Diffstat (limited to 'meta/recipes-core/expat/expat/CVE-2022-40674.patch')
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2022-40674.patch | 53 |
1 files changed, 53 insertions, 0 deletions
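--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+expat/lib/xmlparse.c | 13 +++++++++----
+1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+{
+parser->m_processor = contentProcessor;
+/* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+}
+}
+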
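Review bot: The `storeRawNames(parser)` call added after `doContent` in the xmlparse.c hunk has no comment saying why it must stay, so the memory-safety reason is recorded only in the patch description and a later rework of this return path could drop the call unnoticed. I would add a comment above the `if (result == XML_ERROR_NONE)` line, for example `/* copy raw tag names out of the parse buffer before returning; the buffer may be changed or reallocated before the next parse call */`. The body of internalEntityProcessor starts outside the hunk, so the declaration of `result` cannot be checked from here. This page is limited to the patch file itself, so it is worth confirming separately that the recipe lists the patch in SRC_URI and that it applies cleanly to the packaged expat version.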