gentleknife / rpms / expat

Forked from rpms/expat 4 years ago
Clone

Blame SOURCES/expat-2.2.5-CVE-2019-15903.patch

dd5dd7
dd5dd7
https://bugzilla.redhat.com/show_bug.cgi?id=1752592
dd5dd7
dd5dd7
https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
dd5dd7
dd5dd7
--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve15903
dd5dd7
+++ libexpat-R_2_2_5/expat/lib/xmlparse.c
dd5dd7
@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
dd5dd7
 static enum XML_Error
dd5dd7
 doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
dd5dd7
          const char *end, int tok, const char *next, const char **nextPtr,
dd5dd7
-         XML_Bool haveMore);
dd5dd7
+                               XML_Bool haveMore, XML_Bool allowClosingDoctype);
dd5dd7
 static enum XML_Error
dd5dd7
 processInternalEntity(XML_Parser parser, ENTITY *entity,
dd5dd7
                       XML_Bool betweenDecl);
dd5dd7
@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
dd5dd7
 
dd5dd7
   parser->m_processor = prologProcessor;
dd5dd7
   return doProlog(parser, parser->m_encoding, s, end, tok, next,
dd5dd7
-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
dd5dd7
+                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
dd5dd7
 }
dd5dd7
 
dd5dd7
 static enum XML_Error PTRCALL
dd5dd7
@@ -4268,19 +4268,13 @@ prologProcessor(XML_Parser parser,
dd5dd7
   const char *next = s;
dd5dd7
   int tok = XmlPrologTok(parser->m_encoding, s, end, &next;;
dd5dd7
   return doProlog(parser, parser->m_encoding, s, end, tok, next,
dd5dd7
-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
dd5dd7
+                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
dd5dd7
 }
dd5dd7
 
dd5dd7
 static enum XML_Error
dd5dd7
-doProlog(XML_Parser parser,
dd5dd7
-         const ENCODING *enc,
dd5dd7
-         const char *s,
dd5dd7
-         const char *end,
dd5dd7
-         int tok,
dd5dd7
-         const char *next,
dd5dd7
-         const char **nextPtr,
dd5dd7
-         XML_Bool haveMore)
dd5dd7
-{
dd5dd7
+doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
dd5dd7
+         int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
dd5dd7
+         XML_Bool allowClosingDoctype) {
dd5dd7
 #ifdef XML_DTD
dd5dd7
   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
dd5dd7
 #endif /* XML_DTD */
dd5dd7
@@ -4458,6 +4452,11 @@ doProlog(XML_Parser parser,
dd5dd7
       }
dd5dd7
       break;
dd5dd7
     case XML_ROLE_DOCTYPE_CLOSE:
dd5dd7
+      if (allowClosingDoctype != XML_TRUE) {
dd5dd7
+        /* Must not close doctype from within expanded parameter entities */
dd5dd7
+        return XML_ERROR_INVALID_TOKEN;
dd5dd7
+      }
dd5dd7
+
dd5dd7
       if (parser->m_doctypeName) {
dd5dd7
         parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
dd5dd7
                                 parser->m_doctypeSysid, parser->m_doctypePubid, 0);
dd5dd7
@@ -5395,7 +5394,7 @@ processInternalEntity(XML_Parser parser,
dd5dd7
   if (entity->is_param) {
dd5dd7
     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next;;
dd5dd7
     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
dd5dd7
-                      next, &next, XML_FALSE);
dd5dd7
+                      next, &next, XML_FALSE, XML_FALSE);
dd5dd7
   }
dd5dd7
   else
dd5dd7
 #endif /* XML_DTD */
dd5dd7
@@ -5442,7 +5441,7 @@ internalEntityProcessor(XML_Parser parse
dd5dd7
   if (entity->is_param) {
dd5dd7
     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next;;
dd5dd7
     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
dd5dd7
-                      next, &next, XML_FALSE);
dd5dd7
+                      next, &next, XML_FALSE, XML_TRUE);
dd5dd7
   }
dd5dd7
   else
dd5dd7
 #endif /* XML_DTD */
dd5dd7
@@ -5469,7 +5468,7 @@ internalEntityProcessor(XML_Parser parse
dd5dd7
     parser->m_processor = prologProcessor;
dd5dd7
     tok = XmlPrologTok(parser->m_encoding, s, end, &next;;
dd5dd7
     return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
dd5dd7
-                    (XML_Bool)!parser->m_parsingStatus.finalBuffer);
dd5dd7
+                    (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
dd5dd7
   }
dd5dd7
   else
dd5dd7
 #endif /* XML_DTD */
dd5dd7
--- libexpat-R_2_2_5/expat/tests/runtests.c.cve15903
dd5dd7
+++ libexpat-R_2_2_5/expat/tests/runtests.c
dd5dd7
@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
dd5dd7
     CharData_AppendXMLChars(storage, XCS("\n"), 1);
dd5dd7
 }
dd5dd7
 
