From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001 |
|
From: David Kilzer <ddkilzer@apple.com> |
|
Date: Tue, 26 Jan 2016 16:57:03 -0800 |
|
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName |
|
To: libvir-list@redhat.com |
|
|
|
For https://bugzilla.gnome.org/show_bug.cgi?id=759573 |
|
|
|
* parser.c: |
|
(xmlParseElementDecl): Return early on invalid input to fix |
|
non-minimized test case (759573-2.xml). Otherwise the parser |
|
gets into a bad state in SKIP(3) at the end of the function. |
|
(xmlParseConditionalSections): Halt parsing when hitting invalid |
|
input that would otherwise cause xmlParserHandlePEReference() |
|
to recurse unexpectedly. This fixes the minimized test case |
|
(759573.xml). |
|
|
|
* result/errors/759573-2.xml: Add. |
|
* result/errors/759573-2.xml.err: Add. |
|
* result/errors/759573-2.xml.str: Add. |
|
* result/errors/759573.xml: Add. |
|
* result/errors/759573.xml.err: Add. |
|
* result/errors/759573.xml.str: Add. |
|
* test/errors/759573-2.xml: Add. |
|
* test/errors/759573.xml: Add. |
|
|
|
Had to fixup by removing test 759573-2 |
|
|
|
Signed-off-by: Daniel Veillard <veillard@redhat.com> |
|
--- |
|
parser.c | 2 ++ |
|
result/errors/759573.xml | 0 |
|
result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++ |
|
result/errors/759573.xml.str | 4 ++++ |
|
test/errors/759573.xml | 1 + |
|
5 files changed, 38 insertions(+) |
|
create mode 100644 result/errors/759573.xml |
|
create mode 100644 result/errors/759573.xml.err |
|
create mode 100644 result/errors/759573.xml.str |
|
create mode 100644 test/errors/759573.xml |
|
|
|
diff --git a/parser.c b/parser.c |
|
index 133df95..0accf54 100644 |
|
--- a/parser.c |
|
+++ b/parser.c |
|
@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) { |
|
if (!IS_BLANK_CH(CUR)) { |
|
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, |
|
"Space required after 'ELEMENT'\n"); |
|
+ return(-1); |
|
} |
|
SKIP_BLANKS; |
|
name = xmlParseName(ctxt); |
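Review bot: The added `return(-1);` is the only "Space required" error in this declaration parser that aborts instead of recovering, and nothing at the return site says why, so the next maintainer who sees the sibling declaration parsers recover from the same error may "fix" it back. A one-line comment would pin the reason given in the commit message: `/* Bail out: recovering here leaves the cursor misaligned for the trailing SKIP(3) (bug 759573-2). */`. The fixup note says the 759573-2 test was dropped, so this branch currently has no regression test in the suite; a minimized case that reaches it would be worth adding. I cannot see from the hunk whether the `<!ELEMENT` prefix has already been consumed at this point, so whether the caller's no-progress guard still fires on this path should be confirmed. xmlParseElementDecl starts and ends outside the hunk.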
|
@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { |
|
|
|
if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) { |
|
xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL); |
|
+ xmlHaltParser(ctxt); |
|
break; |
|
} |
|
} |
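Review bot: The new `xmlHaltParser(ctxt);` only exits the loop; whatever code follows the loop in xmlParseConditionalSections (outside this hunk, presumably the `]]>` check and its SKIP) still runs on a halted context, so it should be confirmed that the tail tests `ctxt->instate == XML_PARSER_EOF` before touching the input again. The halt also deserves a why-comment, since elsewhere the same no-progress guard pattern just breaks: `/* No progress on this input: halt so a PE reference cannot re-enter the parser at the same position (bug 759573). */`. The `check`/`cons` snapshot the guard compares against is captured above the hunk and is not visible here.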
|
diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err |
|
new file mode 100644 |
|
index 0000000..2c21e9a |
|
--- /dev/null |
|
+++ b/result/errors/759573.xml.err |
|
@@ -0,0 +1,31 @@ |
|
+./test/errors/759573.xml:1: parser error : Space required after '<!ENTITY' |
|
+ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITY |
|
+ ^ |
|
+./test/errors/759573.xml:1: parser error : Space required after the entity name |
|
+LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz |
|
+ ^ |
|
+./test/errors/759573.xml:1: parser error : Entity value required |
|
+LEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz |
|
+ ^ |
|
+Entity: line 1: parser error : PEReference: no name |
|
+ %xx; |
|
+ ^ |
|
+Entity: line 1: |
|
+%<![INCLUDE[000%ஸ000%z; |
|
+ ^ |
|
+Entity: line 1: parser error : Content error in the external subset |
|
+ %xx; |
|
+ ^ |
|
+Entity: line 1: |
|
+%<![INCLUDE[000%ஸ000%z; |
|
+ ^ |
|
+./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration |
|
+ |
|
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
|
+ ^ |
|
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated |
|
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
|
+ ^ |
|
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found |
|
+T t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
|
+ ^ |
|
diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str |
|
new file mode 100644 |
|
index 0000000..1b6addb |
|
--- /dev/null |
|
+++ b/result/errors/759573.xml.str |
|
@@ -0,0 +1,4 @@ |
|
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document |
|
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ00 |
|
+ ^ |
|
+./test/errors/759573.xml : failed to parse |
|
diff --git a/test/errors/759573.xml b/test/errors/759573.xml |
|
new file mode 100644 |
|
index 0000000..69ebb57 |
|
--- /dev/null |
|
+++ b/test/errors/759573.xml |
|
@@ -0,0 +1 @@ |
|
+<?h?><!DOCTYPEt[<!ELEMENT t (A)><!ENTITY % xx '%<![INCLUDE[000%ஸ000%z;'><!ENTITYz>%xx; |
|
\ No newline at end of file |
|
-- |
|
2.5.5 |
|
|
|
|