basebuilder_pel7x64builder0
6 years ago
43 changed files with 5129 additions and 0 deletions
@ -0,0 +1,140 @@
@@ -0,0 +1,140 @@
|
||||
commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc |
||||
Author: Daniel Veillard <veillard@redhat.com> |
||||
Date: Thu Oct 2 16:17:09 2014 +0800 |
||||
|
||||
Fix for CVE-2014-3660 |
||||
|
||||
Issues related to the billion laugh entity expansion which happened to |
||||
escape the initial set of fixes |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index f30588c..3c72cbb 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, |
||||
return (0); |
||||
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) |
||||
return (1); |
||||
+ |
||||
+ /* |
||||
+ * This may look absurd but is needed to detect |
||||
+ * entities problems |
||||
+ */ |
||||
+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && |
||||
+ (ent->content != NULL) && (ent->checked == 0)) { |
||||
+ unsigned long oldnbent = ctxt->nbentities; |
||||
+ xmlChar *rep; |
||||
+ |
||||
+ ent->checked = 1; |
||||
+ |
||||
+ rep = xmlStringDecodeEntities(ctxt, ent->content, |
||||
+ XML_SUBSTITUTE_REF, 0, 0, 0); |
||||
+ |
||||
+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; |
||||
+ if (rep != NULL) { |
||||
+ if (xmlStrchr(rep, '<')) |
||||
+ ent->checked |= 1; |
||||
+ xmlFree(rep); |
||||
+ rep = NULL; |
||||
+ } |
||||
+ } |
||||
if (replacement != 0) { |
||||
if (replacement < XML_MAX_TEXT_LENGTH) |
||||
return(0); |
||||
@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, |
||||
return (0); |
||||
} else { |
||||
/* |
||||
- * strange we got no data for checking just return |
||||
+ * strange we got no data for checking |
||||
*/ |
||||
- return (0); |
||||
+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) && |
||||
+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) || |
||||
+ (ctxt->nbentities <= 10000)) |
||||
+ return (0); |
||||
} |
||||
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); |
||||
return (1); |
||||
@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { |
||||
name, NULL); |
||||
ctxt->valid = 0; |
||||
} |
||||
+ xmlParserEntityCheck(ctxt, 0, NULL, 0); |
||||
} else if (ctxt->input->free != deallocblankswrapper) { |
||||
input = xmlNewBlanksWrapperInputStream(ctxt, entity); |
||||
if (xmlPushInput(ctxt, input) < 0) |
||||
@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, |
||||
if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || |
||||
(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) |
||||
goto int_error; |
||||
+ xmlParserEntityCheck(ctxt, 0, ent, 0); |
||||
if (ent != NULL) |
||||
ctxt->nbentities += ent->checked / 2; |
||||
if ((ent != NULL) && |
||||
@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, |
||||
ent = xmlParseStringPEReference(ctxt, &str); |
||||
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) |
||||
goto int_error; |
||||
+ xmlParserEntityCheck(ctxt, 0, ent, 0); |
||||
if (ent != NULL) |
||||
ctxt->nbentities += ent->checked / 2; |
||||
if (ent != NULL) { |
||||
@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { |
||||
(ret != XML_WAR_UNDECLARED_ENTITY)) { |
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY, |
||||
"Entity '%s' failed to parse\n", ent->name); |
||||
+ xmlParserEntityCheck(ctxt, 0, ent, 0); |
||||
} else if (list != NULL) { |
||||
xmlFreeNodeList(list); |
||||
list = NULL; |
||||
@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { |
||||
/* |
||||
* We are copying here, make sure there is no abuse |
||||
*/ |
||||
- ctxt->sizeentcopy += ent->length; |
||||
+ ctxt->sizeentcopy += ent->length + 5; |
||||
if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) |
||||
return; |
||||
|
||||
@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { |
||||
/* |
||||
* We are copying here, make sure there is no abuse |
||||
*/ |
||||
- ctxt->sizeentcopy += ent->length; |
||||
+ ctxt->sizeentcopy += ent->length + 5; |
||||
if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) |
||||
return; |
||||
|
||||
@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) { |
||||
ctxt->sax->reference(ctxt->userData, name); |
||||
} |
||||
} |
||||
+ xmlParserEntityCheck(ctxt, 0, ent, 0); |
||||
ctxt->valid = 0; |
||||
} |
||||
|
||||
@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) { |
||||
"Entity '%s' not defined\n", |
||||
name); |
||||
} |
||||
+ xmlParserEntityCheck(ctxt, 0, ent, 0); |
||||
/* TODO ? check regressions ctxt->valid = 0; */ |
||||
} |
||||
|
||||
@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) |
||||
name, NULL); |
||||
ctxt->valid = 0; |
||||
} |
||||
+ xmlParserEntityCheck(ctxt, 0, NULL, 0); |
||||
} else { |
||||
/* |
||||
* Internal checking in case the entity quest barfed |
||||
@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) { |
||||
name, NULL); |
||||
ctxt->valid = 0; |
||||
} |
||||
+ xmlParserEntityCheck(ctxt, 0, NULL, 0); |
||||
} else { |
||||
/* |
||||
* Internal checking in case the entity quest barfed |
||||
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c |
||||
--- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200 |
||||
+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100 |
||||
@@ -552,17 +552,20 @@ xz_decomp(xz_statep state) |
||||
#ifdef HAVE_ZLIB_H |
||||
if (state->how == GZIP) { |
||||
if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) { |
||||
- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file"); |
||||
- return -1; |
||||
- } |
||||
- if (crc != state->zstrm.adler) { |
||||
- xz_error(state, LZMA_DATA_ERROR, "incorrect data check"); |
||||
- return -1; |
||||
- } |
||||
- if (len != (state->zstrm.total_out & 0xffffffffL)) { |
||||
- xz_error(state, LZMA_DATA_ERROR, "incorrect length check"); |
||||
- return -1; |
||||
- } |
||||
+ /* |
||||
+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file"); |
||||
+ return -1; |
||||
+ */ |
||||
+ } else { |
||||
+ if (crc != state->zstrm.adler) { |
||||
+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check"); |
||||
+ return -1; |
||||
+ } |
||||
+ if (len != (state->zstrm.total_out & 0xffffffffL)) { |
||||
+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check"); |
||||
+ return -1; |
||||
+ } |
||||
+ } |
||||
state->strm.avail_in = 0; |
||||
state->strm.next_in = NULL; |
||||
state->strm.avail_out = 0; |
||||
@ -0,0 +1,72 @@
@@ -0,0 +1,72 @@
|
||||
From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001 |
||||
From: Peter Simons <psimons@suse.com> |
||||
Date: Fri, 15 Apr 2016 11:56:55 +0200 |
||||
Subject: [PATCH] Add missing increments of recursion depth counter to XML |
||||
parser. |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=765207 |
||||
CVE-2016-3705 |
||||
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call |
||||
xmlStringDecodeEntities() in a recursive context without incrementing the |
||||
'depth' counter in the parser context. Because of that omission, the parser |
||||
failed to detect attribute recursions in certain documents before running out |
||||
of stack space. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 8 ++++++++ |
||||
1 file changed, 8 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 0accf54..32293d0 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, |
||||
|
||||
ent->checked = 1; |
||||
|
||||
+ ++ctxt->depth; |
||||
rep = xmlStringDecodeEntities(ctxt, ent->content, |
||||
XML_SUBSTITUTE_REF, 0, 0, 0); |
||||
+ --ctxt->depth; |
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; |
||||
if (rep != NULL) { |
||||
@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { |
||||
* an entity declaration, it is bypassed and left as is. |
||||
* so XML_SUBSTITUTE_REF is not set here. |
||||
*/ |
||||
+ ++ctxt->depth; |
||||
ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF, |
||||
0, 0, 0); |
||||
+ --ctxt->depth; |
||||
if (orig != NULL) |
||||
*orig = buf; |
||||
else |
||||
@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { |
||||
} else if ((ent != NULL) && |
||||
(ctxt->replaceEntities != 0)) { |
||||
if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) { |
||||
+ ++ctxt->depth; |
||||
rep = xmlStringDecodeEntities(ctxt, ent->content, |
||||
XML_SUBSTITUTE_REF, |
||||
0, 0, 0); |
||||
+ --ctxt->depth; |
||||
if (rep != NULL) { |
||||
current = rep; |
||||
while (*current != 0) { /* non input consuming */ |
||||
@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { |
||||
(ent->content != NULL) && (ent->checked == 0)) { |
||||
unsigned long oldnbent = ctxt->nbentities; |
||||
|
||||
+ ++ctxt->depth; |
||||
rep = xmlStringDecodeEntities(ctxt, ent->content, |
||||
XML_SUBSTITUTE_REF, 0, 0, 0); |
||||
+ --ctxt->depth; |
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; |
||||
if (rep != NULL) { |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,84 @@
@@ -0,0 +1,84 @@
|
||||
From d6b6dc7bb5e68fa11cb980bc08c4d9ea3f39b190 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 14:55:30 +0800 |
||||
Subject: [PATCH] Add xmlHaltParser() to stop the parser |
||||
To: libvir-list@redhat.com |
||||
|
||||
The problem is doing it in a consistent and safe fashion |
||||
It's more complex than just setting ctxt->instate = XML_PARSER_EOF |
||||
Update the public function to reuse that new internal routine |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 34 +++++++++++++++++++++++++++++----- |
||||
1 file changed, 29 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index e536e54..5b4f719 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -94,6 +94,8 @@ static xmlParserCtxtPtr |
||||
xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, |
||||
const xmlChar *base, xmlParserCtxtPtr pctx); |
||||
|
||||
+static void xmlHaltParser(xmlParserCtxtPtr ctxt); |
||||
+ |
||||
/************************************************************************ |
||||
* * |
||||
* Arbitrary limits set in the parser. See XML_PARSE_HUGE * |
||||
@@ -12558,25 +12560,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr sax, void *user_data, |
||||
#endif /* LIBXML_PUSH_ENABLED */ |
||||
|
||||
/** |
||||
- * xmlStopParser: |
||||
+ * xmlHaltParser: |
||||
* @ctxt: an XML parser context |
||||
* |
||||
- * Blocks further parser processing |
||||
+ * Blocks further parser processing don't override error |
||||
+ * for internal use |
||||
*/ |
||||
-void |
||||
-xmlStopParser(xmlParserCtxtPtr ctxt) { |
||||
+static void |
||||
+xmlHaltParser(xmlParserCtxtPtr ctxt) { |
||||
if (ctxt == NULL) |
||||
return; |
||||
ctxt->instate = XML_PARSER_EOF; |
||||
- ctxt->errNo = XML_ERR_USER_STOP; |
||||
ctxt->disableSAX = 1; |
||||
if (ctxt->input != NULL) { |
||||
+ /* |
||||
+ * in case there was a specific allocation deallocate before |
||||
+ * overriding base |
||||
+ */ |
||||
+ if (ctxt->input->free != NULL) { |
||||
+ ctxt->input->free((xmlChar *) ctxt->input->base); |
||||
+ ctxt->input->free = NULL; |
||||
+ } |
||||
ctxt->input->cur = BAD_CAST""; |
||||
ctxt->input->base = ctxt->input->cur; |
||||
} |
||||
} |
||||
|
||||
/** |
||||
+ * xmlStopParser: |
||||
+ * @ctxt: an XML parser context |
||||
+ * |
||||
+ * Blocks further parser processing |
||||
+ */ |
||||
+void |
||||
+xmlStopParser(xmlParserCtxtPtr ctxt) { |
||||
+ if (ctxt == NULL) |
||||
+ return; |
||||
+ xmlHaltParser(ctxt); |
||||
+ ctxt->errNo = XML_ERR_USER_STOP; |
||||
+} |
||||
+ |
||||
+/** |
||||
* xmlCreateIOParserCtxt: |
||||
* @sax: a SAX handler |
||||
* @user_data: The user data returned on SAX callbacks |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
From 8d9f8c6dca5fd34743ed11ef0c570c4306db10e5 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 23 Oct 2015 19:02:28 +0800 |
||||
Subject: [PATCH] Another variation of overflow in Conditional sections |
||||
To: libvir-list@redhat.com |
||||
|
||||
Which happen after the previous fix to |
||||
https://bugzilla.gnome.org/show_bug.cgi?id=756456 |
||||
|
||||
But stopping the parser and exiting we didn't pop the intermediary entities |
||||
and doing the SKIP there applies on an input which may be too small |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 4 +++- |
||||
1 file changed, 3 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index e2e0ad8..4926ab0 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6895,7 +6895,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
"All markup of the conditional section is not in the same entity\n", |
||||
NULL, NULL); |
||||
} |
||||
- SKIP(3); |
||||
+ if ((ctxt-> instate != XML_PARSER_EOF) && |
||||
+ ((ctxt->input->cur + 3) < ctxt->input->end)) |
||||
+ SKIP(3); |
||||
} |
||||
} |
||||
|
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,62 @@
@@ -0,0 +1,62 @@
|
||||
From 2fc95df152622cf5cf1d478af6ed3538e170118b Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 23 May 2016 12:27:58 +0800 |
||||
Subject: [PATCH] Avoid building recursive entities |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=762100 |
||||
|
||||
When we detect a recusive entity we should really not |
||||
build the associated data, moreover if someone bypass |
||||
libxml2 fatal errors and still tries to serialize a broken |
||||
entity make sure we don't risk to get ito a recursion |
||||
|
||||
* parser.c: xmlParserEntityCheck() don't build if entity loop |
||||
were found and remove the associated text content |
||||
* tree.c: xmlStringGetNodeList() avoid a potential recursion |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 6 +++++- |
||||
tree.c | 1 + |
||||
2 files changed, 6 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 32293d0..2ae44c5 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, |
||||
* entities problems |
||||
*/ |
||||
if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) && |
||||
- (ent->content != NULL) && (ent->checked == 0)) { |
||||
+ (ent->content != NULL) && (ent->checked == 0) && |
||||
+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) { |
||||
unsigned long oldnbent = ctxt->nbentities; |
||||
xmlChar *rep; |
||||
|
||||
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, |
||||
rep = xmlStringDecodeEntities(ctxt, ent->content, |
||||
XML_SUBSTITUTE_REF, 0, 0, 0); |