dd5dd7
+#ifdef XML_DTD
dd5dd7
+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
dd5dd7
+  const char *const inputOne = "
dd5dd7
+                               "<d/>'>\n"
dd5dd7
+                               "\n"
dd5dd7
+                               "%e;";
dd5dd7
+  const char *const inputTwo = "
dd5dd7
+                               "<d/>'>\n"
dd5dd7
+                               "\n"
dd5dd7
+                               "%e2;";
dd5dd7
+  const char *const inputThree = "
dd5dd7
+                                 "<d'>\n"
dd5dd7
+                                 "\n"
dd5dd7
+                                 "%e;";
dd5dd7
+  const char *const inputIssue317 = "
dd5dd7
+                                    "\n"
dd5dd7
+                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
dd5dd7
+                                    "%foo;\n"
dd5dd7
+                                    "]>\n"
dd5dd7
+                                    "<doc>Hello, world</dVc>";
dd5dd7
+
dd5dd7
+  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
dd5dd7
+  size_t inputIndex = 0;
dd5dd7
+
dd5dd7
+  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
dd5dd7
+    XML_Parser parser;
dd5dd7
+    enum XML_Status parseResult;
dd5dd7
+    int setParamEntityResult;
dd5dd7
+    XML_Size lineNumber;
dd5dd7
+    XML_Size columnNumber;
dd5dd7
+    const char *const input = inputs[inputIndex];
dd5dd7
+
dd5dd7
+    parser = XML_ParserCreate(NULL);
dd5dd7
+    setParamEntityResult
dd5dd7
+        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
dd5dd7
+    if (setParamEntityResult != 1)
dd5dd7
+      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
dd5dd7
+
dd5dd7
+    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
dd5dd7
+    if (parseResult != XML_STATUS_ERROR) {
dd5dd7
+      parseResult = XML_Parse(parser, "", 0, 1);
dd5dd7
+      if (parseResult != XML_STATUS_ERROR) {
dd5dd7
+        fail("Parsing was expected to fail but succeeded.");
dd5dd7
+      }
dd5dd7
+    }
dd5dd7
+
dd5dd7
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
dd5dd7
+      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
dd5dd7
+
dd5dd7
+    lineNumber = XML_GetCurrentLineNumber(parser);
dd5dd7
+    if (lineNumber != 4)
dd5dd7
+      fail("XML_GetCurrentLineNumber does not work as expected.");
dd5dd7
+
dd5dd7
+    columnNumber = XML_GetCurrentColumnNumber(parser);
dd5dd7
+    if (columnNumber != 0)
dd5dd7
+      fail("XML_GetCurrentColumnNumber does not work as expected.");
dd5dd7
+
dd5dd7
+    XML_ParserFree(parser);
dd5dd7
+  }
dd5dd7
+}
dd5dd7
+END_TEST
dd5dd7
+#endif
dd5dd7
+
dd5dd7
 static void
dd5dd7
 run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
dd5dd7
 {
dd5dd7
@@ -12210,6 +12273,10 @@ make_suite(void)
dd5dd7
     tcase_add_test(tc_misc, test_misc_features);
dd5dd7
     tcase_add_test(tc_misc, test_misc_attribute_leak);
dd5dd7
     tcase_add_test(tc_misc, test_misc_utf16le);
dd5dd7
+#ifdef XML_DTD
dd5dd7
+    tcase_add_test(tc_misc,
dd5dd7
+                   test_misc_deny_internal_entity_closing_doctype_issue_317);
dd5dd7
+#endif
dd5dd7
 
dd5dd7
     suite_add_tcase(s, tc_alloc);
dd5dd7
     tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);