powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
605 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: ce7a691b61
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ce7a691b61'
${ noResults }
base/SOURCES/libxml2-Heap-use-after-free...

156 lines
9.6 KiB
Raw Blame History

From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=759020
* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change. Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 26 +++++++++++++++++++++++--
result/errors/759020.xml | 0
result/errors/759020.xml.err | 6 ++++++
result/errors/759020.xml.str | 7 +++++++
test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 83 insertions(+), 2 deletions(-)
create mode 100644 result/errors/759020.xml
create mode 100644 result/errors/759020.xml.err
create mode 100644 result/errors/759020.xml.str
create mode 100644 test/errors/759020.xml
diff --git a/parser.c b/parser.c
index 1936599..133df95 100644
--- a/parser.c
+++ b/parser.c
@@ -9438,8 +9438,20 @@ reparse:
else
if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
skip_default_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "attributes construct error\n");
+ break;
+ }
SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
if (aprefix == ctxt->str_xmlns) {
@@ -9511,7 +9523,17 @@ skip_default_ns:
else
if (nsPush(ctxt, attname, URL) > 0) nbNs++;
skip_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+ xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
+ "attributes construct error\n");
+ break;
+ }
SKIP_BLANKS;
if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
goto base_changed;
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
new file mode 100644
index 0000000..a0d3051
--- /dev/null
+++ b/result/errors/759020.xml.err
@@ -0,0 +1,6 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
+
+ ^
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
new file mode 100644
index 0000000..998d6d2
--- /dev/null
+++ b/result/errors/759020.xml.str
@@ -0,0 +1,7 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
+
+ ^
+./test/errors/759020.xml : failed to parse
diff --git a/test/errors/759020.xml b/test/errors/759020.xml
new file mode 100644
index 0000000..db23275
--- /dev/null
+++ b/test/errors/759020.xml
@@ -0,0 +1,46 @@
+<?l 00000000000000000000000000000?>
+<s00 w0000="000" h00000="000"
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
--
2.5.5