||||
--ctxt->depth; |
||||
+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { |
||||
+ ent->content[0] = 0; |
||||
+ } |
||||
|
||||
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2; |
||||
if (rep != NULL) { |
||||
diff --git a/tree.c b/tree.c |
||||
index 7e5af26..83ec66f 100644 |
||||
--- a/tree.c |
||||
+++ b/tree.c |
||||
@@ -1588,6 +1588,7 @@ xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) { |
||||
else if ((ent != NULL) && (ent->children == NULL)) { |
||||
xmlNodePtr temp; |
||||
|
||||
+ ent->children = (xmlNodePtr) -1; |
||||
ent->children = xmlStringGetNodeList(doc, |
||||
(const xmlChar*)node->content); |
||||
ent->owner = 1; |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,38 @@
@@ -0,0 +1,38 @@
|
||||
From eb1114e90b22e09d500840bac1e171763e8baa16 Mon Sep 17 00:00:00 2001 |
||||
From: Hugh Davenport <hugh@allthethings.co.nz> |
||||
Date: Tue, 3 Nov 2015 20:40:49 +0800 |
||||
Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756263 |
||||
|
||||
One place where ctxt->instate == XML_PARSER_EOF whic was set up |
||||
by entity detection issues doesn't get noticed, and even overrided |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 8 ++++++++ |
||||
1 file changed, 8 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index b56d94c..262db1e 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6952,6 +6952,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) { |
||||
xmlParsePI(ctxt); |
||||
} |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * detect requirement to exit there and act accordingly |
||||
+ * and avoid having instate overriden later on |
||||
+ */ |
||||
+ if (ctxt->instate == XML_PARSER_EOF) |
||||
+ return; |
||||
+ |
||||
/* |
||||
* This is only for internal subset. On external entities, |
||||
* the replacement is done before parsing stage |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,85 @@
@@ -0,0 +1,85 @@
|
||||
From 7c2be3213eeddd202c3e4c600cf3cfac06fb128a Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 9 Nov 2015 18:07:18 +0800 |
||||
Subject: [PATCH] Avoid processing entities after encoding conversion failures |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756527 |
||||
and was also raised by Chromium team in the past |
||||
|
||||
When we hit a convwersion failure when switching encoding |
||||
it is bestter to stop parsing there, this was treated as a |
||||
fatal error but the parser was continuing to process to extract |
||||
more errors, unfortunately that makes little sense as the data |
||||
is obviously corrupt and can potentially lead to unexpected behaviour. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 7 +++++-- |
||||
parserInternals.c | 11 ++++++++++- |
||||
2 files changed, 15 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 262db1e..134ea7f 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -10598,7 +10598,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) { |
||||
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n"); |
||||
} |
||||
xmlParseEncodingDecl(ctxt); |
||||
- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { |
||||
+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || |
||||
+ (ctxt->instate == XML_PARSER_EOF)) { |
||||
/* |
||||
* The XML REC instructs us to stop parsing right here |
||||
*/ |
||||
@@ -10722,6 +10723,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { |
||||
|
||||
if (CUR == 0) { |
||||
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); |
||||
+ return(-1); |
||||
} |
||||
|
||||
/* |
||||
@@ -10739,7 +10741,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { |
||||
* Note that we will switch encoding on the fly. |
||||
*/ |
||||
xmlParseXMLDecl(ctxt); |
||||
- if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) { |
||||
+ if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) || |
||||
+ (ctxt->instate == XML_PARSER_EOF)) { |
||||
/* |
||||
* The XML REC instructs us to stop parsing right here |
||||
*/ |
||||
diff --git a/parserInternals.c b/parserInternals.c |
||||
index f8a7041..9acfea4 100644 |
||||
--- a/parserInternals.c |
||||
+++ b/parserInternals.c |
||||
@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) |
||||
{ |
||||
xmlCharEncodingHandlerPtr handler; |
||||
int len = -1; |
||||
+ int ret; |
||||
|
||||
if (ctxt == NULL) return(-1); |
||||
switch (enc) { |
||||
@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc) |
||||
if (handler == NULL) |
||||
return(-1); |
||||
ctxt->charset = XML_CHAR_ENCODING_UTF8; |
||||
- return(xmlSwitchToEncodingInt(ctxt, handler, len)); |
||||
+ ret = xmlSwitchToEncodingInt(ctxt, handler, len); |
||||
+ if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) { |
||||
+ /* |
||||
+ * on encoding conversion errors, stop the parser |
||||
+ */ |
||||
+ xmlStopParser(ctxt); |
||||
+ ctxt->errNo = XML_I18N_CONV_FAILED; |
||||
+ } |
||||
+ return(ret); |
||||
} |
||||
|
||||
/** |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,38 @@
@@ -0,0 +1,38 @@
|
||||
From 367c602b42f1afe7ed50508b01491b5690d54d52 Mon Sep 17 00:00:00 2001 |
||||
From: Pranjal Jumde <pjumde@apple.com> |
||||
Date: Mon, 7 Mar 2016 06:34:26 -0800 |
||||
Subject: [PATCH] Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup |
||||
<https://bugzilla.gnome.org/show_bug.cgi?id=757711> |
||||
To: libvir-list@redhat.com |
||||
|
||||
* xmlregexp.c: |
||||
(xmlFAParseCharRange): Only advance to the next character if |
||||
there is no error. Advancing to the next character in case of |
||||
an error while parsing regexp leads to an out of bounds access. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
xmlregexp.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/xmlregexp.c b/xmlregexp.c |
||||
index 1f9911c..eb67b74 100644 |
||||
--- a/xmlregexp.c |
||||
+++ b/xmlregexp.c |
||||
@@ -5050,11 +5050,12 @@ xmlFAParseCharRange(xmlRegParserCtxtPtr ctxt) { |
||||
ERROR("Expecting the end of a char range"); |
||||
return; |
||||
} |
||||
- NEXTL(len); |
||||
+ |
||||
/* TODO check that the values are acceptable character ranges for XML */ |
||||
if (end < start) { |
||||
ERROR("End of range is before start of range"); |
||||
} else { |
||||
+ NEXTL(len); |
||||
xmlRegAtomAddRange(ctxt, ctxt->atom, ctxt->neg, |
||||
XML_REGEXP_CHARVAL, start, end, NULL); |
||||
} |
||||
-- |
||||
2.5.5 |
||||
|
||||
File diff suppressed because one or more lines are too long
@ -0,0 +1,114 @@
@@ -0,0 +1,114 @@
|
||||
commit 3018042fd3c11c3d6cda36b3cbae4f7bb4f20c3d |
||||
Author: Pranjal Jumde <pjumde@apple.com> |
||||
Date: Tue Mar 1 11:34:04 2016 -0800 |
||||
|
||||
Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> |
||||
|
||||
Reviewed by David Kilzer. |
||||
|
||||
* HTMLparser.c: |
||||
(htmlParseName): Add bounds check. |
||||
(htmlParseNameComplex): Ditto. |
||||
* result/HTML/758605.html: Added. |
||||
* result/HTML/758605.html.err: Added. |
||||
* result/HTML/758605.html.sax: Added. |
||||
* runtest.c: |
||||
(pushParseTest): The input for the new test case was so small |
||||
(4 bytes) that htmlParseChunk() was never called after |
||||
htmlCreatePushParserCtxt(), thereby creating a false positive |
||||
test failure. Fixed by using a do-while loop so we always call |
||||
htmlParseChunk() at least once. |
||||
* test/HTML/758605.html: Added. |
||||
|
||||
diff --git a/HTMLparser.c b/HTMLparser.c |
||||
index 4331d53..a897cb0 100644 |
||||
--- a/HTMLparser.c |
||||
+++ b/HTMLparser.c |
||||
@@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { |
||||
(*in == '_') || (*in == '-') || |
||||
(*in == ':') || (*in == '.')) |
||||
in++; |
||||
+ |
||||
+ if (in == ctxt->input->end) |
||||
+ return(NULL); |
||||
+ |
||||
if ((*in > 0) && (*in < 0x80)) { |
||||
count = in - ctxt->input->cur; |
||||
ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); |
||||
@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { |
||||
NEXTL(l); |
||||
c = CUR_CHAR(l); |
||||
} |
||||
+ |
||||
+ if (ctxt->input->base > ctxt->input->cur - len) |
||||
+ return(NULL); |
||||
+ |
||||
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); |
||||
} |
||||
|
||||
diff --git a/result/HTML/758605.html b/result/HTML/758605.html |
||||
new file mode 100644 |
||||
index 0000000..a085cce |
||||
--- /dev/null |
||||
+++ b/result/HTML/758605.html |
||||
@@ -0,0 +1,3 @@ |
||||
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> |
||||
+<html><body><p>& |
||||
+</p></body></html> |
||||
diff --git a/result/HTML/758605.html.err b/result/HTML/758605.html.err |
||||
new file mode 100644 |
||||
index 0000000..2b82be6 |
||||
--- /dev/null |
||||
+++ b/result/HTML/758605.html.err |
||||
@@ -0,0 +1,3 @@ |
||||
+./test/HTML/758605.html:1: HTML parser error : htmlParseEntityRef: no name |
||||
+ê |
||||
+ ^ |
||||
diff --git a/result/HTML/758605.html.sax b/result/HTML/758605.html.sax |
||||
new file mode 100644 |
||||
index 0000000..1f5cd32 |
||||
--- /dev/null |
||||
+++ b/result/HTML/758605.html.sax |
||||
@@ -0,0 +1,13 @@ |
||||
+SAX.setDocumentLocator() |
||||
+SAX.startDocument() |
||||
+SAX.error: htmlParseEntityRef: no name |
||||
+SAX.startElement(html) |
||||
+SAX.startElement(body) |
||||
+SAX.startElement(p) |
||||
+SAX.characters(&, 1) |
||||
+SAX.ignorableWhitespace( |
||||
+, 1) |
||||
+SAX.endElement(p) |
||||
+SAX.endElement(body) |
||||
+SAX.endElement(html) |
||||
+SAX.endDocument() |
||||
diff --git a/runtest.c b/runtest.c |
||||
index ccdd49b..0afa788 100644 |
||||
--- a/runtest.c |
||||
+++ b/runtest.c |
||||
@@ -1824,7 +1824,7 @@ pushParseTest(const char *filename, const char *result, |
||||
ctxt = xmlCreatePushParserCtxt(NULL, NULL, base + cur, 4, filename); |
||||
xmlCtxtUseOptions(ctxt, options); |
||||
cur += 4; |
||||
- while (cur < size) { |
||||
+ do { |
||||
if (cur + 1024 >= size) { |
||||
#ifdef LIBXML_HTML_ENABLED |
||||
if (options & XML_PARSE_HTML) |
||||
@@ -1842,7 +1842,7 @@ pushParseTest(const char *filename, const char *result, |
||||
xmlParseChunk(ctxt, base + cur, 1024, 0); |
||||
cur += 1024; |
||||
} |
||||
- } |
||||
+ } while (cur < size); |
||||
doc = ctxt->myDoc; |
||||
#ifdef LIBXML_HTML_ENABLED |
||||
if (options & XML_PARSE_HTML) |
||||
diff --git a/test/HTML/758605.html b/test/HTML/758605.html |
||||
new file mode 100644 |
||||
index 0000000..9b1b3c2 |
||||
--- /dev/null |
||||
+++ b/test/HTML/758605.html |
||||
@@ -0,0 +1 @@ |
||||
+&:ê |
||||
@ -0,0 +1,53 @@
@@ -0,0 +1,53 @@
|
||||
From b1a4e51efbfb1ae3a37a14be73d438aaab6b5c9e Mon Sep 17 00:00:00 2001 |
||||
From: Pranjal Jumde <pjumde@apple.com> |
||||
Date: Tue, 8 Mar 2016 17:29:00 -0800 |
||||
Subject: [PATCH] Bug 763071: heap-buffer-overflow in xmlStrncat |
||||
<https://bugzilla.gnome.org/show_bug.cgi?id=763071> |
||||
To: libvir-list@redhat.com |
||||
|
||||
* xmlstring.c: |
||||
(xmlStrncat): Return NULL if xmlStrlen returns a negative length. |
||||
(xmlStrncatNew): Ditto. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
xmlstring.c | 9 ++++++++- |
||||
1 file changed, 8 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/xmlstring.c b/xmlstring.c |
||||
index a37220d..d465c23 100644 |
||||
--- a/xmlstring.c |
||||
+++ b/xmlstring.c |
||||
@@ -457,6 +457,8 @@ xmlStrncat(xmlChar *cur, const xmlChar *add, int len) { |
||||
return(xmlStrndup(add, len)); |
||||
|
||||
size = xmlStrlen(cur); |
||||
+ if (size < 0) |
||||
+ return(NULL); |
||||
ret = (xmlChar *) xmlRealloc(cur, (size + len + 1) * sizeof(xmlChar)); |
||||
if (ret == NULL) { |
||||
xmlErrMemory(NULL, NULL); |
||||
@@ -484,14 +486,19 @@ xmlStrncatNew(const xmlChar *str1, const xmlChar *str2, int len) { |
||||
int size; |
||||
xmlChar *ret; |
||||
|
||||
- if (len < 0) |
||||
+ if (len < 0) { |
||||
len = xmlStrlen(str2); |
||||
+ if (len < 0) |
||||
+ return(NULL); |
||||
+ } |
||||
if ((str2 == NULL) || (len == 0)) |
||||
return(xmlStrdup(str1)); |
||||
if (str1 == NULL) |
||||
return(xmlStrndup(str2, len)); |
||||
|
||||
size = xmlStrlen(str1); |
||||
+ if (size < 0) |
||||
+ return(NULL); |
||||
ret = (xmlChar *) xmlMalloc((size + len + 1) * sizeof(xmlChar)); |
||||
if (ret == NULL) { |
||||
xmlErrMemory(NULL, NULL); |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,30 @@
@@ -0,0 +1,30 @@
|
||||
From 3154c607f22497fa843b8ad8a596ef5523d42ee6 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 15:07:38 +0800 |
||||
Subject: [PATCH] Bug on creating new stream from entity |
||||
To: libvir-list@redhat.com |
||||
|
||||
sometimes the entity could have a lenght of 0, i.e. it wasn't |
||||
parsed or used yet, and we ended up with an incoherent input state |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parserInternals.c | 2 ++ |
||||
1 file changed, 2 insertions(+) |
||||
|
||||
diff --git a/parserInternals.c b/parserInternals.c |
||||
index 9acfea4..1fe1f6a 100644 |
||||
--- a/parserInternals.c |
||||
+++ b/parserInternals.c |
||||
@@ -1459,6 +1459,8 @@ xmlNewEntityInputStream(xmlParserCtxtPtr ctxt, xmlEntityPtr entity) { |
||||
if (entity->URI != NULL) |
||||
input->filename = (char *) xmlStrdup((xmlChar *) entity->URI); |
||||
input->base = entity->content; |
||||
+ if (entity->length == 0) |
||||
+ entity->length = xmlStrlen(entity->content); |
||||
input->cur = entity->content; |
||||
input->length = entity->length; |
||||
input->end = &entity->content[input->length]; |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,179 @@
@@ -0,0 +1,179 @@
|
||||
From 5cec67e3f8d56e6e5fda2f90e102950cbb09e3d1 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Tue, 14 Apr 2015 17:41:48 +0800 |
||||
Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory |
||||
To: libvir-list@redhat.com |
||||
|
||||
One of the operation on the reader could resolve entities |
||||
leading to the classic expansion issue. Make sure the |
||||
buffer used for xmlreader operation is bounded. |
||||
Introduce a new allocation type for the buffers for this effect. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- |
||||
include/libxml/tree.h | 3 ++- |
||||
xmlreader.c | 20 +++++++++++++++++++- |
||||
3 files changed, 63 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/buf.c b/buf.c |
||||
