powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
646 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: b558cfd63a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b558cfd63a'
${ noResults }
base/SOURCES/libxml2-CVE-2015-7500-Fix-m...

108 lines
3.3 KiB
Raw Blame History

From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 16:06:59 +0800
Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
entities boundaries
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=756525
handle properly the case where we popped out of the current entity
while processing a start tag
Reported by Kostya Serebryany @ Google
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/parser.c b/parser.c
index cc45e17..f4fc310 100644
--- a/parser.c
+++ b/parser.c
@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
const xmlChar **atts = ctxt->atts;
int maxatts = ctxt->maxatts;
int nratts, nbatts, nbdef;
- int i, j, nbNs, attval, oldline, oldcol;
+ int i, j, nbNs, attval, oldline, oldcol, inputNr;
const xmlChar *base;
unsigned long cur;
int nsNr = ctxt->nsNr;
@@ -9328,6 +9328,7 @@ reparse:
SHRINK;
base = ctxt->input->base;
cur = ctxt->input->cur - ctxt->input->base;
+ inputNr = ctxt->inputNr;
oldline = ctxt->input->line;
oldcol = ctxt->input->col;
nbatts = 0;
@@ -9353,7 +9354,8 @@ reparse:
*/
SKIP_BLANKS;
GROW;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
while (((RAW != '>') &&
((RAW != '/') || (NXT(1) != '>')) &&
@@ -9364,7 +9366,7 @@ reparse:
attname = xmlParseAttribute2(ctxt, prefix, localname,
&aprefix, &attvalue, &len, &alloc);
- if (ctxt->input->base != base) {
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
if ((attvalue != NULL) && (alloc != 0))
xmlFree(attvalue);
attvalue = NULL;
@@ -9493,7 +9495,8 @@ skip_default_ns:
skip_ns:
if (alloc != 0) xmlFree(attvalue);
SKIP_BLANKS;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
@@ -9530,7 +9533,8 @@ failed:
GROW
if (ctxt->instate == XML_PARSER_EOF)
break;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
@@ -9546,7 +9550,8 @@ failed:
break;
}
GROW;
- if (ctxt->input->base != base) goto base_changed;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
}
/*
@@ -9713,6 +9718,17 @@ base_changed:
if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
xmlFree((xmlChar *) atts[i]);
}
+
+ /*
+ * We can't switch from one entity to another in the middle
+ * of a start tag
+ */
+ if (inputNr != ctxt->inputNr) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+ "Start tag doesn't start and stop in the same entity\n");
+ return(NULL);
+ }
+
ctxt->input->cur = ctxt->input->base + cur;
ctxt->input->line = oldline;
ctxt->input->col = oldcol;
--
2.5.0