summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch80
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.29.bb1
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
new file mode 100644
index 0000000000..57aaacc587
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch
@@ -0,0 +1,80 @@
1From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Thu, 12 Jan 2017 15:39:52 +0100
4Subject: [PATCH] Check for integer overflow in xsltAddTextString
5
6Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
7exploited to trigger an out of bounds write on 64-bit systems.
8
9Originally reported to Chromium:
10
11https://crbug.com/676623
12
13CVE: CVE-2017-5029
14Upstream-Status: Backport
15
16Signed-off-by: Fan Xin <fan.xin@jp.fujitus.com>
17
18---
19 libxslt/transform.c | 25 ++++++++++++++++++++++---
20 libxslt/xsltInternals.h | 4 ++--
21 2 files changed, 24 insertions(+), 5 deletions(-)
22
23diff --git a/libxslt/transform.c b/libxslt/transform.c
24index 519133f..02bff34 100644
25--- a/libxslt/transform.c
26+++ b/libxslt/transform.c
27@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
28 return(target);
29
30 if (ctxt->lasttext == target->content) {
31+ int minSize;
32
33- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
34+ /* Check for integer overflow accounting for NUL terminator. */
35+ if (len >= INT_MAX - ctxt->lasttuse) {
36+ xsltTransformError(ctxt, NULL, target,
37+ "xsltCopyText: text allocation failed\n");
38+ return(NULL);
39+ }
40+ minSize = ctxt->lasttuse + len + 1;
41+
42+ if (ctxt->lasttsize < minSize) {
43 xmlChar *newbuf;
44 int size;
45+ int extra;
46+
47+ /* Double buffer size but increase by at least 100 bytes. */
48+ extra = minSize < 100 ? 100 : minSize;
49+
50+ /* Check for integer overflow. */
51+ if (extra > INT_MAX - ctxt->lasttsize) {
52+ size = INT_MAX;
53+ }
54+ else {
55+ size = ctxt->lasttsize + extra;
56+ }
57
58- size = ctxt->lasttsize + len + 100;
59- size *= 2;
60 newbuf = (xmlChar *) xmlRealloc(target->content,size);
61 if (newbuf == NULL) {
62 xsltTransformError(ctxt, NULL, target,
63diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
64index 060b178..5ad1771 100644
65--- a/libxslt/xsltInternals.h
66+++ b/libxslt/xsltInternals.h
67@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
68 * Speed optimization when coalescing text nodes
69 */
70 const xmlChar *lasttext; /* last text node content */
71- unsigned int lasttsize; /* last text node size */
72- unsigned int lasttuse; /* last text node use */
73+ int lasttsize; /* last text node size */
74+ int lasttuse; /* last text node use */
75 /*
76 * Per Context Debugging
77 */
78--
791.9.1
80
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.29.bb b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
index 2946a745e9..d27c706602 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.29.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.29.bb
@@ -12,6 +12,7 @@ SRC_URI = "ftp://xmlsoft.org/libxslt/libxslt-${PV}.tar.gz \
12 file://pkgconfig_fix.patch \ 12 file://pkgconfig_fix.patch \
13 file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \ 13 file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \
14 file://0001-Link-libraries-with-libm.patch \ 14 file://0001-Link-libraries-with-libm.patch \
15 file://0001-Check-for-integer-overflow-in-xsltAddTextString.patch \
15 " 16 "
16 17
17SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e" 18SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e"