From d88b1b5e55b9ba0962408ff5e0327bf71a79e37a Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Fri, 15 Apr 2016 11:56:55 +0200
Subject: [PATCH] Add missing increments of recursion depth counter to XML
parser.
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=765207
CVE-2016-3705
The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
xmlStringDecodeEntities() in a recursive context without incrementing the
'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
index 0accf54..32293d0 100644
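--- a/parser.c
+++ b/parser.c
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
 
 ent->checked = 1;
 
+ ++ctxt->depth;
 rep = xmlStringDecodeEntities(ctxt, ent->content,
 XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
 
 ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
 if (rep != NULL) {
@@ -3963,8 +3965,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
 * an entity declaration, it is bypassed and left as is.
 * so XML_SUBSTITUTE_REF is not set here.
 */
+ ++ctxt->depth;
 ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
 0, 0, 0);
+ --ctxt->depth;
 if (orig != NULL)
 *orig = buf;
 else
@@ -4089,9 +4093,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 } else if ((ent != NULL) &&
 (ctxt->replaceEntities != 0)) {
 if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+ ++ctxt->depth;
 rep = xmlStringDecodeEntities(ctxt, ent->content,
 XML_SUBSTITUTE_REF,
 0, 0, 0);
+ --ctxt->depth;
 if (rep != NULL) {
 current = rep;
 while (*current != 0) { /* non input consuming */
@@ -4127,8 +4133,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
 (ent->content != NULL) && (ent->checked == 0)) {
 unsigned long oldnbent = ctxt->nbentities;
 
+ ++ctxt->depth;
 rep = xmlStringDecodeEntities(ctxt, ent->content,
 XML_SUBSTITUTE_REF, 0, 0, 0);
+ --ctxt->depth;
 
 ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
 if (rep != NULL) {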
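Review bot: The recursion guard still relies on every caller of xmlStringDecodeEntities() remembering to bracket the call by hand, and the same `++ctxt->depth;` / `--ctxt->depth;` pair is now repeated at four sites (xmlParserEntityCheck, xmlParseEntityValue, and twice in xmlParseAttValueComplex). The limit check that reads ctxt->depth is not visible in these hunks, so this is presumably the only thing that stops unbounded nesting on these paths; a single static wrapper that owns the bookkeeping would keep a future call site from repeating the omission behind CVE-2016-3705. The commit message names only xmlParserEntityCheck() and xmlParseAttValueComplex(), while the second hunk also changes xmlParseEntityValue(), and the diffstat lists parser.c alone, so no regression document comes with the fix. All three functions start and end outside the hunks shown.

```c
/* Proposed helper (name is a suggestion): one place owns the depth bookkeeping. */
static xmlChar *
xmlDecodeEntitiesNested(xmlParserCtxtPtr ctxt, const xmlChar *str, int what)
{
    xmlChar *ret;

    ++ctxt->depth;
    ret = xmlStringDecodeEntities(ctxt, str, what, 0, 0, 0);
    --ctxt->depth;
    return ret;
}

/* … unchanged: xmlParserEntityCheck up to the decode call … */
    rep = xmlDecodeEntitiesNested(ctxt, ent->content, XML_SUBSTITUTE_REF);
/* … unchanged: the other three call sites take the same one-line form … */
```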
--
2.5.5