Diffstat (limited to 'meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch')
-rw-r--r-- | meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch | 104 |
1 files changed, 104 insertions, 0 deletions
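--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,104 @@
+From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 22:11:25 +0200
+Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
+reference cycles
+
+When an entity reference cycle is detected, the entity content is
+cleared by setting its first byte to zero. But the entity content might
+be allocated from a dict. In this case, the dict entry becomes corrupted
+leading to all kinds of logic errors, including memory errors like
+double-frees.
+
+Stop storing entity content, orig, ExternalID and SystemID in a dict.
+These values are unlikely to occur multiple times in a document, so they
+shouldn't have been stored in a dict in the first place.
+
+Thanks to Ned Williamson and Nathan Wachholz working with Google Project
+Zero for the report!
+
+CVE: CVE-2022-40304
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+entities.c | 55 ++++++++++++++++--------------------------------------
+1 file changed, 16 insertions(+), 39 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 84435515..d4e5412e 100644
+--- a/entities.c
++++ b/entities.c
+@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
+if ((entity->children) && (entity->owner == 1) &&
+(entity == (xmlEntityPtr) entity->children->parent))
+xmlFreeNodeList(entity->children);
+- if (dict != NULL) {
+- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
+- xmlFree((char *) entity->name);
+- if ((entity->ExternalID != NULL) &&
+- (!xmlDictOwns(dict, entity->ExternalID)))
+- xmlFree((char *) entity->ExternalID);
+- if ((entity->SystemID != NULL) &&
+- (!xmlDictOwns(dict, entity->SystemID)))
+- xmlFree((char *) entity->SystemID);
+- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
+- xmlFree((char *) entity->URI);
+- if ((entity->content != NULL)
+- && (!xmlDictOwns(dict, entity->content)))
+- xmlFree((char *) entity->content);
+- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
+- xmlFree((char *) entity->orig);
+- } else {
+- if (entity->name != NULL)
+- xmlFree((char *) entity->name);
+- if (entity->ExternalID != NULL)
+- xmlFree((char *) entity->ExternalID);
+- if (entity->SystemID != NULL)
+- xmlFree((char *) entity->SystemID);
+- if (entity->URI != NULL)
+- xmlFree((char *) entity->URI);
+- if (entity->content != NULL)
+- xmlFree((char *) entity->content);
+- if (entity->orig != NULL)
+- xmlFree((char *) entity->orig);
+- }
++ if ((entity->name != NULL) &&
++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
++ xmlFree((char *) entity->name);
++ if (entity->ExternalID != NULL)
++ xmlFree((char *) entity->ExternalID);
++ if (entity->SystemID != NULL)
++ xmlFree((char *) entity->SystemID);
++ if (entity->URI != NULL)
++ xmlFree((char *) entity->URI);
++ if (entity->content != NULL)
++ xmlFree((char *) entity->content);
++ if (entity->orig != NULL)
++ xmlFree((char *) entity->orig);
+xmlFree(entity);
+}
+
+@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
+ret->SystemID = xmlStrdup(SystemID);
+} else {
+ret->name = xmlDictLookup(dict, name, -1);
+- if (ExternalID != NULL)
+- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
+- if (SystemID != NULL)
+- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
++ ret->ExternalID = xmlStrdup(ExternalID);
++ ret->SystemID = xmlStrdup(SystemID);
+}
+if (content != NULL) {
+ret->length = xmlStrlen(content);
+- if ((dict != NULL) && (ret->length < 5))
+- ret->content = (xmlChar *)
+- xmlDictLookup(dict, content, ret->length);
+- else
+- ret->content = xmlStrndup(content, ret->length);
++ ret->content = xmlStrndup(content, ret->length);
+} else {
+ret->length = 0;
+ret->content = NULL;
+--
+GitLab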
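Review bot: The rewritten xmlFreeEntity block (new-file lines 65–77) frees `entity->URI` unconditionally, dropping the `xmlDictOwns(dict, entity->URI)` guard the removed code had, while the description only lists content, orig, ExternalID and SystemID as the fields moved out of the dict. If URI is never dict-allocated — plausible, since the xmlCreateEntity hunk below does not assign it at all — the free is correct, but the ownership rule is now implicit and a future change that interns any of these strings would silently turn it into an invalid free. A one-line comment above the name check, `/* only name may be dict-owned; every other string is owned by the entity */`, would record the invariant the fix relies on. Both inner hunks are partial: xmlFreeEntity begins before the first hunk and xmlCreateEntity continues past the second, so whether the `xmlStrdup`/`xmlStrndup` results are NULL-checked is not visible here.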