From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Fri, 15 Apr 2016 11:56:55 +0200
Subject: [PATCH] Add missing increments of recursion depth counter to XML
 parser.
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
6dedca
index 0accf54..32293d0 100644
6dedca
--- a/parser.c
6dedca
+++ b/parser.c
6dedca
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
6dedca
 
6dedca
 	ent->checked = 1;
6dedca
 
6dedca
+        ++ctxt->depth;
6dedca
 	rep = xmlStringDecodeEntities(ctxt, ent->content,
6dedca
 				  XML_SUBSTITUTE_REF, 0, 0, 0);
6dedca
+        --ctxt->depth;
6dedca
 
6dedca
 	ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
6dedca
 	if (rep != NULL) {
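Review bot: The two added lines are indented with eight spaces while every neighbouring line in xmlParserEntityCheck() uses a tab, so the `++ctxt->depth;`/`--ctxt->depth;` pair here and in the xmlParseEntityValue() hunk stands out in a tab-indented file; both should use tabs as the two xmlParseAttValueComplex() hunks already do. None of the four sites says why depth is bumped around a call that does not look recursive, which invites a future cleanup that quietly reintroduces the bug; a one-line comment above each increment, `/* nested expansion: count it toward ctxt->depth so entity recursion is detected */`, would anchor the intent. Where the depth limit is actually enforced is not visible in this hunk; the commit message implies the counter is what the parser uses to stop attribute recursion, so that reference is left implicit in the comment. xmlParserEntityCheck() begins and continues outside this hunk.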
6dedca
@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
6dedca
 	 * an entity declaration, it is bypassed and left as is.
6dedca
 	 * so XML_SUBSTITUTE_REF is not set here.
6dedca
 	 */
6dedca
+        ++ctxt->depth;
6dedca
 	ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
6dedca
 				      0, 0, 0);
6dedca
+        --ctxt->depth;
6dedca
 	if (orig != NULL)
6dedca
 	    *orig = buf;
6dedca
 	else
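Review bot: The commit description names only xmlParserEntityCheck() and xmlParseAttValueComplex(), yet this hunk adds the same depth bracket to xmlParseEntityValue(), so the description understates the scope of the fix and should list this third site as well. The added lines also use eight spaces where the surrounding lines use tabs. xmlParseEntityValue() starts and continues outside this hunk.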
6dedca
@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
6dedca
 		} else if ((ent != NULL) &&
6dedca
 		           (ctxt->replaceEntities != 0)) {
6dedca
 		    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
6dedca
+			++ctxt->depth;
6dedca
 			rep = xmlStringDecodeEntities(ctxt, ent->content,
6dedca
 						      XML_SUBSTITUTE_REF,
6dedca
 						      0, 0, 0);
6dedca
+			--ctxt->depth;
6dedca
 			if (rep != NULL) {
6dedca
 			    current = rep;
6dedca
 			    while (*current != 0) { /* non input consuming */
6dedca
@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
6dedca
 			(ent->content != NULL) && (ent->checked == 0)) {
6dedca
 			unsigned long oldnbent = ctxt->nbentities;
6dedca
 
6dedca
+			++ctxt->depth;
6dedca
 			rep = xmlStringDecodeEntities(ctxt, ent->content,
6dedca
 						  XML_SUBSTITUTE_REF, 0, 0, 0);
6dedca
+			--ctxt->depth;
6dedca
 
6dedca
 			ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
6dedca
 			if (rep != NULL) {
6dedca
-- 
2.5.5