index d1756c4..b52e41d 100644 |
||||
--- a/buf.c |
||||
+++ b/buf.c |
||||
@@ -27,6 +27,7 @@ |
||||
#include <libxml/tree.h> |
||||
#include <libxml/globals.h> |
||||
#include <libxml/tree.h> |
||||
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ |
||||
#include "buf.h" |
||||
|
||||
#define WITH_BUFFER_COMPAT |
||||
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, |
||||
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || |
||||
(scheme == XML_BUFFER_ALLOC_EXACT) || |
||||
(scheme == XML_BUFFER_ALLOC_HYBRID) || |
||||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { |
||||
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || |
||||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { |
||||
buf->alloc = scheme; |
||||
if (buf->buffer) |
||||
buf->buffer->alloc = scheme; |
||||
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { |
||||
size = buf->use + len + 100; |
||||
#endif |
||||
|
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
||||
+ /* |
||||
+ * Used to provide parsing limits |
||||
+ */ |
||||
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || |
||||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) { |
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n"); |
||||
+ return(0); |
||||
+ } |
||||
+ if (size >= XML_MAX_TEXT_LENGTH) |
||||
+ size = XML_MAX_TEXT_LENGTH; |
||||
+ } |
||||
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { |
||||
size_t start_buf = buf->content - buf->contentIO; |
||||
|
||||
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) |
||||
CHECK_COMPAT(buf) |
||||
|
||||
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); |
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
||||
+ /* |
||||
+ * Used to provide parsing limits |
||||
+ */ |
||||
+ if (size >= XML_MAX_TEXT_LENGTH) { |
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n"); |
||||
+ return(0); |
||||
+ } |
||||
+ } |
||||
|
||||
/* Don't resize if we don't have to */ |
||||
if (size < buf->size) |
||||
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { |
||||
|
||||
needSize = buf->use + len + 2; |
||||
if (needSize > buf->size){ |
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
||||
+ /* |
||||
+ * Used to provide parsing limits |
||||
+ */ |
||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) { |
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n"); |
||||
+ return(-1); |
||||
+ } |
||||
+ } |
||||
if (!xmlBufResize(buf, needSize)){ |
||||
xmlBufMemoryError(buf, "growing buffer"); |
||||
return XML_ERR_NO_MEMORY; |
||||
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { |
||||
} |
||||
needSize = buf->use + len + 2; |
||||
if (needSize > buf->size){ |
||||
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
||||
+ /* |
||||
+ * Used to provide parsing limits |
||||
+ */ |
||||
+ if (needSize >= XML_MAX_TEXT_LENGTH) { |
||||
+ xmlBufMemoryError(buf, "buffer error: text too long\n"); |
||||
+ return(-1); |
||||
+ } |
||||
+ } |
||||
if (!xmlBufResize(buf, needSize)){ |
||||
xmlBufMemoryError(buf, "growing buffer"); |
||||
return XML_ERR_NO_MEMORY; |
||||
diff --git a/include/libxml/tree.h b/include/libxml/tree.h |
||||
index 7e06686..d904a44 100644 |
||||
--- a/include/libxml/tree.h |
||||
+++ b/include/libxml/tree.h |
||||
@@ -76,7 +76,8 @@ typedef enum { |
||||
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ |
||||
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ |
||||
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ |
||||
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ |
||||
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ |
||||
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ |
||||
} xmlBufferAllocationScheme; |
||||
|
||||
/** |
||||
diff --git a/xmlreader.c b/xmlreader.c |
||||
index 00083d0..4fabaa9 100644 |
||||
--- a/xmlreader.c |
||||
+++ b/xmlreader.c |
||||
@@ -2077,6 +2077,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { |
||||
"xmlNewTextReader : malloc failed\n"); |
||||
return(NULL); |
||||
} |
||||
+ /* no operation on a reader should require a huge buffer */ |
||||
+ xmlBufSetAllocationScheme(ret->buffer, |
||||
+ XML_BUFFER_ALLOC_BOUNDED); |
||||
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); |
||||
if (ret->sax == NULL) { |
||||
xmlBufFree(ret->buffer); |
||||
@@ -3602,6 +3605,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { |
||||
return(((xmlNsPtr) node)->href); |
||||
case XML_ATTRIBUTE_NODE:{ |
||||
xmlAttrPtr attr = (xmlAttrPtr) node; |
||||
+ const xmlChar *ret; |
||||
|
||||
if ((attr->children != NULL) && |
||||
(attr->children->type == XML_TEXT_NODE) && |
||||
@@ -3615,10 +3619,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { |
||||
"xmlTextReaderSetup : malloc failed\n"); |
||||
return (NULL); |
||||
} |
||||
+ xmlBufSetAllocationScheme(reader->buffer, |
||||
+ XML_BUFFER_ALLOC_BOUNDED); |
||||
} else |
||||
xmlBufEmpty(reader->buffer); |
||||
xmlBufGetNodeContent(reader->buffer, node); |
||||
- return(xmlBufContent(reader->buffer)); |
||||
+ ret = xmlBufContent(reader->buffer); |
||||
+ if (ret == NULL) { |
||||
+ /* error on the buffer best to reallocate */ |
||||
+ xmlBufFree(reader->buffer); |
||||
+ reader->buffer = xmlBufCreateSize(100); |
||||
+ xmlBufSetAllocationScheme(reader->buffer, |
||||
+ XML_BUFFER_ALLOC_BOUNDED); |
||||
+ ret = BAD_CAST ""; |
||||
+ } |
||||
+ return(ret); |
||||
} |
||||
break; |
||||
} |
||||
@@ -5117,6 +5132,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, |
||||
"xmlTextReaderSetup : malloc failed\n"); |
||||
return (-1); |
||||
} |
||||
+ /* no operation on a reader should require a huge buffer */ |
||||
+ xmlBufSetAllocationScheme(reader->buffer, |
||||
+ XML_BUFFER_ALLOC_BOUNDED); |
||||
if (reader->sax == NULL) |
||||
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); |
||||
if (reader->sax == NULL) { |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001 |
||||
From: David Drysdale <drysdale@google.com> |
||||
Date: Fri, 20 Nov 2015 11:13:45 +0800 |
||||
Subject: [PATCH] CVE-2015-5312 Another entity expansion issue |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756733 |
||||
It is one case where the code in place to detect entities expansions |
||||
failed to exit when the situation was detected, leading to DoS |
||||
Problem reported by Kostya Serebryany @ Google |
||||
Patch provided by David Drysdale @ Google |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 4 ++++ |
||||
1 file changed, 4 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index a58dda3..e536e54 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, |
||||
0, 0, 0); |
||||
ctxt->depth--; |
||||
|
||||
+ if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) || |
||||
+ (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR)) |
||||
+ goto int_error; |
||||
+ |
||||
if (rep != NULL) { |
||||
current = rep; |
||||
while (*current != 0) { /* non input consuming loop */ |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,36 @@
@@ -0,0 +1,36 @@
|
||||
From 540a3b58c233db4f2d2becea9c2b79b3ce190055 Mon Sep 17 00:00:00 2001 |
||||
From: David Drysdale <drysdale@google.com> |
||||
Date: Fri, 20 Nov 2015 10:47:12 +0800 |
||||
Subject: [PATCH] CVE-2015-7497 Avoid an heap buffer overflow in |
||||
xmlDictComputeFastQKey |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756528 |
||||
It was possible to hit a negative offset in the name indexing |
||||
used to randomize the dictionary key generation |
||||
Reported and fix provided by David Drysdale @ Google |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
dict.c | 5 ++++- |
||||
1 file changed, 4 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/dict.c b/dict.c |
||||
index 5f71d55..8c8f931 100644 |
||||
--- a/dict.c |
||||
+++ b/dict.c |
||||
@@ -486,7 +486,10 @@ xmlDictComputeFastQKey(const xmlChar *prefix, int plen, |
||||
value += 30 * (*prefix); |
||||
|
||||
if (len > 10) { |
||||
- value += name[len - (plen + 1 + 1)]; |
||||
+ int offset = len - (plen + 1 + 1); |
||||
+ if (offset < 0) |
||||
+ offset = len - (10 + 1); |
||||
+ value += name[offset]; |
||||
len = 10; |
||||
if (plen > 10) |
||||
plen = 10; |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,108 @@
@@ -0,0 +1,108 @@
|
||||
From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 16:06:59 +0800 |
||||
Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect |
||||
entities boundaries |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756525 |
||||
handle properly the case where we popped out of the current entity |
||||
while processing a start tag |
||||
Reported by Kostya Serebryany @ Google |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 28 ++++++++++++++++++++++------ |
||||
1 file changed, 22 insertions(+), 6 deletions(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index cc45e17..f4fc310 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref, |
||||
const xmlChar **atts = ctxt->atts; |
||||
int maxatts = ctxt->maxatts; |
||||
int nratts, nbatts, nbdef; |
||||
- int i, j, nbNs, attval, oldline, oldcol; |
||||
+ int i, j, nbNs, attval, oldline, oldcol, inputNr; |
||||
const xmlChar *base; |
||||
unsigned long cur; |
||||
int nsNr = ctxt->nsNr; |
||||
@@ -9328,6 +9328,7 @@ reparse: |
||||
SHRINK; |
||||
base = ctxt->input->base; |
||||
cur = ctxt->input->cur - ctxt->input->base; |
||||
+ inputNr = ctxt->inputNr; |
||||
oldline = ctxt->input->line; |
||||
oldcol = ctxt->input->col; |
||||
nbatts = 0; |
||||
@@ -9353,7 +9354,8 @@ reparse: |
||||
*/ |
||||
SKIP_BLANKS; |
||||
GROW; |
||||
- if (ctxt->input->base != base) goto base_changed; |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
+ goto base_changed; |
||||
|
||||
while (((RAW != '>') && |
||||
((RAW != '/') || (NXT(1) != '>')) && |
||||
@@ -9364,7 +9366,7 @@ reparse: |
||||
|
||||
attname = xmlParseAttribute2(ctxt, prefix, localname, |
||||
&aprefix, &attvalue, &len, &alloc); |
||||
- if (ctxt->input->base != base) { |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) { |
||||
if ((attvalue != NULL) && (alloc != 0)) |
||||
xmlFree(attvalue); |
||||
attvalue = NULL; |
||||
@@ -9493,7 +9495,8 @@ skip_default_ns: |
||||
skip_ns: |
||||
if (alloc != 0) xmlFree(attvalue); |
||||
SKIP_BLANKS; |
||||
- if (ctxt->input->base != base) goto base_changed; |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
+ goto base_changed; |
||||
continue; |
||||
} |
||||
|
||||
@@ -9530,7 +9533,8 @@ failed: |
||||
GROW |
||||
if (ctxt->instate == XML_PARSER_EOF) |
||||
break; |
||||
- if (ctxt->input->base != base) goto base_changed; |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
+ goto base_changed; |
||||
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) |
||||
break; |
||||
if (!IS_BLANK_CH(RAW)) { |
||||
@@ -9546,7 +9550,8 @@ failed: |
||||
break; |
||||
} |
||||
GROW; |
||||
- if (ctxt->input->base != base) goto base_changed; |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
+ goto base_changed; |
||||
} |
||||
|
||||
/* |
||||
@@ -9713,6 +9718,17 @@ base_changed: |
||||
if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL)) |
||||
xmlFree((xmlChar *) atts[i]); |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * We can't switch from one entity to another in the middle |
||||
+ * of a start tag |
||||
+ */ |
||||
+ if (inputNr != ctxt->inputNr) { |
||||
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, |
||||
+ "Start tag doesn't start and stop in the same entity\n"); |
||||
+ return(NULL); |
||||
+ } |
||||
+ |
||||
ctxt->input->cur = ctxt->input->base + cur; |
||||
ctxt->input->line = oldline; |
||||
ctxt->input->col = oldcol; |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,45 @@
@@ -0,0 +1,45 @@
|
||||
From ebf48b59943833b5f57e909e5d00f0d6e75e874e Mon Sep 17 00:00:00 2001 |
||||
From: Hugh Davenport <hugh@allthethings.co.nz> |
||||
Date: Fri, 20 Nov 2015 17:16:06 +0800 |
||||
Subject: [PATCH] CVE-2015-8242 Buffer overead with HTML parser in push mode |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=756372 |
||||
Error in the code pointing to the codepoint in the stack for the |
||||
current char value instead of the pointer in the input that the SAX |
||||
callback expects |
||||
Reported and fixed by Hugh Davenport |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
HTMLparser.c | 6 +++--- |
||||
1 file changed, 3 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/HTMLparser.c b/HTMLparser.c |
||||
index cab499a..4331d53 100644 |
||||
--- a/HTMLparser.c |
||||
+++ b/HTMLparser.c |
||||
@@ -5708,17 +5708,17 @@ htmlParseTryOrFinish(htmlParserCtxtPtr ctxt, int terminate) { |
||||
if (ctxt->keepBlanks) { |
||||
if (ctxt->sax->characters != NULL) |
||||
ctxt->sax->characters( |
||||
- ctxt->userData, &cur, 1); |
||||
+ ctxt->userData, &in->cur[0], 1); |
||||
} else { |
||||
if (ctxt->sax->ignorableWhitespace != NULL) |
||||
ctxt->sax->ignorableWhitespace( |
||||
- ctxt->userData, &cur, 1); |
||||
+ ctxt->userData, &in->cur[0], 1); |
||||
} |
||||
} else { |
||||
htmlCheckParagraph(ctxt); |
||||
if (ctxt->sax->characters != NULL) |
||||
ctxt->sax->characters( |
||||
- ctxt->userData, &cur, 1); |
||||
+ ctxt->userData, &in->cur[0], 1); |
||||
} |
||||
} |
||||
ctxt->token = 0; |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,52 @@
@@ -0,0 +1,52 @@
|
||||
From 5b47a2c6666f0293a5164f094b9e8031914b1f8f Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 23 Feb 2015 11:29:20 +0800 |
||||
Subject: [PATCH] Cleanup conditional section error handling |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980 |
||||
|
||||
The error handling of Conditional Section also need to be |
||||
straightened as the structure of the document can't be |
||||
guessed on a failure there and it's better to stop parsing |
||||
as further errors are likely to be irrelevant. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 6 ++++++ |
||||
1 file changed, 6 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index d790f8e..dc14e5c 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6761,6 +6761,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
SKIP_BLANKS; |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
