diff options
author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-12-12 11:28:30 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-23 23:05:49 +0000 |
commit | f930572051984d5afa390f436ce4843b5f838b14 (patch) | |
tree | 68321cb42151c3dd124316dd67eac81b24d09fd6 /meta/recipes-core | |
parent | a00404e18e290a50e6cb542d402787e3281adba3 (diff) | |
download | poky-f930572051984d5afa390f436ce4843b5f838b14.tar.gz |
libxml2: Fix CVE-2022-40303 && CVE-2022-40304
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 && https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b
(From OE-Core rev: b46d0b7a599ee5d3009cca302ad5322d64eb94b9)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch | 624 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch | 106 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.9.14.bb | 2 |
3 files changed, 732 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 0000000000..346ec37a9f --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch | |||
@@ -0,0 +1,624 @@ | |||
1 | From 15050f59d2a62b97b34e9cab8b8076a68ef003bd Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Thu, 25 Aug 2022 17:43:08 +0200 | ||
4 | Subject: [PATCH] CVE-2022-40303 | ||
5 | |||
6 | Fix integer overflows with XML_PARSE_HUGE | ||
7 | |||
8 | Also impose size limits when XML_PARSE_HUGE is set. Limit size of names | ||
9 | to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to | ||
10 | XML_MAX_HUGE_LENGTH (1 billion bytes). | ||
11 | |||
12 | Move some the length checks to the end of the respective loop to make | ||
13 | them strict. | ||
14 | |||
15 | xmlParseEntityValue didn't have a length limitation at all. But without | ||
16 | XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. | ||
17 | |||
18 | Thanks to Maddie Stone working with Google Project Zero for the report! | ||
19 | |||
20 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0] | ||
21 | CVE: CVE-2022-40303 | ||
22 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
23 | --- | ||
24 | parser.c | 233 +++++++++++++++++++++++++++++-------------------------- | ||
25 | 1 file changed, 121 insertions(+), 112 deletions(-) | ||
26 | |||
27 | diff --git a/parser.c b/parser.c | ||
28 | index 1bc3713..0f76577 100644 | ||
29 | --- a/parser.c | ||
30 | +++ b/parser.c | ||
31 | @@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); | ||
32 | * * | ||
33 | ************************************************************************/ | ||
34 | |||
35 | +#define XML_MAX_HUGE_LENGTH 1000000000 | ||
36 | + | ||
37 | #define XML_PARSER_BIG_ENTITY 1000 | ||
38 | #define XML_PARSER_LOT_ENTITY 5000 | ||
39 | |||
40 | @@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) | ||
41 | errmsg = "Malformed declaration expecting version"; | ||
42 | break; | ||
43 | case XML_ERR_NAME_TOO_LONG: | ||
44 | - errmsg = "Name too long use XML_PARSE_HUGE option"; | ||
45 | + errmsg = "Name too long"; | ||
46 | break; | ||
47 | #if 0 | ||
48 | case: | ||
49 | @@ -3210,6 +3212,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
50 | int len = 0, l; | ||
51 | int c; | ||
52 | int count = 0; | ||
53 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
54 | + XML_MAX_TEXT_LENGTH : | ||
55 | + XML_MAX_NAME_LENGTH; | ||
56 | |||
57 | #ifdef DEBUG | ||
58 | nbParseNameComplex++; | ||
59 | @@ -3275,7 +3280,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
60 | if (ctxt->instate == XML_PARSER_EOF) | ||
61 | return(NULL); | ||
62 | } | ||
63 | - len += l; | ||
64 | + if (len <= INT_MAX - l) | ||
65 | + len += l; | ||
66 | NEXTL(l); | ||
67 | c = CUR_CHAR(l); | ||
68 | } | ||
69 | @@ -3301,13 +3307,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { | ||
70 | if (ctxt->instate == XML_PARSER_EOF) | ||
71 | return(NULL); | ||
72 | } | ||
73 | - len += l; | ||
