Diffstat (limited to 'meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch | 138 |
1 files changed, 138 insertions, 0 deletions
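--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+
+Upstream-Status: backport
+
+Depend patch for CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+parser.c | 29 ++++++++++++++++++++---------
+result/errors/754946.xml | 0
+result/errors/754946.xml.err | 16 ++++++++++++++++
+result/errors/754946.xml.str | 4 ++++
+test/errors/754946.xml | 1 +
+5 files changed, 41 insertions(+), 9 deletions(-)
+create mode 100644 result/errors/754946.xml
+create mode 100644 result/errors/754946.xml.err
+create mode 100644 result/errors/754946.xml.str
+create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+c = CUR_CHAR(l);
+if (c == 0) {
+count = 0;
++ /*
++ * when shrinking to extend the buffer we really need to preserve
++ * the part of the name we already parsed. Hence rolling back
++ * by current lenght.
++ */
++ ctxt->input->cur -= l;
+GROW;
++ ctxt->input->cur += l;
+if (ctxt->instate == XML_PARSER_EOF)
+return(NULL);
+end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+
+static const xmlChar *
+xmlParseNCName(xmlParserCtxtPtr ctxt) {
+- const xmlChar *in;
++ const xmlChar *in, *e;
+const xmlChar *ret;
+int count = 0;
+
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+* Accelerator for simple ASCII names
+*/
+in = ctxt->input->cur;
+- if (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- (*in == '_')) {
++ e = ctxt->input->end;
++ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ (*in == '_')) && (in < e)) {
+in++;
+- while (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- ((*in >= 0x30) && (*in <= 0x39)) ||
+- (*in == '_') || (*in == '-') ||
+- (*in == '.'))
++ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ ((*in >= 0x30) && (*in <= 0x39)) ||
++ (*in == '_') || (*in == '-') ||
++ (*in == '.')) && (in < e))
+in++;
++ if (in >= e)
++ goto complex;
+if ((*in > 0) && (*in < 0x80)) {
+count = in - ctxt->input->cur;
+if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+return(ret);
+}
+}
++complex:
+return(xmlParseNCNameComplex(ctxt));
+}
+
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![
+\ No newline at end of file
+--
+2.3.5
+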
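Review bot: In the `xmlParseNCName` fast path the new `(in < e)` test is the right-hand operand of `&&`, so `*in` is still read before the pointer is compared with `ctxt->input->end`, both in the opening `if` and in the `while` loop. Putting the bound first, as in `if ((in < e) && (((*in >= 0x61) && (*in <= 0x7A)) || ...))` and `while ((in < e) && (...))`, makes the guard effective without relying on the byte at `end` being readable, which cannot be confirmed from these hunks. Because this is a backport that a later CVE-2015-7500 patch depends on, it may be preferable to keep the code identical to upstream and record the caveat in the patch header instead. The header tag would also follow the usual OE-Core form if written as `Upstream-Status: Backport` followed by a reference to the upstream commit. The body of `xmlParseNCNameComplex`, including what `GROW` does to `ctxt->input->cur` between the `-= l` and `+= l` lines, lies outside the hunk and was not reviewed.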