+ xmlStopParser(ctxt); |
||||
+ return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, |
||||
@@ -6821,6 +6823,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
SKIP_BLANKS; |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
+ xmlStopParser(ctxt); |
||||
+ return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, |
||||
@@ -6876,6 +6880,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
|
||||
} else { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); |
||||
+ xmlStopParser(ctxt); |
||||
+ return; |
||||
} |
||||
|
||||
if (RAW == 0) |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,39 @@
@@ -0,0 +1,39 @@
|
||||
From dfc5aae623e97336323e59a94450f1a708eb7c0c Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 15:04:09 +0800 |
||||
Subject: [PATCH] Detect incoherency on GROW |
||||
To: libvir-list@redhat.com |
||||
|
||||
the current pointer to the input has to be between the base and end |
||||
if not stop everything we have an internal state error. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 9 ++++++++- |
||||
1 file changed, 8 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 9aed98d..7602498 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2072,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { |
||||
((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) && |
||||
((ctxt->options & XML_PARSE_HUGE) == 0)) { |
||||
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
+ return; |
||||
} |
||||
xmlParserInputGrow(ctxt->input, INPUT_CHUNK); |
||||
+ if ((ctxt->input->cur > ctxt->input->end) || |
||||
+ (ctxt->input->cur < ctxt->input->base)) { |
||||
+ xmlHaltParser(ctxt); |
||||
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound"); |
||||
+ return; |
||||
+ } |
||||
if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) && |
||||
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0)) |
||||
xmlPopInput(ctxt); |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,34 @@
@@ -0,0 +1,34 @@
|
||||
commit 84b04b03bd6d31316fd5f0ad1c9cd31952671998 |
||||
Author: Daniel Veillard <veillard@redhat.com> |
||||
Date: Tue Apr 22 15:30:56 2014 +0800 |
||||
|
||||
Do not fetch external parameter entities |
||||
|
||||
Unless explicitely asked for when validating or replacing entities |
||||
with their value. Problem pointed out by Daniel Berrange <berrange@redhat.com> |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 3c72cbb..32f1475 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2622,6 +2622,20 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { |
||||
xmlCharEncoding enc; |
||||
|
||||
/* |
||||
+ * Note: external parsed entities will not be loaded, it is |
||||
+ * not required for a non-validating parser, unless the |
||||
+ * option of validating, or substituting entities were |
||||
+ * given. Doing so is far more secure as the parser will |
||||
+ * only process data coming from the document entity by |
||||
+ * default. |
||||
+ */ |
||||
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && |
||||
+ ((ctxt->options & XML_PARSE_NOENT) == 0) && |
||||
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) && |
||||
+ (ctxt->validate == 0)) |
||||
+ return; |
||||
+ |
||||
+ /* |
||||
* handle the extra spaces added before and after |
||||
* c.f. http://www.w3.org/TR/REC-xml#as-PE |
||||
* this is done independently. |
||||
@ -0,0 +1,31 @@
@@ -0,0 +1,31 @@
|
||||
From c5031779667ff362d670e34a42e9bc4f5a430793 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 15:01:22 +0800 |
||||
Subject: [PATCH] Do not print error context when there is none |
||||
To: libvir-list@redhat.com |
||||
|
||||
Which now happens more frequently du to xmlHaltParser use |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
error.c | 4 +++- |
||||
1 file changed, 3 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/error.c b/error.c |
||||
index cbcf5c9..9c45040 100644 |
||||
--- a/error.c |
||||
+++ b/error.c |
||||
@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input , |
||||
xmlChar content[81]; /* space for 80 chars + line terminator */ |
||||
xmlChar *ctnt; |
||||
|
||||
- if (input == NULL) return; |
||||
+ if ((input == NULL) || (input->cur == NULL) || |
||||
+ (*input->cur == 0)) return; |
||||
+ |
||||
cur = input->cur; |
||||
base = input->base; |
||||
/* skip backwards over any end-of-lines */ |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,38 @@
@@ -0,0 +1,38 @@
|
||||
From c171a25d614097e53ab84f64639de4dfbc197613 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 29 Jun 2015 16:10:26 +0800 |
||||
Subject: [PATCH] Fail parsing early on if encoding conversion failed |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=751631 |
||||
|
||||
If we fail conversing the current input stream while |
||||
processing the encoding declaration of the XMLDecl |
||||
then it's safer to just abort there and not try to |
||||
report further errors. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 6 +++++- |
||||
1 file changed, 5 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index dc14e5c..e2e0ad8 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -10415,7 +10415,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { |
||||
|
||||
handler = xmlFindCharEncodingHandler((const char *) encoding); |
||||
if (handler != NULL) { |
||||
- xmlSwitchToEncoding(ctxt, handler); |
||||
+ if (xmlSwitchToEncoding(ctxt, handler) < 0) { |
||||
+ /* failed to convert */ |
||||
+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; |
||||
+ return(NULL); |
||||
+ } |
||||
} else { |
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, |
||||
"Unsupported encoding %s\n", encoding); |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,129 @@
@@ -0,0 +1,129 @@
|
||||
From 268e6a3d615a14c6f6f1e8cf3d8c1e5c42ad1b41 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 10 May 2013 14:01:46 +0800 |
||||
Subject: [PATCH] Fix a regression in xmlGetDocCompressMode() |
||||
To: libvir-list@redhat.com |
||||
|
||||
The switch to xzlib had for consequence that the compression |
||||
level of the input was not gathered anymore in ctxt->input->buf, |
||||
then the parser compression flags was left to -1 and propagated |
||||
to the resulting document. |
||||
Fix the I/O layer to get compression detection in xzlib, |
||||
then carry it in the input buffer and the resulting document |
||||
|
||||
This should fix |
||||
https://lsbbugs.linuxfoundation.org/show_bug.cgi?id=3456 |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 4 ++++ |
||||
xmlIO.c | 17 +++++++++++++++++ |
||||
xzlib.c | 25 +++++++++++++++++++++++++ |
||||
xzlib.h | 1 + |
||||
4 files changed, 47 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index ee429f3..f30588c 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -10681,6 +10681,10 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) { |
||||
ctxt->sax->startDocument(ctxt->userData); |
||||
if (ctxt->instate == XML_PARSER_EOF) |
||||
return(-1); |
||||
+ if ((ctxt->myDoc != NULL) && (ctxt->input != NULL) && |
||||
+ (ctxt->input->buf != NULL) && (ctxt->input->buf->compressed >= 0)) { |
||||
+ ctxt->myDoc->compression = ctxt->input->buf->compressed; |
||||
+ } |
||||
|
||||
/* |
||||
* The Misc part of the Prolog |
||||
diff --git a/xmlIO.c b/xmlIO.c |
||||
index 847cb7e..fc4e111 100644 |
||||
--- a/xmlIO.c |
||||
+++ b/xmlIO.c |
||||
@@ -2669,6 +2669,12 @@ __xmlParserInputBufferCreateFilename(const char *URI, xmlCharEncoding enc) { |
||||
#endif |
||||
} |
||||
#endif |
||||
+#ifdef HAVE_LZMA_H |
||||
+ if ((xmlInputCallbackTable[i].opencallback == xmlXzfileOpen) && |
||||
+ (strcmp(URI, "-") != 0)) { |
||||
+ ret->compressed = __libxml2_xzcompressed(context); |
||||
+ } |
||||
+#endif |
||||
} |
||||
else |
||||
xmlInputCallbackTable[i].closecallback (context); |
||||
@@ -3325,6 +3331,17 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { |
||||
if (res < 0) { |
||||
return(-1); |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * try to establish compressed status of input if not done already |
||||
+ */ |
||||
+ if (in->compressed == -1) { |
||||
+#ifdef HAVE_LZMA_H |
||||
+ if (in->readcallback == xmlXzfileRead) |
||||
+ in->compressed = __libxml2_xzcompressed(in->context); |
||||
+#endif |
||||
+ } |
||||
+ |
||||
len = res; |
||||
if (in->encoder != NULL) { |
||||
unsigned int use; |
||||
diff --git a/xzlib.c b/xzlib.c |
||||
index 928bd17..150e803 100644 |
||||
--- a/xzlib.c |
||||
+++ b/xzlib.c |
||||
@@ -182,12 +182,37 @@ xz_open(const char *path, int fd, const char *mode ATTRIBUTE_UNUSED) |
||||
return (xzFile) state; |
||||
} |
||||
|
||||
+static int |
||||
+xz_compressed(xzFile f) { |
||||
+ xz_statep state; |
||||
+ |
||||
+ if (f == NULL) |
||||
+ return(-1); |
||||
+ state = (xz_statep) f; |
||||
+ if (state->init <= 0) |
||||
+ return(-1); |
||||
+ |
||||
+ switch (state->how) { |
||||
+ case COPY: |
||||
+ return(0); |
||||
+ case GZIP: |
||||
+ case LZMA: |
||||
+ return(1); |
||||
+ } |
||||
+ return(-1); |
||||
+} |
||||
+ |
||||
xzFile |
||||
__libxml2_xzopen(const char *path, const char *mode) |
||||
{ |
||||
return xz_open(path, -1, mode); |
||||
} |
||||
|
||||
+int |
||||
+__libxml2_xzcompressed(xzFile f) { |
||||
+ return xz_compressed(f); |
||||
+} |
||||
+ |
||||
xzFile |
||||
__libxml2_xzdopen(int fd, const char *mode) |
||||
{ |
||||
diff --git a/xzlib.h b/xzlib.h |
||||
index 43c75e1..29ba55e 100644 |
||||
--- a/xzlib.h |
||||
+++ b/xzlib.h |
||||
@@ -15,4 +15,5 @@ xzFile __libxml2_xzopen(const char *path, const char *mode); |
||||
xzFile __libxml2_xzdopen(int fd, const char *mode); |
||||
int __libxml2_xzread(xzFile file, void *buf, unsigned len); |
||||
int __libxml2_xzclose(xzFile file); |
||||
+int __libxml2_xzcompressed(xzFile f); |
||||
#endif /* LIBXML2_XZLIB_H */ |
||||
-- |
||||
1.8.3.1 |
||||
|
||||
@ -0,0 +1,31 @@
@@ -0,0 +1,31 @@
|
||||
From 519455f1d543b1aa8f560dac03ec4127dfbab038 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Tue, 27 Oct 2015 10:53:44 +0800 |
||||
Subject: [PATCH] Fix an error in previous Conditional section patch |
||||
To: libvir-list@redhat.com |
||||
|
||||
an off by one mistake in the change, led to error on correct |
||||
document where the end of the included entity was exactly |
||||
the end of the conditional section, leading to regtest failure |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 4926ab0..b56d94c 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6896,7 +6896,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
NULL, NULL); |
||||
} |
||||
if ((ctxt-> instate != XML_PARSER_EOF) && |
||||
- ((ctxt->input->cur + 3) < ctxt->input->end)) |
||||
+ ((ctxt->input->cur + 3) <= ctxt->input->end)) |
||||
SKIP(3); |
||||
} |
||||
} |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,47 @@
@@ -0,0 +1,47 @@
|
||||
From be24335cbc0019894e6222bd817e717c41550c3c Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 14 Mar 2016 17:19:44 +0800 |
||||
Subject: [PATCH] Fix inappropriate fetch of entities content |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=761430 |
||||
|
||||
libfuzzer regression testing exposed another case where the parser would |
||||
fetch content of an external entity while not in validating mode. |
||||
Plug that hole |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 16 +++++++++++++++- |
||||
1 file changed, 15 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 46ab0e8..1936599 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2854,7 +2854,21 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, |
||||
ctxt->nbentities += ent->checked / 2; |
||||
if (ent != NULL) { |
||||
if (ent->content == NULL) { |
||||
- xmlLoadEntityContent(ctxt, ent); |
||||
+ /* |
||||
+ * Note: external parsed entities will not be loaded, |
||||
+ * it is not required for a non-validating parser to |
||||
+ * complete external PEreferences coming from the |
||||
+ * internal subset |
||||
+ */ |
||||
+ if (((ctxt->options & XML_PARSE_NOENT) != 0) || |
||||
+ ((ctxt->options & XML_PARSE_DTDVALID) != 0) || |
||||
+ (ctxt->validate != 0)) { |
||||
+ xmlLoadEntityContent(ctxt, ent); |
||||
+ } else { |
||||
+ xmlWarningMsg(ctxt, XML_ERR_ENTITY_PROCESSING, |
||||
+ "not validating will not read content for PE entity %s\n", |
||||
+ ent->name, NULL); |
||||
+ } |
||||
} |
||||
ctxt->depth++; |
||||
rep = xmlStringDecodeEntities(ctxt, ent->content, what, |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
commit 27a93eff49526aacd34192258c19ff5d69d18c00 |
||||
Author: Daniel Veillard <veillard@redhat.com> |
||||
Date: Thu Oct 23 11:35:36 2014 +0800 |
||||
|
||||
Fix missing entities after CVE-2014-3660 fix |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=738805 |
||||
|
||||
The fix for CVE-2014-3660 introduced a regression in some case |
||||
where entity substitution is required and the entity is used |
||||
first in anotther entity referenced from an attribute value |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index b58c2f0..f70d2b5 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -7226,7 +7226,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { |
||||
* far more secure as the parser will only process data coming from |
||||
* the document entity by default. |
||||
*/ |
||||
- if ((ent->checked == 0) && |
||||
+ if (((ent->checked == 0) || |
||||
+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && |
||||
((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || |
||||
(ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { |
||||
unsigned long oldnbent = ctxt->nbentities; |
||||
@ -0,0 +1,68 @@
@@ -0,0 +1,68 @@
|
||||
From 466ef17b8cf8d68393f3a56cda8e7a5504aacf98 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 30 Oct 2015 21:14:55 +0800 |
||||
Subject: [PATCH] Fix parsing short unclosed comment uninitialized access |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=746048 |
||||
The HTML parser was too optimistic when processing comments and |
||||
didn't check for the end of the stream on the first 2 characters |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