74 | + if (len <= INT_MAX - l) | ||
75 | + len += l; | ||
76 | NEXTL(l); | ||
77 | c = CUR_CHAR(l); | ||
78 | } | ||
79 | } | ||
80 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
81 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
82 | + if (len > maxLength) { | ||
83 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); | ||
84 | return(NULL); | ||
85 | } | ||
86 | @@ -3346,7 +3352,10 @@ const xmlChar * | ||
87 | xmlParseName(xmlParserCtxtPtr ctxt) { | ||
88 | const xmlChar *in; | ||
89 | const xmlChar *ret; | ||
90 | - int count = 0; | ||
91 | + size_t count = 0; | ||
92 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
93 | + XML_MAX_TEXT_LENGTH : | ||
94 | + XML_MAX_NAME_LENGTH; | ||
95 | |||
96 | GROW; | ||
97 | |||
98 | @@ -3370,8 +3379,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { | ||
99 | in++; | ||
100 | if ((*in > 0) && (*in < 0x80)) { | ||
101 | count = in - ctxt->input->cur; | ||
102 | - if ((count > XML_MAX_NAME_LENGTH) && | ||
103 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
104 | + if (count > maxLength) { | ||
105 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); | ||
106 | return(NULL); | ||
107 | } | ||
108 | @@ -3392,6 +3400,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { | ||
109 | int len = 0, l; | ||
110 | int c; | ||
111 | int count = 0; | ||
112 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
113 | + XML_MAX_TEXT_LENGTH : | ||
114 | + XML_MAX_NAME_LENGTH; | ||
115 | size_t startPosition = 0; | ||
116 | |||
117 | #ifdef DEBUG | ||
118 | @@ -3412,17 +3423,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { | ||
119 | while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ | ||
120 | (xmlIsNameChar(ctxt, c) && (c != ':'))) { | ||
121 | if (count++ > XML_PARSER_CHUNK_SIZE) { | ||
122 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
123 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
124 | - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
125 | - return(NULL); | ||
126 | - } | ||
127 | count = 0; | ||
128 | GROW; | ||
129 | if (ctxt->instate == XML_PARSER_EOF) | ||
130 | return(NULL); | ||
131 | } | ||
132 | - len += l; | ||
133 | + if (len <= INT_MAX - l) | ||
134 | + len += l; | ||
135 | NEXTL(l); | ||
136 | c = CUR_CHAR(l); | ||
137 | if (c == 0) { | ||
138 | @@ -3440,8 +3447,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { | ||
139 | c = CUR_CHAR(l); | ||
140 | } | ||
141 | } | ||
142 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
143 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
144 | + if (len > maxLength) { | ||
145 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
146 | return(NULL); | ||
147 | } | ||
148 | @@ -3467,7 +3473,10 @@ static const xmlChar * | ||
149 | xmlParseNCName(xmlParserCtxtPtr ctxt) { | ||
150 | const xmlChar *in, *e; | ||
151 | const xmlChar *ret; | ||
152 | - int count = 0; | ||
153 | + size_t count = 0; | ||
154 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
155 | + XML_MAX_TEXT_LENGTH : | ||
156 | + XML_MAX_NAME_LENGTH; | ||
157 | |||
158 | #ifdef DEBUG | ||
159 | nbParseNCName++; | ||
160 | @@ -3492,8 +3501,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { | ||
161 | goto complex; | ||
162 | if ((*in > 0) && (*in < 0x80)) { | ||
163 | count = in - ctxt->input->cur; | ||
164 | - if ((count > XML_MAX_NAME_LENGTH) && | ||
165 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
166 | + if (count > maxLength) { | ||
167 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
168 | return(NULL); | ||
169 | } | ||
170 | @@ -3575,6 +3583,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { | ||
171 | const xmlChar *cur = *str; | ||
172 | int len = 0, l; | ||
173 | int c; | ||
174 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
175 | + XML_MAX_TEXT_LENGTH : | ||
