1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From bdd66182ef53fe1f7209ab6535fda56366bd7ac9 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 May 2016 12:27:58 +0800
Subject: [PATCH] Avoid building recursive entities
For https://bugzilla.gnome.org/show_bug.cgi?id=762100
When we detect a recusive entity we should really not
build the associated data, moreover if someone bypass
libxml2 fatal errors and still tries to serialize a broken
entity make sure we don't risk to get ito a recursion
* parser.c: xmlParserEntityCheck() don't build if entity loop
were found and remove the associated text content
* tree.c: xmlStringGetNodeList() avoid a potential recursion
Upstream-Status: Backport
CVE: CVE-2016-3627
Signed-off-by: Armin Kuster <akuster@mvsita.com
---
parser.c | 6 +++++-
tree.c | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index ea0e89e..53a6b7f 100644
--- a/parser.c
+++ b/parser.c
@@ -138,7 +138,8 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
* entities problems
*/
if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
- (ent->content != NULL) && (ent->checked == 0)) {
+ (ent->content != NULL) && (ent->checked == 0) &&
+ (ctxt->errNo != XML_ERR_ENTITY_LOOP)) {
unsigned long oldnbent = ctxt->nbentities;
xmlChar *rep;
@@ -148,6 +149,9 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
+ if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
+ ent->content[0] = 0;
+ }
ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
if (rep != NULL) {
diff --git a/tree.c b/tree.c
index 7fbca6e..9d330b8 100644
--- a/tree.c
+++ b/tree.c
@@ -1593,6 +1593,7 @@ xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
+ ent->children = (xmlNodePtr) -1;
ent->children = xmlStringGetNodeList(doc,
(const xmlChar*)node->content);
ent->owner = 1;
--
2.3.5
|
