer == NULL) goto mem_error; + + /* +@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + if (val != 0) { + COPY_BUF(0,buffer,nbchars,val); + } +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { +@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { + if (ent->content != NULL) { + COPY_BUF(0,buffer,nbchars,ent->content[0]); +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } else { +@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + current = rep; + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; +- if (nbchars > +- buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent)) + goto int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); +@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + const xmlChar *cur = ent->name; + + buffer[nbchars++] = '&'; +- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); + } + for (;i > 0;i--) +@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + current = rep; + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] 
= *current++; +- if (nbchars > +- buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent)) + goto int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); +@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + } else { + COPY_BUF(l,buffer,nbchars,c); + str += l; +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { +- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { ++ growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } + if (str < last) +@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar limit = 0; + xmlChar *buf = NULL; + xmlChar *rep = NULL; +- int len = 0; +- int buf_size = 0; ++ size_t len = 0; ++ size_t buf_size = 0; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + * allocate a translation buffer. 
+ */ + buf_size = XML_PARSER_BUFFER_SIZE; +- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); ++ buf = (xmlChar *) xmlMallocAtomic(buf_size); + if (buf == NULL) goto mem_error; + + /* +@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + + if (val == '&') { + if (ctxt->replaceEntities) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + buf[len++] = '&'; +@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + * The reparsing will be done in xmlStringGetNodeList() + * called by the attribute() function in SAX.c + */ +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + buf[len++] = '&'; +@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + buf[len++] = ';'; + } + } else if (val != 0) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + len += xmlCopyChar(0, &buf[len], val); +@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + ctxt->nbentities += ent->owner; + if ((ent != NULL) && + (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + if ((ctxt->replaceEntities == 0) && +@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + current++; + } else + buf[len++] = *current++; +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + rep = NULL; + } + } else { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + if (ent->content != NULL) +@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + * Just output the reference 
+ */ + buf[len++] = '&'; +- while (len > buf_size - i - 10) { ++ while (len + i + 10 > buf_size) { + growBuffer(buf, i + 10); + } + for (;i > 0;i--) +@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + if ((len != 0) || (!normalize)) { + if ((!normalize) || (!in_space)) { + COPY_BUF(l,buf,len,0x20); +- while (len > buf_size - 10) { ++ while (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else { + in_space = 0; + COPY_BUF(l,buf,len,c); +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + } else + NEXT; +- if (attlen != NULL) *attlen = len; ++ ++ /* ++ * There we potentially risk an overflow, don't allow attribute value of ++ * lenght more than INT_MAX it is a very reasonnable assumption ! ++ */ ++ if (len >= INT_MAX) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue lenght too long\n"); ++ goto mem_error; ++ } ++ ++ if (attlen != NULL) *attlen = (int) len; + return(buf); + + mem_error: +-- +cgit v0.9.0.2 diff --git a/main/libxml2/libxml2-2.7.8-xpath-freeing.patch b/main/libxml2/libxml2-2.7.8-xpath-freeing.patch new file mode 100644 index 00000000000..3509a48daf5 --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-xpath-freeing.patch 
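Review bot: The INT_MAX guard added at the end of xmlParseAttValueComplex reports XML_ERR_ATTRIBUTE_NOT_FINISHED and then jumps to `mem_error`, the same label the `growBuffer` macro uses for allocation failure; if that label (outside the hunk) emits its own out-of-memory diagnostic, an over-long attribute is reported twice and misattributed. A dedicated cleanup that frees `buf` (and `rep` if still held) and returns NULL would keep the report accurate, and the message and comment should read `"AttValue length too long\n"` and `reasonable`. Because the check runs only after the loop, it bounds what is returned to the caller, not how much is buffered while a single attribute value is being parsed.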
@@ -0,0 +1,32 @@ +From df83c17e5a2646bd923f75e5e507bc80d73c9722 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Wed, 17 Nov 2010 13:12:14 +0000 +Subject: Fix a potential freeing error in XPath + +--- +diff --git a/xpath.c b/xpath.c +index 81e33f6..1447be5 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + xmlXPathObjectPtr tmp; +- /* pop the result */ ++ /* pop the result if any */ + tmp = valuePop(ctxt); +- xmlXPathReleaseObject(xpctxt, tmp); +- /* then pop off contextObj, which will be freed later */ +- valuePop(ctxt); ++ if (tmp != contextObj) ++ /* ++ * Free up the result ++ * then pop off contextObj, which will be freed later ++ */ ++ xmlXPathReleaseObject(xpctxt, tmp); ++ valuePop(ctxt); + goto evaluation_error; + } + +-- +cgit v0.8.3.1 diff --git a/main/libxml2/libxml2-2.7.8-xpath-freeing2.patch b/main/libxml2/libxml2-2.7.8-xpath-freeing2.patch new file mode 100644 index 00000000000..17059418b2c --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-xpath-freeing2.patch @@ -0,0 +1,28 @@ +From fec31bcd452e77c10579467ca87a785b41115de6 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 18 Nov 2010 10:07:24 +0000 +Subject: Small fix for previous commit + +--- +diff --git a/xpath.c b/xpath.c +index 1447be5..8b56189 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr tmp; + /* pop the result if any */ + tmp = valuePop(ctxt); +- if (tmp != contextObj) ++ if (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); + valuePop(ctxt); ++ } + goto evaluation_error; + } + +-- +cgit v0.8.3.1 
diff --git a/main/libxml2/libxml2-2.7.8-xpath-memory.patch b/main/libxml2/libxml2-2.7.8-xpath-memory.patch new file mode 100644 index 00000000000..f94350d277f --- /dev/null +++ b/main/libxml2/libxml2-2.7.8-xpath-memory.patch @@ -0,0 +1,29 @@ +From 0cbeb50ee03ce582a0c979c70d8fbf030e270c37 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 15 Nov 2010 11:06:29 +0000 +Subject: Fix a potential memory access error + +in case of a previus allocation error +--- +diff --git a/xpath.c b/xpath.c +index 4d6826d..81e33f6 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3575,13 +3575,13 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) { + } else if (cur->nodeNr == cur->nodeMax) { + xmlNodePtr *temp; + +- cur->nodeMax *= 2; +- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * ++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "growing nodeset\n"); + return; + } ++ cur->nodeMax *= 2; + cur->nodeTab = temp; + } + if (val->type == XML_NAMESPACE_DECL) { +-- +cgit v0.8.3.1 |
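Review bot: Moving the realloc ahead of `cur->nodeMax *= 2` fixes the stale-size problem, but `cur->nodeMax * 2 * sizeof(xmlNodePtr)` still doubles `nodeMax` (an `int` in libxml2's xmlNodeSet; the struct is not in the hunk) in signed arithmetic before the size_t promotion, so a node set past INT_MAX/2 entries overflows with undefined behaviour before the size is even computed. A bound check ahead of the realloc, `if (cur->nodeMax > INT_MAX / 2) { xmlXPathErrMemory(NULL, "growing nodeset\n"); return; }`, closes it, at the cost of `<limits.h>` in xpath.c, which the hunk does not show. Reaching that size is implausible with 2012-era memory, so this is hardening rather than a reachable bug.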