path: root/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch')
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch131
1 files changed, 131 insertions, 0 deletions
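--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
@@ -0,0 +1,131 @@
+From f1063fdbe7fa66332bbb76874101c2a7b51b519f Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 16:06:59 +0800
+Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect
+ entities boundaries
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756525
+handle properly the case where we popped out of the current entity
+while processing a start tag
+Reported by Kostya Serebryany @ Google
+
+This slightly modifies the output of 754946 in regression tests
+
+Upstream-Status: Backport
+
+CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 28 ++++++++++++++++++++++------
+ result/errors/754946.xml.err | 7 +++++--
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index c7e4574..c5741e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -9348,7 +9348,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,
+ const xmlChar **atts = ctxt->atts;
+ int maxatts = ctxt->maxatts;
+ int nratts, nbatts, nbdef;
+- int i, j, nbNs, attval, oldline, oldcol;
++ int i, j, nbNs, attval, oldline, oldcol, inputNr;
+ const xmlChar *base;
+ unsigned long cur;
+ int nsNr = ctxt->nsNr;
+@@ -9367,6 +9367,7 @@ reparse:
+ SHRINK;
+ base = ctxt->input->base;
+ cur = ctxt->input->cur - ctxt->input->base;
++ inputNr = ctxt->inputNr;
+ oldline = ctxt->input->line;
+ oldcol = ctxt->input->col;
+ nbatts = 0;
+@@ -9392,7 +9393,8 @@ reparse:
+ */
+ SKIP_BLANKS;
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+
+ while (((RAW != '>') &&
+ ((RAW != '/') || (NXT(1) != '>')) &&
+@@ -9403,7 +9405,7 @@ reparse:
+
+ attname = xmlParseAttribute2(ctxt, prefix, localname,
+ &aprefix, &attvalue, &len, &alloc);
+- if (ctxt->input->base != base) {
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {
+ if ((attvalue != NULL) && (alloc != 0))
+ xmlFree(attvalue);
+ attvalue = NULL;
+@@ -9552,7 +9554,8 @@ skip_ns:
+ break;
+ }
+ SKIP_BLANKS;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ continue;
+ }
+
+@@ -9589,7 +9592,8 @@ failed:
+ GROW
+ if (ctxt->instate == XML_PARSER_EOF)
+ break;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
+ break;
+ if (!IS_BLANK_CH(RAW)) {
+@@ -9605,7 +9609,8 @@ failed:
+ break;
+ }
+ GROW;
+- if (ctxt->input->base != base) goto base_changed;
++ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
++ goto base_changed;
+ }
+
+ /*
+@@ -9772,6 +9777,17 @@ base_changed:
+ if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))
+ xmlFree((xmlChar *) atts[i]);
+ }
++
++ /*
++ * We can't switch from one entity to another in the middle
++ * of a start tag
++ */
++ if (inputNr != ctxt->inputNr) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
++ "Start tag doesn't start and stop in the same entity\n");
++ return(NULL);
++ }
++
+ ctxt->input->cur = ctxt->input->base + cur;
+ ctxt->input->line = oldline;
+ ctxt->input->col = oldcol;
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+index 423dff5..a75088b 100644
+--- a/result/errors/754946.xml.err
++++ b/result/errors/754946.xml.err
+@@ -11,6 +11,9 @@ Entity: line 1: parser error : DOCTYPE improperly terminated
+ Entity: line 1:
+ A<lbbbbbbbbbbbbbbbbbbb_
+ ^
++./test/errors/754946.xml:1: parser error : Start tag doesn't start and stop in the same entity
++>%SYSTEM;<![
++ ^
+ ./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+-<!DOCTYPEA[<!ENTITY %
+- ^
++>%SYSTEM;<![
++ ^
+--
+2.3.5
+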
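Review bot: The diffstat lists only the new patch file, so unless a separate commit adds it to the libxml2 recipe's SRC_URI the CVE-2015-7500 fix is never applied to the build; confirm the recipe change lands with or before this one. The patch header also records the CVE as a bare `CVE-2015-7500` line rather than the `CVE: CVE-2015-7500` tag form the OE patch guidelines ask for; the filename carries the id, so name-based matching should still find it, but the tag form is the documented convention and costs one word. On the code side the backport appears self-consistent: every `ctxt->input->base != base` bail-out in xmlParseStartTag2 now also compares `inputNr`, and the base_changed path returns NULL with XML_ERR_ENTITY_BOUNDARY before the cursor is rewound into the old input, which is what the header describes, so no further change is needed there.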