xzyang / rpms / libxml2

Forked from rpms/libxml2 3 years ago

Blame SOURCES/libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch

267d54
From 4e1ea576167520bbc2bad50797119983e133af74 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Fri, 20 Nov 2015 11:13:45 +0800
Subject: [PATCH] CVE-2015-5312 Another entity expansion issue
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=756733
It is one case where the code in place to detect entities expansions
failed to exit when the situation was detected, leading to DoS
Problem reported by Kostya Serebryany @ Google
Patch provided by David Drysdale @ Google
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/parser.c b/parser.c
index a58dda3..e536e54 100644
--- a/parser.c
+++ b/parser.c
@@ -2801,6 +2801,10 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
 			                      0, 0, 0);
 		ctxt->depth--;
 
+		if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) ||
+		    (ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))
+		    goto int_error;
+
 		if (rep != NULL) {
 		    current = rep;
 		    while (*current != 0) { /* non input consuming loop */
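Review bot: the new `goto int_error` sits ahead of the `if (rep != NULL)` block, so when the recursive call has returned a non-NULL `rep` and also recorded `XML_ERR_ENTITY_LOOP` or `XML_ERR_INTERNAL_ERROR`, the jump skips the only visible code that consumes `rep`. The `int_error` label is outside this hunk, so please confirm it releases `rep`, or free it before jumping. Separately, the condition reads `ctxt->lastError.code`, which is the context's most recently recorded error rather than a result of the call just above, so an error recorded earlier in the same parse would take this branch as well; if that is intended, a one-line comment above the check saying so would help the next reader.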
-- 
2.5.0