HTMLparser.c | 21 ++++++++++++++------- |
||||
1 file changed, 14 insertions(+), 7 deletions(-) |
||||
|
||||
diff --git a/HTMLparser.c b/HTMLparser.c |
||||
index dd0c1ea..cab499a 100644 |
||||
--- a/HTMLparser.c |
||||
+++ b/HTMLparser.c |
||||
@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { |
||||
ctxt->instate = state; |
||||
return; |
||||
} |
||||
+ len = 0; |
||||
+ buf[len] = 0; |
||||
q = CUR_CHAR(ql); |
||||
+ if (!IS_CHAR(q)) |
||||
+ goto unfinished; |
||||
NEXTL(ql); |
||||
r = CUR_CHAR(rl); |
||||
+ if (!IS_CHAR(r)) |
||||
+ goto unfinished; |
||||
NEXTL(rl); |
||||
cur = CUR_CHAR(l); |
||||
- len = 0; |
||||
while (IS_CHAR(cur) && |
||||
((cur != '>') || |
||||
(r != '-') || (q != '-'))) { |
||||
@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { |
||||
} |
||||
} |
||||
buf[len] = 0; |
||||
- if (!IS_CHAR(cur)) { |
||||
- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, |
||||
- "Comment not terminated \n<!--%.50s\n", buf, NULL); |
||||
- xmlFree(buf); |
||||
- } else { |
||||
+ if (IS_CHAR(cur)) { |
||||
NEXT; |
||||
if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) && |
||||
(!ctxt->disableSAX)) |
||||
ctxt->sax->comment(ctxt->userData, buf); |
||||
xmlFree(buf); |
||||
+ ctxt->instate = state; |
||||
+ return; |
||||
} |
||||
- ctxt->instate = state; |
||||
+ |
||||
+unfinished: |
||||
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, |
||||
+ "Comment not terminated \n<!--%.50s\n", buf, NULL); |
||||
+ xmlFree(buf); |
||||
} |
||||
|
||||
/** |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,57 @@
@@ -0,0 +1,57 @@
|
||||
commit 41b0d17368565b56677455be61b2c892bd665a27 |
||||
Author: Daniel Veillard <veillard@redhat.com> |
||||
Date: Wed Jun 11 16:54:32 2014 +0800 |
||||
|
||||
Fix regressions introduced by CVE-2014-0191 patch |
||||
|
||||
A number of issues have been raised after the fix, and this patch |
||||
tries to correct all of them, though most were related to |
||||
postvalidation. |
||||
https://bugzilla.gnome.org/show_bug.cgi?id=730290 |
||||
and other reports on list, off-list and on Red Hat bugzilla |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 32f1475..b58c2f0 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2622,8 +2622,8 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { |
||||
xmlCharEncoding enc; |
||||
|
||||
/* |
||||
- * Note: external parsed entities will not be loaded, it is |
||||
- * not required for a non-validating parser, unless the |
||||
+ * Note: external parameter entities will not be loaded, it |
||||
+ * is not required for a non-validating parser, unless the |
||||
* option of validating, or substituting entities were |
||||
* given. Doing so is far more secure as the parser will |
||||
* only process data coming from the document entity by |
||||
@@ -2632,6 +2632,9 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) { |
||||
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && |
||||
((ctxt->options & XML_PARSE_NOENT) == 0) && |
||||
((ctxt->options & XML_PARSE_DTDVALID) == 0) && |
||||
+ ((ctxt->options & XML_PARSE_DTDLOAD) == 0) && |
||||
+ ((ctxt->options & XML_PARSE_DTDATTR) == 0) && |
||||
+ (ctxt->replaceEntities == 0) && |
||||
(ctxt->validate == 0)) |
||||
return; |
||||
|
||||
@@ -12643,6 +12646,9 @@ xmlIOParseDTD(xmlSAXHandlerPtr sax, xmlParserInputBufferPtr input, |
||||
return(NULL); |
||||
} |
||||
|
||||
+ /* We are loading a DTD */ |
||||
+ ctxt->options |= XML_PARSE_DTDLOAD; |
||||
+ |
||||
/* |
||||
* Set-up the SAX context |
||||
*/ |
||||
@@ -12770,6 +12776,9 @@ xmlSAXParseDTD(xmlSAXHandlerPtr sax, const xmlChar *ExternalID, |
||||
return(NULL); |
||||
} |
||||
|
||||
+ /* We are loading a DTD */ |
||||
+ ctxt->options |= XML_PARSE_DTDLOAD; |
||||
+ |
||||
/* |
||||
* Set-up the SAX context |
||||
*/ |
||||
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
From 6dfc7fd442351269c421a525d91506e43e18208e Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 15:06:02 +0800 |
||||
Subject: [PATCH] Fix some loop issues embedding NEXT |
||||
To: libvir-list@redhat.com |
||||
|
||||
Next can switch the parser back to XML_PARSER_EOF state, we |
||||
need to consider those in loops consuming input |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 6 ++++-- |
||||
1 file changed, 4 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 7602498..cc45e17 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -2155,7 +2155,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { |
||||
int cur; |
||||
do { |
||||
cur = CUR; |
||||
- while (IS_BLANK_CH(cur)) { /* CHECKED tstblanks.xml */ |
||||
+ while ((IS_BLANK_CH(cur) && /* CHECKED tstblanks.xml */ |
||||
+ (ctxt->instate != XML_PARSER_EOF))) { |
||||
NEXT; |
||||
cur = CUR; |
||||
res++; |
||||
@@ -2169,7 +2170,8 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { |
||||
* Need to handle support of entities branching here |
||||
*/ |
||||
if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); |
||||
- } while (IS_BLANK(cur)); /* CHECKED tstblanks.xml */ |
||||
+ } while ((IS_BLANK(cur)) && /* CHECKED tstblanks.xml */ |
||||
+ (ctxt->instate != XML_PARSER_EOF)); |
||||
} |
||||
return(res); |
||||
} |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,24 @@
@@ -0,0 +1,24 @@
|
||||
commit 498a54c26abd0fbd6f7d02b6b6f0275b4390d821 |
||||
Author: Daniel Veillard <veillard@redhat.com> |
||||
Date: Tue Feb 9 12:55:29 2016 +0100 |
||||
|
||||
Heap-based buffer overread in xmlNextChar |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=759671 |
||||
|
||||
when the end of the internal subset isn't properly detected |
||||
xmlParseInternalSubset should just return instead of trying |
||||
to process input further. |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index f4fc310..b1215ca 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -8448,6 +8448,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) { |
||||
*/ |
||||
if (RAW != '>') { |
||||
xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL); |
||||
+ return; |
||||
} |
||||
NEXT; |
||||
} |
||||
@ -0,0 +1,119 @@
@@ -0,0 +1,119 @@
|
||||
From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001 |
||||
From: David Kilzer <ddkilzer@apple.com> |
||||
Date: Tue, 26 Jan 2016 16:57:03 -0800 |
||||
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=759573 |
||||
|
||||
* parser.c: |
||||
(xmlParseElementDecl): Return early on invalid input to fix |
||||
non-minimized test case (759573-2.xml). Otherwise the parser |
||||
gets into a bad state in SKIP(3) at the end of the function. |
||||
(xmlParseConditionalSections): Halt parsing when hitting invalid |
||||
input that would otherwise caused xmlParserHandlePEReference() |
||||
to recurse unexpectedly. This fixes the minimized test case |
||||
(759573.xml). |
||||
|
||||
* result/errors/759573-2.xml: Add. |
||||
* result/errors/759573-2.xml.err: Add. |
||||
* result/errors/759573-2.xml.str: Add. |
||||
* result/errors/759573.xml: Add. |
||||
* result/errors/759573.xml.err: Add. |
||||
* result/errors/759573.xml.str: Add. |
||||
* test/errors/759573-2.xml: Add. |
||||
* test/errors/759573.xml: Add. |
||||
|
||||
Had to fixup by removing test 759573-2 |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 2 ++ |
||||
result/errors/759573.xml | 0 |
||||
result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++ |
||||
result/errors/759573.xml.str | 4 ++++ |
||||
test/errors/759573.xml | 1 + |
||||
5 files changed, 38 insertions(+) |
||||
create mode 100644 result/errors/759573.xml |
||||
create mode 100644 result/errors/759573.xml.err |
||||
create mode 100644 result/errors/759573.xml.str |
||||
create mode 100644 test/errors/759573.xml |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 133df95..0accf54 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) { |
||||
if (!IS_BLANK_CH(CUR)) { |
||||
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, |
||||
"Space required after 'ELEMENT'\n"); |
||||
+ return(-1); |
||||
} |
||||
SKIP_BLANKS; |
||||
name = xmlParseName(ctxt); |
||||
@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
|
||||
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { |
||||
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); |
||||
+ xmlHaltParser(ctxt); |
||||
break; |
||||
} |
||||
} |
||||
diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err |
||||
new file mode 100644 |
||||
index 0000000..2c21e9a |
||||
--- /dev/null |
||||
+++ b/result/errors/759573.xml.err |
||||
@@ -0,0 +1,31 @@ |
||||
+./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY' |
||||
+ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITY |
||||
+ ^ |
||||
+./test/errors/759573.xml:1: parser error : Space required after the entity name |
||||
+LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz |
||||
+ ^ |
||||
+./test/errors/759573.xml:1: parser error : Entity value required |
||||
+LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz |
||||
+ ^ |
||||
+Entity: line 1: parser error : PEReference: no name |
||||
+ %xx; |
||||
+ ^ |
||||
+Entity: line 1: |
||||
+%<![INCLUDE[000%ஸ000%z; |
||||
+ ^ |
||||
+Entity: line 1: parser error : Content error in the external subset |
||||
+ %xx; |
||||
+ ^ |
||||
+Entity: line 1: |
||||
+%<![INCLUDE[000%ஸ000%z; |
||||
+ ^ |
||||
+./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration |
||||
+ |
||||
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
||||
+ ^ |
||||
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated |
||||
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
||||
+ ^ |
||||
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found |
||||
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
||||
+ ^ |
||||
diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str |
||||
new file mode 100644 |
||||
index 0000000..1b6addb |
||||
--- /dev/null |
||||
+++ b/result/errors/759573.xml.str |
||||
@@ -0,0 +1,4 @@ |
||||
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document |
||||
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 |
||||
+ ^ |
||||
+./test/errors/759573.xml : failed to parse |
||||
diff --git a/test/errors/759573.xml b/test/errors/759573.xml |
||||
new file mode 100644 |
||||
index 0000000..69ebb57 |
||||
--- /dev/null |
||||
+++ b/test/errors/759573.xml |
||||
@@ -0,0 +1 @@ |
||||
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
||||
\ No newline at end of file |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,143 @@
@@ -0,0 +1,143 @@
|
||||
From 7012970b0d005f440e8326e37844a834f67a8c64 Mon Sep 17 00:00:00 2001 |
||||
From: Pranjal Jumde <pjumde@apple.com> |
||||
Date: Wed, 2 Mar 2016 15:52:24 -0800 |
||||
Subject: [PATCH] Heap use-after-free in htmlParsePubidLiteral and |
||||
htmlParseSystemiteral |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=760263 |
||||
|
||||
* HTMLparser.c: Add BASE_PTR convenience macro. |
||||
(htmlParseSystemLiteral): Store length and start position instead |
||||
of a pointer while iterating through the public identifier since |
||||
the underlying buffer may change, resulting in a stale pointer |
||||
being used. |
||||
(htmlParsePubidLiteral): Ditto. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
HTMLparser.c | 58 +++++++++++++++++++++++++++++++++++++++++++--------------- |
||||
1 file changed, 43 insertions(+), 15 deletions(-) |
||||
|
||||
diff --git a/HTMLparser.c b/HTMLparser.c |
||||
index a897cb0..e7d802d 100644 |
||||
--- a/HTMLparser.c |
||||
+++ b/HTMLparser.c |
||||
@@ -303,6 +303,7 @@ htmlNodeInfoPop(htmlParserCtxtPtr ctxt) |
||||
#define UPP(val) (toupper(ctxt->input->cur[(val)])) |
||||
|
||||
#define CUR_PTR ctxt->input->cur |
||||
+#define BASE_PTR ctxt->input->base |
||||
|
||||
#define SHRINK if ((ctxt->input->cur - ctxt->input->base > 2 * INPUT_CHUNK) && \ |
||||
(ctxt->input->end - ctxt->input->cur < 2 * INPUT_CHUNK)) \ |
||||
@@ -2773,31 +2774,43 @@ htmlParseAttValue(htmlParserCtxtPtr ctxt) { |
||||
|
||||
static xmlChar * |
||||
htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { |
||||
- const xmlChar *q; |
||||
+ size_t len = 0, startPosition = 0; |
||||
xmlChar *ret = NULL; |
||||
|
||||
if (CUR == '"') { |
||||
NEXT; |
||||
- q = CUR_PTR; |
||||
- while ((IS_CHAR_CH(CUR)) && (CUR != '"')) |
||||
+ |
||||
+ if (CUR_PTR < BASE_PTR) |
||||
+ return(ret); |
||||
+ startPosition = CUR_PTR - BASE_PTR; |
||||
+ |
||||
+ while ((IS_CHAR_CH(CUR)) && (CUR != '"')) { |
||||
NEXT; |
||||
+ len++; |
||||
+ } |
||||
if (!IS_CHAR_CH(CUR)) { |
||||
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, |
||||
"Unfinished SystemLiteral\n", NULL, NULL); |
||||
} else { |
||||
- ret = xmlStrndup(q, CUR_PTR - q); |
||||
+ ret = xmlStrndup((BASE_PTR+startPosition), len); |
||||
NEXT; |
||||
} |
||||
} else if (CUR == '\'') { |
||||
NEXT; |
||||
- q = CUR_PTR; |
||||
- while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) |
||||
+ |
||||
+ if (CUR_PTR < BASE_PTR) |
||||
+ return(ret); |
||||
+ startPosition = CUR_PTR - BASE_PTR; |
||||
+ |
||||
+ while ((IS_CHAR_CH(CUR)) && (CUR != '\'')) { |
||||
NEXT; |
||||
+ len++; |
||||
+ } |
||||
if (!IS_CHAR_CH(CUR)) { |
||||
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, |
||||
"Unfinished SystemLiteral\n", NULL, NULL); |
||||
} else { |
||||
- ret = xmlStrndup(q, CUR_PTR - q); |
||||
+ ret = xmlStrndup((BASE_PTR+startPosition), len); |
||||
NEXT; |
||||
} |
||||
} else { |
||||
@@ -2821,32 +2834,47 @@ htmlParseSystemLiteral(htmlParserCtxtPtr ctxt) { |
||||
|
||||
static xmlChar * |
||||
htmlParsePubidLiteral(htmlParserCtxtPtr ctxt) { |
||||
- const xmlChar *q; |
||||
+ size_t len = 0, startPosition = 0; |
||||
xmlChar *ret = NULL; |
||||
/* |
||||
* Name ::= (Letter | '_') (NameChar)* |
||||
*/ |
||||
if (CUR == '"') { |
||||
NEXT; |
||||
- q = CUR_PTR; |
||||
- while (IS_PUBIDCHAR_CH(CUR)) NEXT; |
||||
+ |
||||
+ if (CUR_PTR < BASE_PTR) |
||||
+ return(ret); |
||||
+ startPosition = CUR_PTR - BASE_PTR; |
||||
+ |
||||
+ while (IS_PUBIDCHAR_CH(CUR)) { |
||||
+ len++; |
||||
+ NEXT; |
||||
+ } |
||||
+ |
||||
if (CUR != '"') { |
||||
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, |
||||