176 | + XML_MAX_NAME_LENGTH; | ||
177 | |||
178 | #ifdef DEBUG | ||
179 | nbParseStringName++; | ||
180 | @@ -3610,12 +3621,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { | ||
181 | if (len + 10 > max) { | ||
182 | xmlChar *tmp; | ||
183 | |||
184 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
185 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
186 | - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
187 | - xmlFree(buffer); | ||
188 | - return(NULL); | ||
189 | - } | ||
190 | max *= 2; | ||
191 | tmp = (xmlChar *) xmlRealloc(buffer, | ||
192 | max * sizeof(xmlChar)); | ||
193 | @@ -3629,14 +3634,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { | ||
194 | COPY_BUF(l,buffer,len,c); | ||
195 | cur += l; | ||
196 | c = CUR_SCHAR(cur, l); | ||
197 | + if (len > maxLength) { | ||
198 | + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
199 | + xmlFree(buffer); | ||
200 | + return(NULL); | ||
201 | + } | ||
202 | } | ||
203 | buffer[len] = 0; | ||
204 | *str = cur; | ||
205 | return(buffer); | ||
206 | } | ||
207 | } | ||
208 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
209 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
210 | + if (len > maxLength) { | ||
211 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); | ||
212 | return(NULL); | ||
213 | } | ||
214 | @@ -3663,6 +3672,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { | ||
215 | int len = 0, l; | ||
216 | int c; | ||
217 | int count = 0; | ||
218 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
219 | + XML_MAX_TEXT_LENGTH : | ||
220 | + XML_MAX_NAME_LENGTH; | ||
221 | |||
222 | #ifdef DEBUG | ||
223 | nbParseNmToken++; | ||
224 | @@ -3714,12 +3726,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { | ||
225 | if (len + 10 > max) { | ||
226 | xmlChar *tmp; | ||
227 | |||
228 | - if ((max > XML_MAX_NAME_LENGTH) && | ||
229 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
230 | - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); | ||
231 | - xmlFree(buffer); | ||
232 | - return(NULL); | ||
233 | - } | ||
234 | max *= 2; | ||
235 | tmp = (xmlChar *) xmlRealloc(buffer, | ||
236 | max * sizeof(xmlChar)); | ||
237 | @@ -3733,6 +3739,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { | ||
238 | COPY_BUF(l,buffer,len,c); | ||
239 | NEXTL(l); | ||
240 | c = CUR_CHAR(l); | ||
241 | + if (len > maxLength) { | ||
242 | + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); | ||
243 | + xmlFree(buffer); | ||
244 | + return(NULL); | ||
245 | + } | ||
246 | } | ||
247 | buffer[len] = 0; | ||
248 | return(buffer); | ||
249 | @@ -3740,8 +3751,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { | ||
250 | } | ||
251 | if (len == 0) | ||
252 | return(NULL); | ||
253 | - if ((len > XML_MAX_NAME_LENGTH) && | ||
254 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
255 | + if (len > maxLength) { | ||
256 | xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); | ||
257 | return(NULL); | ||
258 | } | ||
259 | @@ -3767,6 +3777,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { | ||
260 | int len = 0; | ||
261 | int size = XML_PARSER_BUFFER_SIZE; | ||
262 | int c, l; | ||
263 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
264 | + XML_MAX_HUGE_LENGTH : | ||
265 | + XML_MAX_TEXT_LENGTH; | ||
266 | xmlChar stop; | ||
267 | xmlChar *ret = NULL; | ||
268 | const xmlChar *cur = NULL; | ||
269 | @@ -3826,6 +3839,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { | ||
270 | GROW; | ||
271 | c = CUR_CHAR(l); | ||
272 | } | ||
273 | + | ||
274 | + if (len > maxLength) { | ||
275 | + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, | ||
276 | + "entity value too long\n"); | ||
277 | + goto error; | ||
278 | + } | ||
279 | } | ||
280 | buf[len] = 0; | ||
281 | if (ctxt->instate == XML_PARSER_EOF) | ||
