xzyang / rpms / libxml2

Forked from rpms/libxml2 3 years ago
Clone

Blame SOURCES/CVE-2014-3660-rhel7.patch

6dedca
commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc
6dedca
Author: Daniel Veillard <veillard@redhat.com>
6dedca
Date:   Thu Oct 2 16:17:09 2014 +0800
6dedca
6dedca
    Fix for CVE-2014-3660
6dedca
    
6dedca
    Issues related to the billion laugh entity expansion which happened to
6dedca
    escape the initial set of fixes
6dedca
6dedca
diff --git a/parser.c b/parser.c
6dedca
index f30588c..3c72cbb 100644
6dedca
--- a/parser.c
6dedca
+++ b/parser.c
6dedca
@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
6dedca
         return (0);
6dedca
     if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
6dedca
         return (1);
6dedca
+
6dedca
+    /*
6dedca
+     * This may look absurd but is needed to detect
6dedca
+     * entities problems
6dedca
+     */
6dedca
+    if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&
6dedca
+	(ent->content != NULL) && (ent->checked == 0)) {
6dedca
+	unsigned long oldnbent = ctxt->nbentities;
6dedca
+	xmlChar *rep;
6dedca
+
6dedca
+	ent->checked = 1;
6dedca
+
6dedca
+	rep = xmlStringDecodeEntities(ctxt, ent->content,
6dedca
+				  XML_SUBSTITUTE_REF, 0, 0, 0);
6dedca
+
6dedca
+	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
6dedca
+	if (rep != NULL) {
6dedca
+	    if (xmlStrchr(rep, '<'))
6dedca
+		ent->checked |= 1;
6dedca
+	    xmlFree(rep);
6dedca
+	    rep = NULL;
6dedca
+	}
6dedca
+    }
6dedca
     if (replacement != 0) {
6dedca
 	if (replacement < XML_MAX_TEXT_LENGTH)
6dedca
 	    return(0);
6dedca
@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
6dedca
             return (0);
6dedca
     } else {
6dedca
         /*
6dedca
-         * strange we got no data for checking just return
6dedca
+         * strange we got no data for checking
6dedca
          */
6dedca
-        return (0);
6dedca
+	if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&
6dedca
+	     (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) ||
6dedca
+	    (ctxt->nbentities <= 10000))
6dedca
+	    return (0);
6dedca
     }
6dedca
     xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
6dedca
     return (1);
6dedca
@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
6dedca
 				      name, NULL);
6dedca
 		    ctxt->valid = 0;
6dedca
 		}
6dedca
+		xmlParserEntityCheck(ctxt, 0, NULL, 0);
6dedca
 	    } else if (ctxt->input->free != deallocblankswrapper) {
6dedca
 		    input = xmlNewBlanksWrapperInputStream(ctxt, entity);
6dedca
 		    if (xmlPushInput(ctxt, input) < 0)
6dedca
@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
6dedca
 	    if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
6dedca
 	        (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
6dedca
 	        goto int_error;
6dedca
+	    xmlParserEntityCheck(ctxt, 0, ent, 0);
6dedca
 	    if (ent != NULL)
6dedca
 	        ctxt->nbentities += ent->checked / 2;
6dedca
 	    if ((ent != NULL) &&
6dedca
@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
6dedca
 	    ent = xmlParseStringPEReference(ctxt, &str);
6dedca
 	    if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
6dedca
 	        goto int_error;
6dedca
+	    xmlParserEntityCheck(ctxt, 0, ent, 0);
6dedca
 	    if (ent != NULL)
6dedca
 	        ctxt->nbentities += ent->checked / 2;
6dedca
 	    if (ent != NULL) {
6dedca
@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
6dedca
 		   (ret != XML_WAR_UNDECLARED_ENTITY)) {
6dedca
 	    xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,
6dedca
 		     "Entity '%s' failed to parse\n", ent->name);
6dedca
+	    xmlParserEntityCheck(ctxt, 0, ent, 0);
6dedca
 	} else if (list != NULL) {
6dedca
 	    xmlFreeNodeList(list);
6dedca
 	    list = NULL;
6dedca
@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
6dedca
 		/*
6dedca
 		 * We are copying here, make sure there is no abuse
6dedca
 		 */
6dedca
-		ctxt->sizeentcopy += ent->length;
6dedca
+		ctxt->sizeentcopy += ent->length + 5;
6dedca
 		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
6dedca
 		    return;
6dedca
 
6dedca
@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
6dedca
 		/*
6dedca
 		 * We are copying here, make sure there is no abuse
6dedca
 		 */
6dedca
-		ctxt->sizeentcopy += ent->length;
6dedca
+		ctxt->sizeentcopy += ent->length + 5;
6dedca
 		if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
6dedca
 		    return;
6dedca
 
6dedca
@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {
6dedca
 		ctxt->sax->reference(ctxt->userData, name);
6dedca
 	    }
6dedca
 	}
6dedca
+	xmlParserEntityCheck(ctxt, 0, ent, 0);
6dedca
 	ctxt->valid = 0;
6dedca
     }
6dedca
 
6dedca
@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {
6dedca
 			  "Entity '%s' not defined\n",
6dedca
 			  name);
6dedca
 	}
6dedca
+	xmlParserEntityCheck(ctxt, 0, ent, 0);
6dedca
 	/* TODO ? check regressions ctxt->valid = 0; */
6dedca
     }
6dedca
 
6dedca
@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
6dedca
 			  name, NULL);
6dedca
 	    ctxt->valid = 0;
6dedca
 	}
6dedca
+	xmlParserEntityCheck(ctxt, 0, NULL, 0);
6dedca
     } else {
6dedca
 	/*
6dedca
 	 * Internal checking in case the entity quest barfed
6dedca
@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {
6dedca
 			  name, NULL);
6dedca
 	    ctxt->valid = 0;
6dedca
 	}
6dedca
+	xmlParserEntityCheck(ctxt, 0, NULL, 0);
6dedca
     } else {
6dedca
 	/*
6dedca
 	 * Internal checking in case the entity quest barfed