"Unfinished PubidLiteral\n", NULL, NULL); |
||||
} else { |
||||
- ret = xmlStrndup(q, CUR_PTR - q); |
||||
+ ret = xmlStrndup((BASE_PTR + startPosition), len); |
||||
NEXT; |
||||
} |
||||
} else if (CUR == '\'') { |
||||
NEXT; |
||||
- q = CUR_PTR; |
||||
- while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')) |
||||
- NEXT; |
||||
+ |
||||
+ if (CUR_PTR < BASE_PTR) |
||||
+ return(ret); |
||||
+ startPosition = CUR_PTR - BASE_PTR; |
||||
+ |
||||
+ while ((IS_PUBIDCHAR_CH(CUR)) && (CUR != '\'')){ |
||||
+ len++; |
||||
+ NEXT; |
||||
+ } |
||||
+ |
||||
if (CUR != '\'') { |
||||
htmlParseErr(ctxt, XML_ERR_LITERAL_NOT_FINISHED, |
||||
"Unfinished PubidLiteral\n", NULL, NULL); |
||||
} else { |
||||
- ret = xmlStrndup(q, CUR_PTR - q); |
||||
+ ret = xmlStrndup((BASE_PTR + startPosition), len); |
||||
NEXT; |
||||
} |
||||
} else { |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,156 @@
@@ -0,0 +1,156 @@
|
||||
From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001 |
||||
From: Pranjal Jumde <pjumde@apple.com> |
||||
Date: Mon, 7 Mar 2016 14:04:08 -0800 |
||||
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=759020 |
||||
|
||||
* parser.c: |
||||
(xmlParseStartTag2): Attribute strings are only valid if the |
||||
base does not change, so add another check where the base may |
||||
change. Make sure to set 'attvalue' to NULL after freeing it. |
||||
* result/errors/759020.xml: Added. |
||||
* result/errors/759020.xml.err: Added. |
||||
* result/errors/759020.xml.str: Added. |
||||
* test/errors/759020.xml: Added test case. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 26 +++++++++++++++++++++++-- |
||||
result/errors/759020.xml | 0 |
||||
result/errors/759020.xml.err | 6 ++++++ |
||||
result/errors/759020.xml.str | 7 +++++++ |
||||
test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++ |
||||
5 files changed, 83 insertions(+), 2 deletions(-) |
||||
create mode 100644 result/errors/759020.xml |
||||
create mode 100644 result/errors/759020.xml.err |
||||
create mode 100644 result/errors/759020.xml.str |
||||
create mode 100644 test/errors/759020.xml |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 1936599..133df95 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -9438,8 +9438,20 @@ reparse: |
||||
else |
||||
if (nsPush(ctxt, NULL, URL) > 0) nbNs++; |
||||
skip_default_ns: |
||||
- if (alloc != 0) xmlFree(attvalue); |
||||
+ if ((attvalue != NULL) && (alloc != 0)) { |
||||
+ xmlFree(attvalue); |
||||
+ attvalue = NULL; |
||||
+ } |
||||
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) |
||||
+ break; |
||||
+ if (!IS_BLANK_CH(RAW)) { |
||||
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, |
||||
+ "attributes construct error\n"); |
||||
+ break; |
||||
+ } |
||||
SKIP_BLANKS; |
||||
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
+ goto base_changed; |
||||
continue; |
||||
} |
||||
if (aprefix == ctxt->str_xmlns) { |
||||
@@ -9511,7 +9523,17 @@ skip_default_ns: |
||||
else |
||||
if (nsPush(ctxt, attname, URL) > 0) nbNs++; |
||||
skip_ns: |
||||
- if (alloc != 0) xmlFree(attvalue); |
||||
+ if ((attvalue != NULL) && (alloc != 0)) { |
||||
+ xmlFree(attvalue); |
||||
+ attvalue = NULL; |
||||
+ } |
||||
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>')))) |
||||
+ break; |
||||
+ if (!IS_BLANK_CH(RAW)) { |
||||
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, |
||||
+ "attributes construct error\n"); |
||||
+ break; |
||||
+ } |
||||
SKIP_BLANKS; |
||||
if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) |
||||
goto base_changed; |
||||
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err |
||||
new file mode 100644 |
||||
index 0000000..a0d3051 |
||||
--- /dev/null |
||||
+++ b/result/errors/759020.xml.err |
||||
@@ -0,0 +1,6 @@ |
||||
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute |
||||
+0000000000000000000000000000000000000000000000000000000000000000000000000000000' |
||||
+ ^ |
||||
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 |
||||
+ |
||||
+ ^ |
||||
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str |
||||
new file mode 100644 |
||||
index 0000000..998d6d2 |
||||
--- /dev/null |
||||
+++ b/result/errors/759020.xml.str |
||||
@@ -0,0 +1,7 @@ |
||||
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute |
||||
+0000000000000000000000000000000000000000000000000000000000000000000000000000000' |
||||
+ ^ |
||||
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 |
||||
+ |
||||
+ ^ |
||||
+./test/errors/759020.xml : failed to parse |
||||
diff --git a/test/errors/759020.xml b/test/errors/759020.xml |
||||
new file mode 100644 |
||||
index 0000000..db23275 |
||||
--- /dev/null |
||||
+++ b/test/errors/759020.xml |
||||
@@ -0,0 +1,46 @@ |
||||
+<?l 00000000000000000000000000000?> |
||||
+<s00 w0000="000" h00000="000" |
||||
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
+ |
||||
\ No newline at end of file |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,208 @@
@@ -0,0 +1,208 @@
|
||||
From 6a2a4e753bbba26b2de3d32f11c28691bec967dc Mon Sep 17 00:00:00 2001 |
||||
From: David Kilzer <ddkilzer@apple.com> |
||||
Date: Mon, 23 May 2016 14:58:41 +0800 |
||||
Subject: [PATCH] More format string warnings with possible format string |
||||
vulnerability |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=761029 |
||||
|
||||
adds a new xmlEscapeFormatString() function to escape composed format |
||||
strings |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
libxml.h | 3 +++ |
||||
relaxng.c | 3 ++- |
||||
xmlschemas.c | 39 ++++++++++++++++++++++++++------------- |
||||
xmlstring.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
||||
4 files changed, 86 insertions(+), 14 deletions(-) |
||||
|
||||
diff --git a/libxml.h b/libxml.h |
||||
index 4558b70..88e515f 100644 |
||||
--- a/libxml.h |
||||
+++ b/libxml.h |
||||
@@ -9,6 +9,8 @@ |
||||
#ifndef __XML_LIBXML_H__ |
||||
#define __XML_LIBXML_H__ |
||||
|
||||
+#include <libxml/xmlstring.h> |
||||
+ |
||||
#ifndef NO_LARGEFILE_SOURCE |
||||
#ifndef _LARGEFILE_SOURCE |
||||
#define _LARGEFILE_SOURCE |
||||
@@ -93,6 +95,7 @@ int __xmlInitializeDict(void); |
||||
int __xmlRandom(void); |
||||
#endif |
||||
|
||||
+XMLPUBFUN xmlChar * XMLCALL xmlEscapeFormatString(xmlChar **msg); |
||||
int xmlNop(void); |
||||
|
||||
#ifdef IN_LIBXML |
||||
diff --git a/relaxng.c b/relaxng.c |
||||
index b531081..99e9901 100644 |
||||
--- a/relaxng.c |
||||
+++ b/relaxng.c |
||||
@@ -2215,7 +2215,8 @@ xmlRelaxNGGetErrorString(xmlRelaxNGValidErr err, const xmlChar * arg1, |
||||
snprintf(msg, 1000, "Unknown error code %d\n", err); |
||||
} |
||||
msg[1000 - 1] = 0; |
||||
- return (xmlStrdup((xmlChar *) msg)); |
||||
+ xmlChar *result = xmlCharStrdup(msg); |
||||
+ return (xmlEscapeFormatString(&result)); |
||||
} |
||||
|
||||
/** |
||||
diff --git a/xmlschemas.c b/xmlschemas.c |
||||
index 398cdd8..1bcb0f0 100644 |
||||
--- a/xmlschemas.c |
||||
+++ b/xmlschemas.c |
||||
@@ -1769,7 +1769,7 @@ xmlSchemaFormatItemForReport(xmlChar **buf, |
||||
} |
||||
FREE_AND_NULL(str) |
||||
|
||||
- return (*buf); |
||||
+ return (xmlEscapeFormatString(buf)); |
||||
} |
||||
|
||||
/** |
||||
@@ -2247,6 +2247,13 @@ xmlSchemaFormatNodeForError(xmlChar ** msg, |
||||
TODO |
||||
return (NULL); |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * xmlSchemaFormatItemForReport() also returns an escaped format |
||||
+ * string, so do this before calling it below (in the future). |
||||
+ */ |
||||
+ xmlEscapeFormatString(msg); |
||||
+ |
||||
/* |
||||
* VAL TODO: The output of the given schema component is currently |
||||
* disabled. |
||||
@@ -2474,11 +2481,13 @@ xmlSchemaSimpleTypeErr(xmlSchemaAbstractCtxtPtr actxt, |
||||
msg = xmlStrcat(msg, BAD_CAST " '"); |
||||
if (type->builtInType != 0) { |
||||
msg = xmlStrcat(msg, BAD_CAST "xs:"); |
||||
- msg = xmlStrcat(msg, type->name); |
||||
- } else |
||||
- msg = xmlStrcat(msg, |
||||
- xmlSchemaFormatQName(&str, |
||||
- type->targetNamespace, type->name)); |
||||
+ str = xmlStrdup(type->name); |
||||
+ } else { |
||||
+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); |
||||
+ if (!str) |
||||
+ str = xmlStrdup(qName); |
||||
+ } |
||||
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); |
||||
msg = xmlStrcat(msg, BAD_CAST "'"); |
||||
FREE_AND_NULL(str); |
||||
} |
||||
@@ -2615,7 +2624,7 @@ xmlSchemaComplexTypeErr(xmlSchemaAbstractCtxtPtr actxt, |
||||
str = xmlStrcat(str, BAD_CAST ", "); |
||||
} |
||||
str = xmlStrcat(str, BAD_CAST " ).\n"); |
||||
- msg = xmlStrcat(msg, BAD_CAST str); |
||||
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); |
||||
FREE_AND_NULL(str) |
||||
} else |
||||
msg = xmlStrcat(msg, BAD_CAST "\n"); |
||||
@@ -3139,11 +3148,13 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, |
||||
msg = xmlStrcat(msg, BAD_CAST " '"); |
||||
if (type->builtInType != 0) { |
||||
msg = xmlStrcat(msg, BAD_CAST "xs:"); |
||||
- msg = xmlStrcat(msg, type->name); |
||||
- } else |
||||
- msg = xmlStrcat(msg, |
||||
- xmlSchemaFormatQName(&str, |
||||
- type->targetNamespace, type->name)); |
||||
+ str = xmlStrdup(type->name); |
||||
+ } else { |
||||
+ const xmlChar *qName = xmlSchemaFormatQName(&str, type->targetNamespace, type->name); |
||||
+ if (!str) |
||||
+ str = xmlStrdup(qName); |
||||
+ } |
||||
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&str)); |
||||
msg = xmlStrcat(msg, BAD_CAST "'."); |
||||
FREE_AND_NULL(str); |
||||
} |
||||
@@ -3156,7 +3167,9 @@ xmlSchemaPSimpleTypeErr(xmlSchemaParserCtxtPtr ctxt, |
||||
} |
||||
if (expected) { |
||||
msg = xmlStrcat(msg, BAD_CAST " Expected is '"); |
||||
- msg = xmlStrcat(msg, BAD_CAST expected); |
||||
+ xmlChar *expectedEscaped = xmlCharStrdup(expected); |
||||
+ msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped)); |
||||
+ FREE_AND_NULL(expectedEscaped); |
||||
msg = xmlStrcat(msg, BAD_CAST "'.\n"); |
||||
} else |
||||
msg = xmlStrcat(msg, BAD_CAST "\n"); |
||||
diff --git a/xmlstring.c b/xmlstring.c |
||||
index c66eef3..9164d2e 100644 |
||||
--- a/xmlstring.c |
||||
+++ b/xmlstring.c |
||||
@@ -987,5 +987,60 @@ xmlUTF8Strsub(const xmlChar *utf, int start, int len) { |
||||
return(xmlUTF8Strndup(utf, len)); |
||||
} |
||||
|
||||
+/** |
||||
+ * xmlEscapeFormatString: |
||||
+ * @msg: a pointer to the string in which to escape '%' characters. |
||||
+ * Must be a heap-allocated buffer created by libxml2 that may be |
||||
+ * returned, or that may be freed and replaced. |
||||
+ * |
||||
+ * Replaces the string pointed to by 'msg' with an escaped string. |
||||
+ * Returns the same string with all '%' characters escaped. |
||||
+ */ |
||||
+xmlChar * |
||||
+xmlEscapeFormatString(xmlChar **msg) |
||||
+{ |
||||
+ xmlChar *msgPtr = NULL; |
||||
+ xmlChar *result = NULL; |
||||
+ xmlChar *resultPtr = NULL; |
||||
+ size_t count = 0; |
||||
+ size_t msgLen = 0; |
||||
+ size_t resultLen = 0; |
||||
+ |
||||
+ if (!msg || !*msg) |
||||
+ return(NULL); |
||||
+ |
||||
+ for (msgPtr = *msg; *msgPtr != '\0'; ++msgPtr) { |
||||
+ ++msgLen; |
||||
+ if (*msgPtr == '%') |
||||
+ ++count; |
||||
+ } |
||||
+ |
||||
+ if (count == 0) |
||||
+ return(*msg); |
||||
+ |
||||
+ resultLen = msgLen + count + 1; |
||||
+ result = (xmlChar *) xmlMallocAtomic(resultLen * sizeof(xmlChar)); |
||||
+ if (result == NULL) { |
||||
+ /* Clear *msg to prevent format string vulnerabilities in |
||||
+ out-of-memory situations. */ |
||||
+ xmlFree(*msg); |
||||
+ *msg = NULL; |
||||
+ xmlErrMemory(NULL, NULL); |
||||
+ return(NULL); |
||||
+ } |
||||
+ |
||||
+ for (msgPtr = *msg, resultPtr = result; *msgPtr != '\0'; ++msgPtr, ++resultPtr) { |
||||
+ *resultPtr = *msgPtr; |
||||
+ if (*msgPtr == '%') |
||||
+ *(++resultPtr) = '%'; |
||||
+ } |
||||
+ result[resultLen - 1] = '\0'; |
||||
+ |
||||
+ xmlFree(*msg); |
||||
+ *msg = result; |
||||
+ |
||||
+ return *msg; |
||||
+} |
||||
+ |
||||
#define bottom_xmlstring |
||||
#include "elfgcchack.h" |
||||
-- |
||||
2.5.5 |
||||
|
||||
@ -0,0 +1,178 @@
@@ -0,0 +1,178 @@
|
||||
From 586849318286965d6ede2932ccd31176b4f7fe81 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Fri, 20 Nov 2015 14:59:30 +0800 |
||||
Subject: [PATCH] Reuse xmlHaltParser() where it makes sense |
||||
To: libvir-list@redhat.com |
||||
|
||||
Unify the various place where either xmlStopParser was called |
||||
(which resets the error as a side effect) and places where we |
||||
used ctxt->instate = XML_PARSER_EOF to stop further processing |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 37 +++++++++++++++++-------------------- |
||||
1 file changed, 17 insertions(+), 20 deletions(-) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 5b4f719..9aed98d 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -1773,7 +1773,7 @@ nodePush(xmlParserCtxtPtr ctxt, xmlNodePtr value) |
||||
xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, |
||||
"Excessive depth in document: %d use XML_PARSE_HUGE option\n", |
||||
xmlParserMaxDepth); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
return(-1); |
||||
} |
||||
ctxt->nodeTab[ctxt->nodeNr] = value; |
||||
@@ -5655,7 +5655,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { |
||||
if (RAW != '>') { |
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, |
||||
"xmlParseEntityDecl: entity %s not terminated\n", name); |
||||
- xmlStopParser(ctxt); |
||||
+ xmlHaltParser(ctxt); |
||||
} else { |
||||
if (input != ctxt->input) { |
||||
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, |
||||
@@ -6767,8 +6767,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
SKIP_BLANKS; |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
- xmlStopParser(ctxt); |
||||
- ctxt->errNo = XML_ERR_CONDSEC_INVALID; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
@@ -6830,8 +6829,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
SKIP_BLANKS; |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
- xmlStopParser(ctxt); |
||||
- ctxt->errNo = XML_ERR_CONDSEC_INVALID; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
@@ -6888,8 +6886,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
|
||||