282 | @@ -3913,6 +3932,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||
283 | xmlChar *rep = NULL; | ||
284 | size_t len = 0; | ||
285 | size_t buf_size = 0; | ||
286 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
287 | + XML_MAX_HUGE_LENGTH : | ||
288 | + XML_MAX_TEXT_LENGTH; | ||
289 | int c, l, in_space = 0; | ||
290 | xmlChar *current = NULL; | ||
291 | xmlEntityPtr ent; | ||
292 | @@ -3944,16 +3966,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||
293 | while (((NXT(0) != limit) && /* checked */ | ||
294 | (IS_CHAR(c)) && (c != '<')) && | ||
295 | (ctxt->instate != XML_PARSER_EOF)) { | ||
296 | - /* | ||
297 | - * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE | ||
298 | - * special option is given | ||
299 | - */ | ||
300 | - if ((len > XML_MAX_TEXT_LENGTH) && | ||
301 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
302 | - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
303 | - "AttValue length too long\n"); | ||
304 | - goto mem_error; | ||
305 | - } | ||
306 | if (c == '&') { | ||
307 | in_space = 0; | ||
308 | if (NXT(1) == '#') { | ||
309 | @@ -4101,6 +4113,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||
310 | } | ||
311 | GROW; | ||
312 | c = CUR_CHAR(l); | ||
313 | + if (len > maxLength) { | ||
314 | + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
315 | + "AttValue length too long\n"); | ||
316 | + goto mem_error; | ||
317 | + } | ||
318 | } | ||
319 | if (ctxt->instate == XML_PARSER_EOF) | ||
320 | goto error; | ||
321 | @@ -4122,16 +4139,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { | ||
322 | } else | ||
323 | NEXT; | ||
324 | |||
325 | - /* | ||
326 | - * There we potentially risk an overflow, don't allow attribute value of | ||
327 | - * length more than INT_MAX it is a very reasonable assumption ! | ||
328 | - */ | ||
329 | - if (len >= INT_MAX) { | ||
330 | - xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
331 | - "AttValue length too long\n"); | ||
332 | - goto mem_error; | ||
333 | - } | ||
334 | - | ||
335 | if (attlen != NULL) *attlen = (int) len; | ||
336 | return(buf); | ||
337 | |||
338 | @@ -4202,6 +4209,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { | ||
339 | int len = 0; | ||
340 | int size = XML_PARSER_BUFFER_SIZE; | ||
341 | int cur, l; | ||
342 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
343 | + XML_MAX_TEXT_LENGTH : | ||
344 | + XML_MAX_NAME_LENGTH; | ||
345 | xmlChar stop; | ||
346 | int state = ctxt->instate; | ||
347 | int count = 0; | ||
348 | @@ -4229,13 +4239,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { | ||
349 | if (len + 5 >= size) { | ||
350 | xmlChar *tmp; | ||
351 | |||
352 | - if ((size > XML_MAX_NAME_LENGTH) && | ||
353 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
354 | - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); | ||
355 | - xmlFree(buf); | ||
356 | - ctxt->instate = (xmlParserInputState) state; | ||
357 | - return(NULL); | ||
358 | - } | ||
359 | size *= 2; | ||
360 | tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); | ||
361 | if (tmp == NULL) { | ||
362 | @@ -4264,6 +4267,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { | ||
363 | SHRINK; | ||
364 | cur = CUR_CHAR(l); | ||
365 | } | ||
366 | + if (len > maxLength) { | ||
367 | + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); | ||
368 | + xmlFree(buf); | ||
369 | + ctxt->instate = (xmlParserInputState) state; | ||
370 | + return(NULL); | ||
371 | + } | ||
372 | } | ||
373 | buf[len] = 0; | ||
374 | ctxt->instate = (xmlParserInputState) state; | ||
375 | @@ -4291,6 +4300,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { | ||
376 | xmlChar *buf = NULL; | ||
377 | int len = 0; | ||
378 | int size = XML_PARSER_BUFFER_SIZE; | ||
379 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
