You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
255 lines
9.9 KiB
255 lines
9.9 KiB
commit 37b45d8ff0f92a7ea0491dd61a0bceb951af332e |
|
Author: Tomas Korbar <tkorbar@redhat.com> |
|
Date: Tue May 3 09:57:53 2022 +0200 |
|
|
|
Fix CVE-2022-25313 |
|
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c |
|
index 0948906..8e84b5a 100644 |
|
--- a/lib/xmlparse.c |
|
+++ b/lib/xmlparse.c |
|
@@ -7138,44 +7138,15 @@ nextScaffoldPart(XML_Parser parser) { |
|
return next; |
|
} |
|
|
|
-static void |
|
-build_node(XML_Parser parser, int src_node, XML_Content *dest, |
|
- XML_Content **contpos, XML_Char **strpos) { |
|
- DTD *const dtd = parser->m_dtd; /* save one level of indirection */ |
|
- dest->type = dtd->scaffold[src_node].type; |
|
- dest->quant = dtd->scaffold[src_node].quant; |
|
- if (dest->type == XML_CTYPE_NAME) { |
|
- const XML_Char *src; |
|
- dest->name = *strpos; |
|
- src = dtd->scaffold[src_node].name; |
|
- for (;;) { |
|
- *(*strpos)++ = *src; |
|
- if (! *src) |
|
- break; |
|
- src++; |
|
- } |
|
- dest->numchildren = 0; |
|
- dest->children = NULL; |
|
- } else { |
|
- unsigned int i; |
|
- int cn; |
|
- dest->numchildren = dtd->scaffold[src_node].childcnt; |
|
- dest->children = *contpos; |
|
- *contpos += dest->numchildren; |
|
- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren; |
|
- i++, cn = dtd->scaffold[cn].nextsib) { |
|
- build_node(parser, cn, &(dest->children[i]), contpos, strpos); |
|
- } |
|
- dest->name = NULL; |
|
- } |
|
-} |
|
- |
|
static XML_Content * |
|
build_model(XML_Parser parser) { |
|
+ /* Function build_model transforms the existing parser->m_dtd->scaffold |
|
+ * array of CONTENT_SCAFFOLD tree nodes into a new array of |
|
+ * XML_Content tree nodes followed by a gapless list of zero-terminated |
|
+ * strings. */ |
|
DTD *const dtd = parser->m_dtd; /* save one level of indirection */ |
|
XML_Content *ret; |
|
- XML_Content *cpos; |
|
- XML_Char *str; |
|
+ XML_Char *str; /* the current string writing location */ |
|
|
|
/* Detect and prevent integer overflow. |
|
* The preprocessor guard addresses the "always false" warning |
|
@@ -7201,10 +7172,96 @@ build_model(XML_Parser parser) { |
|
if (! ret) |
|
return NULL; |
|
|
|
- str = (XML_Char *)(&ret[dtd->scaffCount]); |
|
- cpos = &ret[1]; |
|
+ /* What follows is an iterative implementation (of what was previously done |
|
+ * recursively in a dedicated function called "build_node". The old recursive |
|
+ * build_node could be forced into stack exhaustion from input as small as a |
|
+ * few megabyte, and so that was a security issue. Hence, a function call |
|
+ * stack is avoided now by resolving recursion.) |
|
+ * |
|
+ * The iterative approach works as follows: |
|
+ * |
|
+ * - We have two writing pointers, both walking up the result array; one does |
|
+ * the work, the other creates "jobs" for its colleague to do, and leads |
|
+ * the way: |
|
+ * |
|
+ * - The faster one, pointer jobDest, always leads and writes "what job |
|
+ * to do" by the other, once they reach that place in the |
|
+ * array: leader "jobDest" stores the source node array index (relative |
|
+ * to array dtd->scaffold) in field "numchildren". |
|
+ * |
|
+ * - The slower one, pointer dest, looks at the value stored in the |
|
+ * "numchildren" field (which actually holds a source node array index |
|
+ * at that time) and puts the real data from dtd->scaffold in. |
|
+ * |
|
+ * - Before the loop starts, jobDest writes source array index 0 |
|
+ * (where the root node is located) so that dest will have something to do |
|
+ * when it starts operation. |
|
+ * |
|
+ * - Whenever nodes with children are encountered, jobDest appends |
|
+ * them as new jobs, in order. As a result, tree node siblings are |
|
+ * adjacent in the resulting array, for example: |
|
+ * |
|
+ * [0] root, has two children |
|
+ * [1] first child of 0, has three children |
|
+ * [3] first child of 1, does not have children |
|
+ * [4] second child of 1, does not have children |
|
+ * [5] third child of 1, does not have children |
|
+ * [2] second child of 0, does not have children |
|
+ * |
|
+ * Or (the same data) presented in flat array view: |
|
+ * |
|
+ * [0] root, has two children |
|
+ * |
|
+ * [1] first child of 0, has three children |
|
+ * [2] second child of 0, does not have children |
|
+ * |
|
+ * [3] first child of 1, does not have children |
|
+ * [4] second child of 1, does not have children |
|
+ * [5] third child of 1, does not have children |
|
+ * |
|
+ * - The algorithm repeats until all target array indices have been processed. |
|
+ */ |
|
+ XML_Content *dest = ret; /* tree node writing location, moves upwards */ |
|
+ XML_Content *const destLimit = &ret[dtd->scaffCount]; |
|
+ XML_Content *jobDest = ret; /* next free writing location in target array */ |
|
+ str = (XML_Char *)&ret[dtd->scaffCount]; |
|
+ |
|
+ /* Add the starting job, the root node (index 0) of the source tree */ |
|
+ (jobDest++)->numchildren = 0; |
|
+ |
|
+ for (; dest < destLimit; dest++) { |
|
+ /* Retrieve source tree array index from job storage */ |