} else { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); |
||||
- xmlStopParser(ctxt); |
||||
- ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} |
||||
|
||||
@@ -7100,7 +7097,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID, |
||||
/* |
||||
* The XML REC instructs us to stop parsing right here |
||||
*/ |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} |
||||
} |
||||
@@ -8087,7 +8084,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt) |
||||
* The XML REC instructs us to stop parsing |
||||
* right here |
||||
*/ |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} |
||||
} |
||||
@@ -9986,7 +9983,7 @@ xmlParseContent(xmlParserCtxtPtr ctxt) { |
||||
if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { |
||||
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, |
||||
"detected an error in element content\n"); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
break; |
||||
} |
||||
} |
||||
@@ -10021,7 +10018,7 @@ xmlParseElement(xmlParserCtxtPtr ctxt) { |
||||
xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR, |
||||
"Excessive depth in document: %d use XML_PARSE_HUGE option\n", |
||||
xmlParserMaxDepth); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
return; |
||||
} |
||||
|
||||
@@ -11345,7 +11342,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
ctxt->sax->setDocumentLocator(ctxt->userData, |
||||
&xmlDefaultSAXLocator); |
||||
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
#ifdef DEBUG_PUSH |
||||
xmlGenericError(xmlGenericErrorContext, |
||||
"PP: entering EOF\n"); |
||||
@@ -11378,7 +11375,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
* The XML REC instructs us to stop parsing right |
||||
* here |
||||
*/ |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
return(0); |
||||
} |
||||
ctxt->standalone = ctxt->input->standalone; |
||||
@@ -11434,7 +11431,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
cur = ctxt->input->cur[0]; |
||||
if (cur != '<') { |
||||
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) |
||||
ctxt->sax->endDocument(ctxt->userData); |
||||
goto done; |
||||
@@ -11466,7 +11463,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
goto done; |
||||
if (name == NULL) { |
||||
spacePop(ctxt); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
if ((ctxt->sax) && (ctxt->sax->endDocument != NULL)) |
||||
ctxt->sax->endDocument(ctxt->userData); |
||||
goto done; |
||||
@@ -11633,7 +11630,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) { |
||||
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, |
||||
"detected an error in element content\n"); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
break; |
||||
} |
||||
break; |
||||
@@ -11954,7 +11951,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) { |
||||
goto done; |
||||
} else { |
||||
xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
#ifdef DEBUG_PUSH |
||||
xmlGenericError(xmlGenericErrorContext, |
||||
"PP: entering EOF\n"); |
||||
@@ -12318,7 +12315,7 @@ xmldecl_done: |
||||
res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk); |
||||
if (res < 0) { |
||||
ctxt->errNo = XML_PARSER_EOF; |
||||
- ctxt->disableSAX = 1; |
||||
+ xmlHaltParser(ctxt); |
||||
return (XML_PARSER_EOF); |
||||
} |
||||
xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur); |
||||
@@ -12372,7 +12369,7 @@ xmldecl_done: |
||||
((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) && |
||||
((ctxt->options & XML_PARSE_HUGE) == 0)) { |
||||
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); |
||||
- ctxt->instate = XML_PARSER_EOF; |
||||
+ xmlHaltParser(ctxt); |
||||
} |
||||
if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1)) |
||||
return(ctxt->errNo); |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
From f0dbfaebd1a4a647ed1902ca16839ecfcb89c422 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 23 Feb 2015 11:17:35 +0800 |
||||
Subject: [PATCH] Stop parsing on entities boundaries errors |
||||
To: libvir-list@redhat.com |
||||
|
||||
For https://bugzilla.gnome.org/show_bug.cgi?id=744980 |
||||
|
||||
There are times, like on unterminated entities that it's preferable to |
||||
stop parsing, even if that means less error reporting. Entities are |
||||
feeding the parser on further processing, and if they are ill defined |
||||
then it's possible to get the parser to bug. Also do the same on |
||||
Conditional Sections if the input is broken, as the structure of |
||||
the document can't be guessed. |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index f70d2b5..d790f8e 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -5649,6 +5649,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { |
||||
if (RAW != '>') { |
||||
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, |
||||
"xmlParseEntityDecl: entity %s not terminated\n", name); |
||||
+ xmlStopParser(ctxt); |
||||
} else { |
||||
if (input != ctxt->input) { |
||||
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, |
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,24 @@
@@ -0,0 +1,24 @@
|
||||
*** XML/xml2-config.in.orig 2006-06-06 16:35:56.000000000 +0200 |
||||
--- XML/xml2-config.in 2006-06-06 16:36:24.000000000 +0200 |
||||
*************** |
||||
*** 3,9 **** |
||||
prefix=@prefix@ |
||||
exec_prefix=@exec_prefix@ |
||||
includedir=@includedir@ |
||||
! libdir=@libdir@ |
||||
|
||||
usage() |
||||
{ |
||||
--- 3,14 ---- |
||||
prefix=@prefix@ |
||||
exec_prefix=@exec_prefix@ |
||||
includedir=@includedir@ |
||||
! if [ "`ldd /bin/sh | grep lib64`" = "" ] |
||||
! then |
||||
! libdir=${exec_prefix}/lib |
||||
! else |
||||
! libdir=${exec_prefix}/lib64 |
||||
! fi |
||||
|
||||
usage() |
||||
{ |
||||
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
From 5b3397ee81277ed70af58a247a0d731de9c7a6c7 Mon Sep 17 00:00:00 2001 |
||||
From: Daniel Veillard <veillard@redhat.com> |
||||
Date: Mon, 9 Nov 2015 18:16:00 +0800 |
||||
Subject: [PATCH] xmlStopParser reset errNo |
||||
To: libvir-list@redhat.com |
||||
|
||||
I had used it in contexts where that information ought to be preserved |
||||
|
||||
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
||||
--- |
||||
parser.c | 3 +++ |
||||
1 file changed, 3 insertions(+) |
||||
|
||||
diff --git a/parser.c b/parser.c |
||||
index 134ea7f..a58dda3 100644 |
||||
--- a/parser.c |
||||
+++ b/parser.c |
||||
@@ -6762,6 +6762,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
xmlStopParser(ctxt); |
||||
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID; |
||||
return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
@@ -6824,6 +6825,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
if (RAW != '[') { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); |
||||
xmlStopParser(ctxt); |
||||
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID; |
||||
return; |
||||
} else { |
||||
if (ctxt->input->id != id) { |
||||
@@ -6881,6 +6883,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
||||
} else { |
||||
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); |
||||
xmlStopParser(ctxt); |
||||
+ ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD; |
||||
return; |
||||
} |
||||
|
||||
-- |
||||
2.5.0 |
||||
|
||||
@ -0,0 +1,493 @@
@@ -0,0 +1,493 @@
|
||||
# for -O3 on ppc64 c.f. 1051068 |
||||
%global _performance_build 1 |
||||
|
||||
Summary: Library providing XML and HTML support |
||||
Name: libxml2 |
||||
Version: 2.9.1 |
||||
Release: 6%{?dist}%{?extra_release}.3 |
||||
License: MIT |
||||
Group: Development/Libraries |
||||
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz |
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root |
||||
BuildRequires: python python-devel zlib-devel pkgconfig xz-devel |
||||
URL: http://xmlsoft.org/ |
||||
Patch0: libxml2-multilib.patch |
||||
Patch1: libxml2-2.9.0-do-not-check-crc.patch |
||||
|
||||
Patch100: libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch |
||||
Patch101: CVE-2014-3660-rhel7.patch |
||||
Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch |
||||
Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch |
||||
Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch |
||||
Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch |
||||
Patch106: libxml2-Cleanup-conditional-section-error-handling.patch |
||||
Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch |
||||
Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch |
||||
Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch |
||||
Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch |
||||
Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch |
||||
Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch |
||||
Patch113: libxml2-xmlStopParser-reset-errNo.patch |
||||
Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch |
||||
Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch |
||||
Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch |
||||
Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch |
||||
Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch |
||||
Patch119: libxml2-Detect-incoherency-on-GROW.patch |
||||
Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch |
||||
Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch |
||||
Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch |
||||
Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch |
||||
Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch |
||||
patch125: libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch |
||||
patch126: libxml2-Avoid-building-recursive-entities.patch |
||||
patch127: libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch |
||||
patch128: libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch |
||||
patch129: libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch |
||||
patch130: libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch |
||||
patch131: libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch |
||||
patch132: libxml2-Fix-inappropriate-fetch-of-entities-content.patch |
||||
patch133: libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch |
||||
patch134: libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch |
||||
patch135: libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch |
||||
patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch |
||||
patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch |
||||
patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch |
||||
patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch |
||||
|
||||
|
||||
%description |
||||
This library allows to manipulate XML files. It includes support |
||||
to read, modify and write XML and HTML files. There is DTDs support |
||||
this includes parsing and validation even with complex DtDs, either |
||||
at parse time or later once the document has been modified. The output |
||||
can be a simple SAX stream or and in-memory DOM like representations. |
||||
In this case one can use the built-in XPath and XPointer implementation |
||||
to select sub nodes or ranges. A flexible Input/Output mechanism is |
||||
available, with existing HTTP and FTP modules and combined to an |
||||
URI library. |
||||
|
||||
%package devel |
||||
Summary: Libraries, includes, etc. to develop XML and HTML applications |
||||
Group: Development/Libraries |
||||
Requires: libxml2 = %{version}-%{release} |
||||
Requires: zlib-devel |
||||
Requires: xz-devel |
||||
Requires: pkgconfig |
||||
|
||||
%description devel |
||||
Libraries, include files, etc you can use to develop XML applications. |
||||
This library allows to manipulate XML files. It includes support |
||||
to read, modify and write XML and HTML files. There is DTDs support |
||||
this includes parsing and validation even with complex DtDs, either |
||||
at parse time or later once the document has been modified. The output |
||||
can be a simple SAX stream or and in-memory DOM like representations. |
||||
In this case one can use the built-in XPath and XPointer implementation |
||||
to select sub nodes or ranges. A flexible Input/Output mechanism is |
||||
available, with existing HTTP and FTP modules and combined to an |
||||
URI library. |
||||
|
||||
%package static |
||||
Summary: Static library for libxml2 |
||||
Group: Development/Libraries |
||||
Requires: libxml2 = %{version}-%{release} |
||||
|
||||
%description static |
||||
Static library for libxml2 provided for specific uses or shaving a few |
||||
microseconds when parsing, do not link to them for generic purpose packages. |
||||
|
||||
%package python |
||||
Summary: Python bindings for the libxml2 library |
||||
Group: Development/Libraries |
||||
Requires: libxml2 = %{version}-%{release} |
||||
|
||||
%description python |
||||
The libxml2-python package contains a module that permits applications |
||||
written in the Python programming language to use the interface |
||||
supplied by the libxml2 library to manipulate XML files. |
||||
|
||||
This library allows to manipulate XML files. It includes support |
||||
to read, modify and write XML and HTML files. There is DTDs support |
||||
this includes parsing and validation even with complex DTDs, either |
||||
at parse time or later once the document has been modified. |
||||
|
||||
%prep |
||||
%setup -q |
||||
%patch0 -p1 |
||||
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions |
||||
%patch1 -p1 -b .do-not-check-crc |
||||
|
||||
%patch100 -p1 |
||||
%patch101 -p1 |
||||
%patch102 -p1 |
||||
%patch103 -p1 |
||||
%patch104 -p1 |
||||
%patch105 -p1 |
||||
%patch106 -p1 |
||||
%patch107 -p1 |
||||
%patch108 -p1 |
||||
%patch109 -p1 |
||||
%patch110 -p1 |
||||
%patch111 -p1 |
||||
%patch112 -p1 |
||||
%patch113 -p1 |
||||
%patch114 -p1 |
||||
%patch115 -p1 |
||||
%patch116 -p1 |
||||
%patch117 -p1 |
||||
%patch118 -p1 |
||||
%patch119 -p1 |
||||
%patch120 -p1 |
||||
%patch121 -p1 |
||||
%patch122 -p1 |
||||
%patch123 -p1 |
||||
%patch124 -p1 |
||||
%patch125 -p1 |
||||
%patch126 -p1 |
||||
%patch127 -p1 |
||||
%patch128 -p1 |
||||
%patch129 -p1 |
||||
%patch130 -p1 |
||||
%patch131 -p1 |
||||
%patch132 -p1 |
||||
%patch133 -p1 |