380 | + XML_MAX_TEXT_LENGTH : | ||
381 | + XML_MAX_NAME_LENGTH; | ||
382 | xmlChar cur; | ||
383 | xmlChar stop; | ||
384 | int count = 0; | ||
385 | @@ -4318,12 +4330,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { | ||
386 | if (len + 1 >= size) { | ||
387 | xmlChar *tmp; | ||
388 | |||
389 | - if ((size > XML_MAX_NAME_LENGTH) && | ||
390 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
391 | - xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); | ||
392 | - xmlFree(buf); | ||
393 | - return(NULL); | ||
394 | - } | ||
395 | size *= 2; | ||
396 | tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); | ||
397 | if (tmp == NULL) { | ||
398 | @@ -4351,6 +4357,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { | ||
399 | SHRINK; | ||
400 | cur = CUR; | ||
401 | } | ||
402 | + if (len > maxLength) { | ||
403 | + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); | ||
404 | + xmlFree(buf); | ||
405 | + return(NULL); | ||
406 | + } | ||
407 | } | ||
408 | buf[len] = 0; | ||
409 | if (cur != stop) { | ||
410 | @@ -4750,6 +4761,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, | ||
411 | int r, rl; | ||
412 | int cur, l; | ||
413 | size_t count = 0; | ||
414 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
415 | + XML_MAX_HUGE_LENGTH : | ||
416 | + XML_MAX_TEXT_LENGTH; | ||
417 | int inputid; | ||
418 | |||
419 | inputid = ctxt->input->id; | ||
420 | @@ -4795,13 +4809,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, | ||
421 | if ((r == '-') && (q == '-')) { | ||
422 | xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); | ||
423 | } | ||
424 | - if ((len > XML_MAX_TEXT_LENGTH) && | ||
425 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
426 | - xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, | ||
427 | - "Comment too big found", NULL); | ||
428 | - xmlFree (buf); | ||
429 | - return; | ||
430 | - } | ||
431 | if (len + 5 >= size) { | ||
432 | xmlChar *new_buf; | ||
433 | size_t new_size; | ||
434 | @@ -4839,6 +4846,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, | ||
435 | GROW; | ||
436 | cur = CUR_CHAR(l); | ||
437 | } | ||
438 | + | ||
439 | + if (len > maxLength) { | ||
440 | + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, | ||
441 | + "Comment too big found", NULL); | ||
442 | + xmlFree (buf); | ||
443 | + return; | ||
444 | + } | ||
445 | } | ||
446 | buf[len] = 0; | ||
447 | if (cur == 0) { | ||
448 | @@ -4883,6 +4897,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { | ||
449 | xmlChar *buf = NULL; | ||
450 | size_t size = XML_PARSER_BUFFER_SIZE; | ||
451 | size_t len = 0; | ||
452 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
453 | + XML_MAX_HUGE_LENGTH : | ||
454 | + XML_MAX_TEXT_LENGTH; | ||
455 | xmlParserInputState state; | ||
456 | const xmlChar *in; | ||
457 | size_t nbchar = 0; | ||
458 | @@ -4966,8 +4983,7 @@ get_more: | ||
459 | buf[len] = 0; | ||
460 | } | ||
461 | } | ||
462 | - if ((len > XML_MAX_TEXT_LENGTH) && | ||
463 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
464 | + if (len > maxLength) { | ||
465 | xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, | ||
466 | "Comment too big found", NULL); | ||
467 | xmlFree (buf); | ||
468 | @@ -5167,6 +5183,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { | ||
469 | xmlChar *buf = NULL; | ||
470 | size_t len = 0; | ||
471 | size_t size = XML_PARSER_BUFFER_SIZE; | ||
472 | + size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
473 | + XML_MAX_HUGE_LENGTH : | ||
474 | + XML_MAX_TEXT_LENGTH; | ||
475 | int cur, l; | ||
476 | const xmlChar *target; | ||
477 | xmlParserInputState state; | ||
478 | @@ -5242,14 +5261,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { | ||
479 | return; | ||
480 | } | ||
481 | count = 0; | ||
