
From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Fri, 15 Apr 2016 11:56:55 +0200
Subject: [PATCH] Add missing increments of recursion depth counter to XML
 parser.
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
1c8959
index 0accf54..32293d0 100644
1c8959
--- a/parser.c
1c8959
+++ b/parser.c
1c8959
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
1c8959
 
1c8959
 	ent->checked = 1;
1c8959
 
1c8959
+        ++ctxt->depth;
1c8959
 	rep = xmlStringDecodeEntities(ctxt, ent->content,
1c8959
 				  XML_SUBSTITUTE_REF, 0, 0, 0);
1c8959
+        --ctxt->depth;
1c8959
 
1c8959
 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
1c8959
 	if (rep != NULL) {
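Review bot: The added `++ctxt->depth` / `--ctxt->depth` pair around the xmlStringDecodeEntities() call has an effect only if the recursion limit is checked inside that callee, which this hunk does not show, so a reader of xmlParserEntityCheck() cannot see why the counter is bumped around this one call; a comment would make the intent explicit: `/* count this expansion toward the recursion limit enforced inside xmlStringDecodeEntities() */`. The pair is balanced only because no early return sits between the two lines; that invariant should be kept if the call is ever wrapped in error handling. Note also that when rep comes back NULL, `ent->checked` is still assigned from the nbentities delta on the following line, so an expansion that was cut off at the depth limit presumably leaves the entity marked as checked with a small count; it is worth confirming that the error raised inside the decode stops the parse before that value is relied on. xmlParserEntityCheck() starts and ends outside this hunk.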
1c8959
@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
1c8959
 	 * an entity declaration, it is bypassed and left as is.
1c8959
 	 * so XML_SUBSTITUTE_REF is not set here.
1c8959
 	 */
1c8959
+        ++ctxt->depth;
1c8959
 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
1c8959
 				      0, 0, 0);
1c8959
+        --ctxt->depth;
1c8959
 	if (orig != NULL)
1c8959
 	    *orig = buf;
1c8959
 	else
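Review bot: The commit description names only xmlParserEntityCheck() and xmlParseAttValueComplex(), but this hunk also changes xmlParseEntityValue(), so the description should list it as a third affected call site (the XML_SUBSTITUTE_PEREF path). The two added lines are indented with eight spaces while the neighbouring lines use a tab, which makes the change harder to read in a tab-indented file; the third and fourth hunks use tabs, and these should match. The existing comment above explains why XML_SUBSTITUTE_REF is not set here but not why depth is adjusted; a one-line addition would help: `/* parameter-entity expansion can recurse; keep depth accurate for the recursion-depth check */`. xmlParseEntityValue() starts and ends outside this hunk.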
1c8959
@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
1c8959
 		} else if ((ent != NULL) &&
1c8959
 		           (ctxt->replaceEntities != 0)) {
1c8959
 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
1c8959
+			++ctxt->depth;
1c8959
 			rep = xmlStringDecodeEntities(ctxt, ent->content,
1c8959
 						      XML_SUBSTITUTE_REF,
1c8959
 						      0, 0, 0);
1c8959
+			--ctxt->depth;
1c8959
 			if (rep != NULL) {
1c8959
 			    current = rep;
1c8959
 			    while (*current != 0) { /* non input consuming */
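Review bot: Unlike what appears to be the later branch of the same function in the next hunk, which is gated on `ent->checked == 0`, this replaceEntities path descends into `ent->content` with no visible guard other than the depth counter the hunk adds, so the bound on self-referential entities here rests entirely on the check inside xmlStringDecodeEntities(), which the hunk does not show; a short comment would save the next reader from looking for a missing guard: `/* depth is the only recursion bound on this path; xmlStringDecodeEntities() enforces the limit */`. If that check ever becomes conditional (for example only when a parser option is unset) this site would need revisiting. The `rep` buffer walked by the loop below is presumably released after the loop, outside the hunk. xmlParseAttValueComplex() starts and ends outside this hunk.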
1c8959
@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
1c8959
 			(ent->content != NULL) && (ent->checked == 0)) {
1c8959
 			unsigned long oldnbent = ctxt->nbentities;
1c8959
 
1c8959
+			++ctxt->depth;
1c8959
 			rep = xmlStringDecodeEntities(ctxt, ent->content,
1c8959
 						  XML_SUBSTITUTE_REF, 0, 0, 0);
1c8959
+			--ctxt->depth;
1c8959
 
1c8959
 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
1c8959
 			if (rep != NULL) {
-- 
2.5.5