From 7d7ac87831a4be45c9038ac2035582de0c1887d8 Mon Sep 17 00:00:00 2001 From: Fan Xin Date: Fri, 26 May 2017 11:39:06 +0900 Subject: libxslt: Fix CVE-2017-5029 Backport upstream patch to fix CVE-2017-5029. (From OE-Core rev: 5266e74c990df1cf965d162d9695eb5a698883ae) (From OE-Core rev: 172f76a1a43921d92a385d6d123dffaf27eb368f) Signed-off-by: Fan Xin Signed-off-by: Richard Purdie --- ...for-integer-overflow-in-xsltAddTextString.patch | 80 ++++++++++++++++++++++ meta/recipes-support/libxslt/libxslt_1.1.29.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch diff --git a/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch new file mode 100644 index 0000000000..57aaacc587 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/0001-Check-for-integer-overflow-in-xsltAddTextString.patch @@ -0,0 +1,80 @@ +From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 12 Jan 2017 15:39:52 +0100 +Subject: [PATCH] Check for integer overflow in xsltAddTextString + +Limit buffer size in xsltAddTextString to INT_MAX. The issue can be +exploited to trigger an out of bounds write on 64-bit systems. + +Originally reported to Chromium: + +https://crbug.com/676623 + +CVE: CVE-2017-5029 +Upstream-Status: Backport + +Signed-off-by: Fan Xin + +--- + libxslt/transform.c | 25 ++++++++++++++++++++++--- + libxslt/xsltInternals.h | 4 ++-- + 2 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 519133f..02bff34 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, + return(target); + + if (ctxt->lasttext == target->content) { ++ int minSize; + +- if (ctxt->lasttuse + len >= ctxt->lasttsize) { ++ /* Check for integer overflow accounting for NUL terminator. */ ++ if (len >= INT_MAX - ctxt->lasttuse) { ++ xsltTransformError(ctxt, NULL, target, ++ "xsltCopyText: text allocation failed\n"); ++ return(NULL); ++ } ++ minSize = ctxt->lasttuse + len + 1; ++ ++ if (ctxt->lasttsize < minSize) { + xmlChar *newbuf; + int size; ++ int extra; ++ ++ /* Double buffer size but increase by at least 100 bytes. */ ++ extra = minSize < 100 ? 100 : minSize; ++ ++ /* Check for integer overflow. */ ++ if (extra > INT_MAX - ctxt->lasttsize) { ++ size = INT_MAX; ++ } ++ else { ++ size = ctxt->lasttsize + extra; ++ } + +- size = ctxt->lasttsize + len + 100; +- size *= 2; + newbuf = (xmlChar *) xmlRealloc(target->content,size); + if (newbuf == NULL) { + xsltTransformError(ctxt, NULL, target, +diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h +index 060b178..5ad1771 100644 +--- a/libxslt/xsltInternals.h ++++ b/libxslt/xsltInternals.h +@@ -1754,8 +1754,8 @@ struct _xsltTransformContext { + * Speed optimization when coalescing text nodes + */ + const xmlChar *lasttext; /* last text node content */ +- unsigned int lasttsize; /* last text node size */ +- unsigned int lasttuse; /* last text node use */ ++ int lasttsize; /* last text node size */ ++ int lasttuse; /* last text node use */ + /* + * Per Context Debugging + */ +-- +1.9.1 + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.29.bb b/meta/recipes-support/libxslt/libxslt_1.1.29.bb index 2946a745e9..d27c706602 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.29.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.29.bb @@ -12,6 +12,7 @@ SRC_URI = "ftp://xmlsoft.org/libxslt/libxslt-${PV}.tar.gz \ file://pkgconfig_fix.patch \ file://0001-Use-pkg-config-to-find-gcrypt-and-libxml2.patch \ file://0001-Link-libraries-with-libm.patch \ + file://0001-Check-for-integer-overflow-in-xsltAddTextString.patch \ " SRC_URI[md5sum] = "a129d3c44c022de3b9dcf6d6f288d72e" -- cgit v1.2.3-54-g00ecf