482 | - if ((len > XML_MAX_TEXT_LENGTH) && | ||
483 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
484 | - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, | ||
485 | - "PI %s too big found", target); | ||
486 | - xmlFree(buf); | ||
487 | - ctxt->instate = state; | ||
488 | - return; | ||
489 | - } | ||
490 | } | ||
491 | COPY_BUF(l,buf,len,cur); | ||
492 | NEXTL(l); | ||
493 | @@ -5259,15 +5270,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { | ||
494 | GROW; | ||
495 | cur = CUR_CHAR(l); | ||
496 | } | ||
497 | + if (len > maxLength) { | ||
498 | + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, | ||
499 | + "PI %s too big found", target); | ||
500 | + xmlFree(buf); | ||
501 | + ctxt->instate = state; | ||
502 | + return; | ||
503 | + } | ||
504 | } | ||
505 | - if ((len > XML_MAX_TEXT_LENGTH) && | ||
506 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
507 | - xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, | ||
508 | - "PI %s too big found", target); | ||
509 | - xmlFree(buf); | ||
510 | - ctxt->instate = state; | ||
511 | - return; | ||
512 | - } | ||
513 | buf[len] = 0; | ||
514 | if (cur != '?') { | ||
515 | xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, | ||
516 | @@ -8959,6 +8969,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
517 | const xmlChar *in = NULL, *start, *end, *last; | ||
518 | xmlChar *ret = NULL; | ||
519 | int line, col; | ||
520 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
521 | + XML_MAX_HUGE_LENGTH : | ||
522 | + XML_MAX_TEXT_LENGTH; | ||
523 | |||
524 | GROW; | ||
525 | in = (xmlChar *) CUR_PTR; | ||
526 | @@ -8998,8 +9011,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
527 | start = in; | ||
528 | if (in >= end) { | ||
529 | GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) | ||
530 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
531 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
532 | + if ((in - start) > maxLength) { | ||
533 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
534 | "AttValue length too long\n"); | ||
535 | return(NULL); | ||
536 | @@ -9012,8 +9024,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
537 | if ((*in++ == 0x20) && (*in == 0x20)) break; | ||
538 | if (in >= end) { | ||
539 | GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) | ||
540 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
541 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
542 | + if ((in - start) > maxLength) { | ||
543 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
544 | "AttValue length too long\n"); | ||
545 | return(NULL); | ||
546 | @@ -9046,16 +9057,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
547 | last = last + delta; | ||
548 | } | ||
549 | end = ctxt->input->end; | ||
550 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
551 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
552 | + if ((in - start) > maxLength) { | ||
553 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
554 | "AttValue length too long\n"); | ||
555 | return(NULL); | ||
556 | } | ||
557 | } | ||
558 | } | ||
559 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
560 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
561 | + if ((in - start) > maxLength) { | ||
562 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
563 | "AttValue length too long\n"); | ||
564 | return(NULL); | ||
565 | @@ -9068,8 +9077,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
566 | col++; | ||
567 | if (in >= end) { | ||
568 | GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) | ||
569 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
570 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
571 | + if ((in - start) > maxLength) { | ||
572 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