|
+ const int src_node = (int)dest->numchildren; |
|
+ |
|
+ /* Convert item */ |
|
+ dest->type = dtd->scaffold[src_node].type; |
|
+ dest->quant = dtd->scaffold[src_node].quant; |
|
+ if (dest->type == XML_CTYPE_NAME) { |
|
+ const XML_Char *src; |
|
+ dest->name = str; |
|
+ src = dtd->scaffold[src_node].name; |
|
+ for (;;) { |
|
+ *str++ = *src; |
|
+ if (! *src) |
|
+ break; |
|
+ src++; |
|
+ } |
|
+ dest->numchildren = 0; |
|
+ dest->children = NULL; |
|
+ } else { |
|
+ unsigned int i; |
|
+ int cn; |
|
+ dest->name = NULL; |
|
+ dest->numchildren = dtd->scaffold[src_node].childcnt; |
|
+ dest->children = jobDest; |
|
+ |
|
+ /* Append scaffold indices of children to array */ |
|
+ for (i = 0, cn = dtd->scaffold[src_node].firstchild; |
|
+ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) |
|
+ (jobDest++)->numchildren = (unsigned int)cn; |
|
+ } |
|
+ } |
|
|
|
- build_node(parser, 0, ret, &cpos, &str); |
|
return ret; |
|
} |
|
|
|
diff --git a/tests/runtests.c b/tests/runtests.c |
|
index 7293d46..05f3083 100644 |
|
--- a/tests/runtests.c |
|
+++ b/tests/runtests.c |
|
@@ -2677,6 +2677,82 @@ START_TEST(test_dtd_elements) { |
|
} |
|
END_TEST |
|
|
|
+static void XMLCALL |
|
+element_decl_check_model(void *userData, const XML_Char *name, |
|
+ XML_Content *model) { |
|
+ UNUSED_P(userData); |
|
+ uint32_t errorFlags = 0; |
|
+ |
|
+ /* Expected model array structure is this: |
|
+ * [0] (type 6, quant 0) |
|
+ * [1] (type 5, quant 0) |
|
+ * [3] (type 4, quant 0, name "bar") |
|
+ * [4] (type 4, quant 0, name "foo") |
|
+ * [5] (type 4, quant 3, name "xyz") |
|
+ * [2] (type 4, quant 2, name "zebra") |
|
+ */ |
|
+ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0)); |
|
+ errorFlags |= ((model != NULL) ? 0 : (1u << 1)); |
|
+ |
|
+ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2)); |
|
+ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3)); |
|
+ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4)); |
|
+ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5)); |
|
+ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6)); |
|
+ |
|
+ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7)); |
|
+ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8)); |
|
+ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9)); |
|
+ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10)); |
|
+ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11)); |
|
+ |
|
+ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12)); |
|
+ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13)); |
|
+ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14)); |
|
+ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15)); |
|
+ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16)); |
|
+ |
|
+ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17)); |
|
+ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18)); |
|
+ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19)); |
|
+ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20)); |
|
+ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21)); |
|
+ |
|
+ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22)); |
|
+ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23)); |
|
+ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24)); |
|
+ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25)); |
|
+ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26)); |
|
+ |
|
+ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27)); |
|
+ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28)); |
|
+ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29)); |
|
+ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30)); |
|
+ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31)); |
|
+ |
|
+ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags); |
|
+ XML_FreeContentModel(g_parser, model); |
|
+} |
|
+ |
|
+START_TEST(test_dtd_elements_nesting) { |
|
+ // Payload inspired by a test in Perl's XML::Parser |
|
+ const char *text = "<!DOCTYPE foo [\n" |
|
+ "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>\n" |
|
+ "]>\n" |
|
+ "<foo/>"; |
|
+ |
|
+ XML_SetUserData(g_parser, (void *)(uintptr_t)-1); |
|
+ |
|
+ XML_SetElementDeclHandler(g_parser, element_decl_check_model); |
|
+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) |
|
+ == XML_STATUS_ERROR) |
|
+ xml_failure(g_parser); |
|
+ |
|
+ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0) |
|
+ fail("Element declaration model regression detected"); |
|
+} |
|
+END_TEST |
|
+ |
|
/* Test foreign DTD handling */ |
|
START_TEST(test_set_foreign_dtd) { |
|
const char *text1 = "<?xml version='1.0' encoding='us-ascii'?>\n"; |
|
@@ -11487,6 +11563,7 @@ make_suite(void) { |
|
tcase_add_test(tc_basic, test_memory_allocation); |
|
tcase_add_test(tc_basic, test_default_current); |
|
tcase_add_test(tc_basic, test_dtd_elements); |
|
+ tcase_add_test(tc_basic, test_dtd_elements_nesting); |
|
tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd); |
|
tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone); |
|
tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd);
|
|
|