||||
%patch134 -p1 |
||||
%patch135 -p1 |
||||
%patch136 -p1 |
||||
%patch137 -p1 |
||||
%patch138 -p1 |
||||
%patch139 -p1 |
||||
|
||||
%build |
||||
%configure |
||||
make %{_smp_mflags} |
||||
|
||||
%install |
||||
rm -fr %{buildroot} |
||||
|
||||
make install DESTDIR=%{buildroot} |
||||
|
||||
# multiarch crazyness on timestamp differences or Makefile/binaries for examples |
||||
touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config |
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la |
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a |
||||
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la |
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/* |
||||
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/* |
||||
(cd doc/examples ; make clean ; rm -rf .deps Makefile) |
||||
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz |
||||
|
||||
%check |
||||
make runtests |
||||
|
||||
%clean |
||||
rm -fr %{buildroot} |
||||
|
||||
%post -p /sbin/ldconfig |
||||
|
||||
%postun -p /sbin/ldconfig |
||||
|
||||
%files |
||||
%defattr(-, root, root) |
||||
|
||||
%doc AUTHORS NEWS README Copyright TODO |
||||
%doc %{_mandir}/man1/xmllint.1* |
||||
%doc %{_mandir}/man1/xmlcatalog.1* |
||||
%doc %{_mandir}/man3/libxml.3* |
||||
|
||||
%{_libdir}/lib*.so.* |
||||
%{_bindir}/xmllint |
||||
%{_bindir}/xmlcatalog |
||||
|
||||
%files devel |
||||
%defattr(-, root, root) |
||||
|
||||
%doc %{_mandir}/man1/xml2-config.1* |
||||
%doc AUTHORS NEWS README Copyright |
||||
%doc doc/*.html doc/html doc/*.gif doc/*.png |
||||
%doc doc/tutorial doc/libxml2-api.xml.gz |
||||
%doc doc/examples |
||||
%doc %dir %{_datadir}/gtk-doc/html/libxml2 |
||||
%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp |
||||
%doc %{_datadir}/gtk-doc/html/libxml2/*.html |
||||
%doc %{_datadir}/gtk-doc/html/libxml2/*.png |
||||
%doc %{_datadir}/gtk-doc/html/libxml2/*.css |
||||
|
||||
%{_libdir}/lib*.so |
||||
%{_libdir}/*.sh |
||||
%{_includedir}/* |
||||
%{_bindir}/xml2-config |
||||
%{_datadir}/aclocal/libxml.m4 |
||||
%{_libdir}/pkgconfig/libxml-2.0.pc |
||||
|
||||
%files static |
||||
%defattr(-, root, root) |
||||
|
||||
%{_libdir}/*a |
||||
|
||||
%files python |
||||
%defattr(-, root, root) |
||||
|
||||
%{_libdir}/python*/site-packages/libxml2.py* |
||||
%{_libdir}/python*/site-packages/drv_libxml2.py* |
||||
%{_libdir}/python*/site-packages/libxml2mod* |
||||
%doc python/TODO |
||||
%doc python/libxml2class.txt |
||||
%doc python/tests/*.py |
||||
%doc doc/*.py |
||||
%doc doc/python.html |
||||
|
||||
%changelog |
||||
* Mon Jun 6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3 |
||||
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762) |
||||
- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834) |
||||
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840) |
||||
- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838) |
||||
- Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839) |
||||
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836) |
||||
- Fix inappropriate fetch of entities content (CVE-2016-4449) |
||||
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837) |
||||
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835) |
||||
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447) |
||||
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833) |
||||
- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705) |
||||
- Avoid building recursive entities (CVE-2016-3627) |
||||
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448) |
||||
- More format string warnings with possible format string vulnerability (CVE-2016-4448) |
||||
|
||||
* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2 |
||||
- Fix a series of CVEs (rhbz#1286496) |
||||
- CVE-2015-7941 Stop parsing on entities boundaries errors |
||||
- CVE-2015-7941 Cleanup conditional section error handling |
||||
- CVE-2015-8317 Fail parsing early on if encoding conversion failed |
||||
- CVE-2015-7942 Another variation of overflow in Conditional sections |
||||
- CVE-2015-7942 Fix an error in previous Conditional section patch |
||||
- Fix parsing short unclosed comment uninitialized access |
||||
- CVE-2015-7498 Avoid processing entities after encoding conversion failures |
||||
- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey |
||||
- CVE-2015-5312 Another entity expansion issue |
||||
- CVE-2015-7499 Add xmlHaltParser() to stop the parser |
||||
- CVE-2015-7499 Detect incoherency on GROW |
||||
- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries |
||||
- CVE-2015-8242 Buffer overead with HTML parser in push mode |
||||
- CVE-2015-1819 Enforce the reader to run in constant memory |
||||
|
||||
* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6 |
||||
- Fix missing entities after CVE-2014-3660 fix |
||||
- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650) |
||||
- Fix regressions introduced by CVE-2014-0191 patch |
||||
|
||||
* Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1 |
||||
- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087) |
||||
|
||||
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.9.1-5 |
||||
- Mass rebuild 2014-01-24 |
||||
|
||||
* Wed Jan 15 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-4 |
||||
- rebuild to activate -O3 on ppc64 rhbz#1051068 |
||||
|
||||
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.9.1-3 |
||||
- Mass rebuild 2013-12-27 |
||||
|
||||
* Fri Nov 15 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-2 |
||||
- Fix a regression in xmlGetDocCompressMode() rhbz#963716 |
||||
|
||||
* Fri Apr 19 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-1 |
||||
- upstream release of 2.9.1 |
||||
- a couple more API entry point |
||||
- compatibility with python3 |
||||
- a lot of bug fixes |
||||
|
||||
* Mon Feb 11 2013 Daniel Veillard <veillard@redhat.com> - 2.9.0-4 |
||||
- fix --nocheck build which I broke in october rhbz#909767 |
||||
|
||||
* Mon Nov 19 2012 Jaroslav Reznik <jreznik@redhat.com> - 2.9.0-3 |
||||
- workaround for crc/len check failure, rhbz#877567 |
||||
|
||||
* Thu Oct 11 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-2 |
||||
- remaining cleanups from merge bug rhbz#226079 |
||||
- do not put the docs in the main package, only in -devel rhbz#864731 |
||||
|
||||
* Tue Sep 11 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-1 |
||||
- upstream release of 2.9.0 |
||||
- A few new API entry points |
||||
- More resilient push parser mode |
||||
- A lot of portability improvement |
||||
- Faster XPath evaluation |
||||
- a lot of bug fixes and smaller improvement |
||||
|
||||
* Fri Aug 10 2012 Daniel Veillard <veillard@redhat.com> - 2.9.0-0rc1 |
||||
- upstream release candidate 1 of 2.9.0 |
||||
- introduce a small API change, but ABI compatible, see |
||||
https://mail.gnome.org/archives/xml/2012-August/msg00005.html |
||||
patches for php, gcc/libjava and evolution-data-connector are upstream |
||||
Grab me in cases of problems veillard@redhat.com |
||||
- many bug fixes including security aspects and small improvements |
||||
|
||||
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild |
||||
|
||||
* Wed May 23 2012 Daniel Veillard <veillard@redhat.com> - 2.8.0-1 |
||||
- upstream release of 2.8.0 |
||||
- add lzma compression support |
||||
- many bug fixes and small improvements |
||||
|
||||
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.8-7 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild |
||||
|
||||
* Fri Mar 4 2011 Daniel Veillard <veillard@redhat.com> - 2.7.8-6 |
||||
- fix a double free in XPath CVE-2010-4494 bug 665965 |
||||
|
||||
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.8-5 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild |
||||
|
||||
* Fri Nov 5 2010 Daniel Veillard <veillard@redhat.com> - 2.7.8-4 |
||||
- reactivate shared libs versionning script |
||||
|
||||
* Thu Nov 4 2010 Daniel Veillard <veillard@redhat.com> - 2.7.8-1 |
||||
- Upstream release of 2.7.8 |
||||
- various bug fixes, including potential crashes |
||||
- new non-destructive formatting option |
||||
- date parsing updated to RFC 5646 |
||||
|
||||
* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.7.7-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild |
||||
|
||||
* Mon Mar 15 2010 Daniel Veillard <veillard@redhat.com> - 2.7.7-1 |
||||
- Upstream release of 2.7.7 |
||||
- fix serious trouble with zlib >= 1.2.4 |
||||
- xmllint new option --xpath |
||||
- various HTML parser improvements |
||||
- includes a number of nug fixes |
||||
|
||||
* Tue Oct 6 2009 Daniel Veillard <veillard@redhat.com> - 2.7.6-1 |
||||
- Upstream release of 2.7.6 |
||||
- restore thread support off by default in 2.7.5 |
||||
|
||||
* Thu Sep 24 2009 Daniel Veillard <veillard@redhat.com> - 2.7.5-1 |
||||
- Upstream release of 2.7.5 |
||||
- fix a couple of Relax-NG validation problems |
||||
- couple more fixes |
||||
|
||||
* Tue Sep 15 2009 Daniel Veillard <veillard@redhat.com> - 2.7.4-2 |
||||
- fix a problem with little data at startup affecting inkscape #523002 |
||||
|
||||
* Thu Sep 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.4-1 |
||||
- upstream release 2.7.4 |
||||
- symbol versioning of libxml2 shared libs |
||||
- very large number of bug fixes |
||||
|
||||
* Mon Aug 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-4 |
||||
- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 |
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild |
||||
|
||||
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
||||
|
||||
* Sun Jan 18 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-1 |
||||
- new release 2.7.3 |
||||
- limit default max size of text nodes |
||||
- special parser mode for PHP |
||||
- bug fixes and more compiler checks |
||||
|
||||
* Wed Dec 3 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-7 |
||||
- Pull back into Python 2.6 |
||||
|
||||
* Wed Dec 3 2008 Caolán McNamara <caolanm@redhat.com> - 2.7.2-6 |
||||
- AutoProvides requires BuildRequires pkgconfig |
||||
|
||||
* Wed Dec 3 2008 Caolán McNamara <caolanm@redhat.com> - 2.7.2-5 |
||||
- rebuild to get provides(libxml-2.0) into HEAD rawhide |
||||
|
||||
* Mon Dec 1 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-4 |
||||
- Rebuild for pkgconfig logic |
||||
|
||||
* Fri Nov 28 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.7.2-3 |
||||
- Rebuild for Python 2.6 |
||||
|
||||
* Wed Nov 12 2008 Daniel Veillard <veillard@redhat.com> - 2.7.2-2.fc11 |
||||
- two patches for size overflows problems CVE-2008-4225 and CVE-2008-4226 |
||||
|
||||
* Fri Oct 3 2008 Daniel Veillard <veillard@redhat.com> 2.7.2-1.fc10 |
||||
- new release 2.7.2 |
||||
- Fixes the known problems in 2.7.1 |
||||
- increase the set of options when saving documents |
||||
|
||||
* Thu Oct 2 2008 Daniel Veillard <veillard@redhat.com> 2.7.1-2.fc10 |
||||
- fix a nasty bug in 2.7.x, http://bugzilla.gnome.org/show_bug.cgi?id=554660 |
||||
|
||||
* Mon Sep 1 2008 Daniel Veillard <veillard@redhat.com> 2.7.1-1.fc10 |
||||
- fix python serialization which was broken in 2.7.0 |
||||
- Resolve: rhbz#460774 |
||||
|
||||
* Sat Aug 30 2008 Daniel Veillard <veillard@redhat.com> 2.7.0-1.fc10 |
||||
- upstream release of 2.7.0 |
||||
- switch to XML 1.0 5th edition |
||||
- switch to RFC 3986 for URI parsing |
||||
- better entity handling |
||||
- option to remove hardcoded limitations in the parser |
||||
- more testing |
||||
- a new API to allocate entity nodes |
||||
- and lot of fixes and clanups |
||||
|
||||
* Mon Aug 25 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-4.fc10 |
||||
- fix for entities recursion problem |
||||
- Resolve: rhbz#459714 |
||||
|
||||
* Fri May 30 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-3.fc10 |
||||
- cleanup based on Fedora packaging guidelines, should fix #226079 |
||||
- separate a -static package |
||||
|
||||
* Thu May 15 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-2.fc10 |
||||
- try to fix multiarch problems like #440206 |
||||
|
||||
* Tue Apr 8 2008 Daniel Veillard <veillard@redhat.com> 2.6.32-1.fc9 |
||||
- upstream release 2.6.32 see http://xmlsoft.org/news.html |
||||
- many bug fixed upstream |
||||
|
||||
* Wed Feb 20 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.6.31-2 |
||||
- Autorebuild for GCC 4.3 |
||||
|
||||
* Fri Jan 11 2008 Daniel Veillard <veillard@redhat.com> 2.6.31-1.fc9 |
||||
- upstream release 2.6.31 see http://xmlsoft.org/news.html |
||||
- many bug fixed upstream |
||||
|
||||
* Thu Aug 23 2007 Daniel Veillard <veillard@redhat.com> 2.6.30-1 |
||||
- upstream release 2.6.30 see http://xmlsoft.org/news.html |
||||
- many bug fixed upstream |
||||
|
||||
* Tue Jun 12 2007 Daniel Veillard <veillard@redhat.com> 2.6.29-1 |
||||
- upstream release 2.6.29 see http://xmlsoft.org/news.html |
||||
- many bug fixed upstream |
||||
|
||||
* Wed May 16 2007 Matthias Clasen <mclasen@redhat.com> 2.6.28-2 |
||||
- Bump revision to fix N-V-R problem |
||||
|
||||
* Tue Apr 17 2007 Daniel Veillard <veillard@redhat.com> 2.6.28-1 |
||||
- upstream release 2.6.28 see http://xmlsoft.org/news.html |
||||
- many bug fixed upstream |
||||
|
||||
* Thu Dec 7 2006 Jeremy Katz <katzj@redhat.com> - 2.6.27-2 |
||||
- rebuild against python 2.5 |
||||
|
||||
* Wed Oct 25 2006 Daniel Veillard <veillard@redhat.com> 2.6.27-1 |
||||
- upstream release 2.6.27 see http://xmlsoft.org/news.html |
||||
- very large amount of bug fixes reported upstream |
||||
|
||||
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.6.26-2.1.1 |
||||
- rebuild |
||||
|
||||
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.6.26-2.1 |
||||
- rebuild |
||||
|
||||
* Wed Jun 7 2006 Daniel Veillard <veillard@redhat.com> 2.6.26-2 |
||||
- fix bug #192873 |
||||
* Tue Jun 6 2006 Daniel Veillard <veillard@redhat.com> 2.6.26-1 |
||||
- upstream release 2.6.26 see http://xmlsoft.org/news.html |
||||
|
||||
* Tue Jun 6 2006 Daniel Veillard <veillard@redhat.com> |
||||
- upstream release 2.6.25 broken, do not ship ! |
||||
|
||||
Loading…
Reference in new issue