573 | "AttValue length too long\n"); | ||
574 | return(NULL); | ||
575 | @@ -9077,8 +9085,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, | ||
576 | } | ||
577 | } | ||
578 | last = in; | ||
579 | - if (((in - start) > XML_MAX_TEXT_LENGTH) && | ||
580 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
581 | + if ((in - start) > maxLength) { | ||
582 | xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, | ||
583 | "AttValue length too long\n"); | ||
584 | return(NULL); | ||
585 | @@ -9768,6 +9775,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { | ||
586 | int s, sl; | ||
587 | int cur, l; | ||
588 | int count = 0; | ||
589 | + int maxLength = (ctxt->options & XML_PARSE_HUGE) ? | ||
590 | + XML_MAX_HUGE_LENGTH : | ||
591 | + XML_MAX_TEXT_LENGTH; | ||
592 | |||
593 | /* Check 2.6.0 was NXT(0) not RAW */ | ||
594 | if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { | ||
595 | @@ -9801,13 +9811,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { | ||
596 | if (len + 5 >= size) { | ||
597 | xmlChar *tmp; | ||
598 | |||
599 | - if ((size > XML_MAX_TEXT_LENGTH) && | ||
600 | - ((ctxt->options & XML_PARSE_HUGE) == 0)) { | ||
601 | - xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, | ||
602 | - "CData section too big found", NULL); | ||
603 | - xmlFree (buf); | ||
604 | - return; | ||
605 | - } | ||
606 | tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); | ||
607 | if (tmp == NULL) { | ||
608 | xmlFree(buf); | ||
609 | @@ -9834,6 +9837,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { | ||
610 | } | ||
611 | NEXTL(l); | ||
612 | cur = CUR_CHAR(l); | ||
613 | + if (len > maxLength) { | ||
614 | + xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, | ||
615 | + "CData section too big found\n"); | ||
616 | + xmlFree(buf); | ||
617 | + return; | ||
618 | + } | ||
619 | } | ||
620 | buf[len] = 0; | ||
621 | ctxt->instate = XML_PARSER_CONTENT; | ||
622 | -- | ||
623 | 2.25.1 | ||
624 | |||
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 0000000000..b24be03315 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch | |||
@@ -0,0 +1,106 @@ | |||
1 | From cde95d801abc9405ca821ad814c7730333328d96 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Wellnhofer <wellnhofer@aevum.de> | ||
3 | Date: Wed, 31 Aug 2022 22:11:25 +0200 | ||
4 | Subject: [PATCH] CVE-2022-40304 | ||
5 | |||
6 | Fix dict corruption caused by entity reference cycles | ||
7 | |||
8 | When an entity reference cycle is detected, the entity content is | ||
9 | cleared by setting its first byte to zero. But the entity content might | ||
10 | be allocated from a dict. In this case, the dict entry becomes corrupted | ||
11 | leading to all kinds of logic errors, including memory errors like | ||
12 | double-frees. | ||
13 | |||
14 | Stop storing entity content, orig, ExternalID and SystemID in a dict. | ||
15 | These values are unlikely to occur multiple times in a document, so they | ||
16 | shouldn't have been stored in a dict in the first place. | ||
17 | |||
18 | Thanks to Ned Williamson and Nathan Wachholz working with Google Project | ||
19 | Zero for the report! | ||
20 | |||
21 | Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b] | ||
22 | CVE: CVE-2022-40304 | ||
23 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
24 | --- | ||
25 | entities.c | 55 ++++++++++++++++-------------------------------------- | ||
26 | 1 file changed, 16 insertions(+), 39 deletions(-) | ||
27 | |||
28 | diff --git a/entities.c b/entities.c | ||
29 | index 1a8f86f..ec1b9a7 100644 | ||
30 | --- a/entities.c | ||
31 | +++ b/entities.c | ||
32 | @@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity) | ||
33 | if ((entity->children) && (entity->owner == 1) && | ||
34 | (entity == (xmlEntityPtr) entity->children->parent)) | ||
