Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch | 131 |
1 files changed, 131 insertions, 0 deletions
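--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+entities boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+This slightly modifies the output of 754946 in regression tests
+
+Upstream-Status: Backport
+
+CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+parser.c | 28 ++++++++++++++++++++++------
+result/errors/754946.xml.err | 7 +++++--
+2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+const xmlChar **atts = ctxt->atts;
+int maxatts = ctxt->maxatts;
+int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol;
++ int i, j, nbNs, attval, oldline, oldcol, inputNr;
+const xmlChar *base;
+unsigned long cur;
+int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+SHRINK;
+base = ctxt->input->base;
+cur = ctxt->input->cur - ctxt->input->base;
++ inputNr = ctxt->inputNr;
+oldline = ctxt->input->line;
+oldcol = ctxt->input->col;
+nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+*/
+SKIP_BLANKS;
+GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+
+while (((RAW != '>') &&
+((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+
+attname = xmlParseAttribute2(ctxt, prefix, localname,
+&aprefix, &attvalue, &len, &alloc);
+- if (ctxt->input->base != base) {
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+if ((attvalue != NULL) && (alloc != 0))
+xmlFree(attvalue);
+attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+break;
+}
+SKIP_BLANKS;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+continue;
+}
+
+@@ -9589,7 +9592,8 @@ failed:
+GROW
+if (ctxt->instate == XML_PARSER_EOF)
+break;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+break;
+if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+break;
+}
+GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+}
+
+/*
+@@ -9772,6 +9777,17 @@ base_changed:
+if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+xmlFree((xmlChar *) atts[i]);
+}
++
++ /*
++ * We can't switch from one entity to another in the middle
++ * of a start tag
++ */
++ if (inputNr != ctxt->inputNr) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++ "Start tag doesn't start and stop in the same entity\n");
++ return(NULL);
++ }
++
+ctxt->input->cur = ctxt->input->base + cur;
+ctxt->input->line = oldline;
+ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
++++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+Entity: line 1:
+A<lbbbbbbbbbbbbbbbbbbb_
+^
++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
++>%SYSTEM;<![
++ ^
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+- ^
++>%SYSTEM;<![
++ ^
+--
+2.3.5
+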
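Review bot: The new early `return(NULL)` under `base_changed` runs after the attribute-value frees but before the rest of the recovery path, so nothing in the hunk unwinds namespace entries pushed onto the context during this attempt back to the `nsNr` captured at entry (line `int nsNr = ctxt->nsNr;`), and the saved `cur`/`oldline`/`oldcol` are deliberately not restored because the input they index was popped. If the tail of `base_changed`, which lies outside the hunk, is what normally restores the namespace count on the `goto reparse` path, the error exit should do the same, e.g. `ctxt->nsNr = nsNr;` (or the file's nsPop equivalent) placed before `return(NULL);`, otherwise a recovery-mode parse that continues after the fatal error sees stale bindings. Note also that `xmlFatalErrMsg` flags the document as not well-formed but does not by itself stop the parser; the callers of `xmlParseStartTag2` must treat the NULL return as a hard stop, which this patch cannot show. The enclosing function `xmlParseStartTag2` starts and ends outside the hunks.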