Diffstat (limited to 'meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch')
-rw-r--r--meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch138
1 files changed, 138 insertions, 0 deletions
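diff --git a/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch b/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch
new file mode 100644
index 0000000..a86b9ee
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/Fix-a-bug-on-name-parsing-at-the-end-of-current-input.patch
@@ -0,0 +1,138 @@
+From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 15 Sep 2015 16:50:32 +0800
+Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=754946
+
+When hitting the end of the current input buffer while parsing
+a name we could end up loosing the beginning of the name, which
+led to various issues.
+
+Upstream-Status: backport
+
+Depend patch for CVE-2015-7500
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ parser.c | 29 ++++++++++++++++++++---------
+ result/errors/754946.xml | 0
+ result/errors/754946.xml.err | 16 ++++++++++++++++
+ result/errors/754946.xml.str | 4 ++++
+ test/errors/754946.xml | 1 +
+ 5 files changed, 41 insertions(+), 9 deletions(-)
+ create mode 100644 result/errors/754946.xml
+ create mode 100644 result/errors/754946.xml.err
+ create mode 100644 result/errors/754946.xml.str
+ create mode 100644 test/errors/754946.xml
+
+diff --git a/parser.c b/parser.c
+index 0edd53b..fd29a39 100644
+--- a/parser.c
++++ b/parser.c
+@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ if (c == 0) {
+ count = 0;
++ /*
++ * when shrinking to extend the buffer we really need to preserve
++ * the part of the name we already parsed. Hence rolling back
++ * by current lenght.
++ */
++ ctxt->input->cur -= l;
+ GROW;
++ ctxt->input->cur += l;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ end = ctxt->input->cur;
+@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+
+ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+- const xmlChar *in;
++ const xmlChar *in, *e;
+ const xmlChar *ret;
+ int count = 0;
+
+@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ * Accelerator for simple ASCII names
+ */
+ in = ctxt->input->cur;
+- if (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- (*in == '_')) {
++ e = ctxt->input->end;
++ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ (*in == '_')) && (in < e)) {
+ in++;
+- while (((*in >= 0x61) && (*in <= 0x7A)) ||
+- ((*in >= 0x41) && (*in <= 0x5A)) ||
+- ((*in >= 0x30) && (*in <= 0x39)) ||
+- (*in == '_') || (*in == '-') ||
+- (*in == '.'))
++ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
++ ((*in >= 0x41) && (*in <= 0x5A)) ||
++ ((*in >= 0x30) && (*in <= 0x39)) ||
++ (*in == '_') || (*in == '-') ||
++ (*in == '.')) && (in < e))
+ in++;
++ if (in >= e)
++ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+ if ((count > XML_MAX_NAME_LENGTH) &&
+@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ return(ret);
+ }
+ }
++complex:
+ return(xmlParseNCNameComplex(ctxt));
+ }
+
+diff --git a/result/errors/754946.xml b/result/errors/754946.xml
+new file mode 100644
+index 0000000..e69de29
+diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
+new file mode 100644
+index 0000000..423dff5
+--- /dev/null
++++ b/result/errors/754946.xml.err
+@@ -0,0 +1,16 @@
++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
++
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++Entity: line 1: parser error : DOCTYPE improperly terminated
++ %SYSTEM;
++ ^
++Entity: line 1:
++A<lbbbbbbbbbbbbbbbbbbb_
++^
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
+diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
+new file mode 100644
+index 0000000..3b748cc
+--- /dev/null
++++ b/result/errors/754946.xml.str
+@@ -0,0 +1,4 @@
++./test/errors/754946.xml:1: parser error : Extra content at the end of the document
++<!DOCTYPEA[<!ENTITY %
++ ^
++./test/errors/754946.xml : failed to parse
+diff --git a/test/errors/754946.xml b/test/errors/754946.xml
+new file mode 100644
+index 0000000..6b5f9b0
+--- /dev/null
++++ b/test/errors/754946.xml
+@@ -0,0 +1 @@
++<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![
+\ No newline at end of file
+--
+2.3.5
+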
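Review bot: In the embedded parser.c change to xmlParseNCName, the new `(in < e)` test is placed last in both the `if` and the `while` conditions, so `*in` is dereferenced before the bound is checked. That read stays in bounds only if the input buffer always has a readable byte at `ctxt->input->end` (presumably a terminator, which these hunks do not show). Putting the bound first makes the guard effective on its own, for example `if ((in < e) && (((*in >= 0x61) && (*in <= 0x7A)) ||` and the same reordering for the `while`. If the backport must stay identical to upstream, a comment such as `/* relies on the input buffer being terminated at input->end */` above `e = ctxt->input->end;` would record the assumption. The body of xmlParseNCName continues outside the quoted hunks.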