35 | xmlFreeNodeList(entity->children); | ||
36 | - if (dict != NULL) { | ||
37 | - if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) | ||
38 | - xmlFree((char *) entity->name); | ||
39 | - if ((entity->ExternalID != NULL) && | ||
40 | - (!xmlDictOwns(dict, entity->ExternalID))) | ||
41 | - xmlFree((char *) entity->ExternalID); | ||
42 | - if ((entity->SystemID != NULL) && | ||
43 | - (!xmlDictOwns(dict, entity->SystemID))) | ||
44 | - xmlFree((char *) entity->SystemID); | ||
45 | - if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) | ||
46 | - xmlFree((char *) entity->URI); | ||
47 | - if ((entity->content != NULL) | ||
48 | - && (!xmlDictOwns(dict, entity->content))) | ||
49 | - xmlFree((char *) entity->content); | ||
50 | - if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) | ||
51 | - xmlFree((char *) entity->orig); | ||
52 | - } else { | ||
53 | - if (entity->name != NULL) | ||
54 | - xmlFree((char *) entity->name); | ||
55 | - if (entity->ExternalID != NULL) | ||
56 | - xmlFree((char *) entity->ExternalID); | ||
57 | - if (entity->SystemID != NULL) | ||
58 | - xmlFree((char *) entity->SystemID); | ||
59 | - if (entity->URI != NULL) | ||
60 | - xmlFree((char *) entity->URI); | ||
61 | - if (entity->content != NULL) | ||
62 | - xmlFree((char *) entity->content); | ||
63 | - if (entity->orig != NULL) | ||
64 | - xmlFree((char *) entity->orig); | ||
65 | - } | ||
66 | + if ((entity->name != NULL) && | ||
67 | + ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) | ||
68 | + xmlFree((char *) entity->name); | ||
69 | + if (entity->ExternalID != NULL) | ||
70 | + xmlFree((char *) entity->ExternalID); | ||
71 | + if (entity->SystemID != NULL) | ||
72 | + xmlFree((char *) entity->SystemID); | ||
73 | + if (entity->URI != NULL) | ||
74 | + xmlFree((char *) entity->URI); | ||
75 | + if (entity->content != NULL) | ||
76 | + xmlFree((char *) entity->content); | ||
77 | + if (entity->orig != NULL) | ||
78 | + xmlFree((char *) entity->orig); | ||
79 | xmlFree(entity); | ||
80 | } | ||
81 | |||
82 | @@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, | ||
83 | ret->SystemID = xmlStrdup(SystemID); | ||
84 | } else { | ||
85 | ret->name = xmlDictLookup(dict, name, -1); | ||
86 | - if (ExternalID != NULL) | ||
87 | - ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); | ||
88 | - if (SystemID != NULL) | ||
89 | - ret->SystemID = xmlDictLookup(dict, SystemID, -1); | ||
90 | + ret->ExternalID = xmlStrdup(ExternalID); | ||
91 | + ret->SystemID = xmlStrdup(SystemID); | ||
92 | } | ||
93 | if (content != NULL) { | ||
94 | ret->length = xmlStrlen(content); | ||
95 | - if ((dict != NULL) && (ret->length < 5)) | ||
96 | - ret->content = (xmlChar *) | ||
97 | - xmlDictLookup(dict, content, ret->length); | ||
98 | - else | ||
99 | - ret->content = xmlStrndup(content, ret->length); | ||
100 | + ret->content = xmlStrndup(content, ret->length); | ||
101 | } else { | ||
102 | ret->length = 0; | ||
103 | ret->content = NULL; | ||
104 | -- | ||
105 | 2.25.1 | ||
106 | |||
diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 519985bbae..fffe7dda98 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb | |||
@@ -23,6 +23,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te | |||
23 | file://remove-fuzz-from-ptests.patch \ | 23 | file://remove-fuzz-from-ptests.patch \ |
24 | file://libxml-m4-use-pkgconfig.patch \ | 24 | file://libxml-m4-use-pkgconfig.patch \ |
25 | file://0001-Port-gentest.py-to-Python-3.patch \ | 25 | file://0001-Port-gentest.py-to-Python-3.patch \ |
26 | file://CVE-2022-40303.patch \ | ||
27 | file://CVE-2022-40304.patch \ | ||
26 | " | 28 | " |
27 | 29 | ||
28 | SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" | 30 | SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" |