From 7d23a33fbf8fe09fe52f9abafeafb9f438229603 Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Tue, 26 Jan 2016 16:57:03 -0800
Subject: [PATCH] Heap-based buffer-underreads due to xmlParseName
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=759573
* parser.c:
(xmlParseElementDecl): Return early on invalid input to fix
non-minimized test case (759573-2.xml).  Otherwise the parser
gets into a bad state in SKIP(3) at the end of the function.
(xmlParseConditionalSections): Halt parsing when hitting invalid
input that would otherwise cause xmlParserHandlePEReference()
to recurse unexpectedly.  This fixes the minimized test case
(759573.xml).
* result/errors/759573-2.xml: Add.
* result/errors/759573-2.xml.err: Add.
* result/errors/759573-2.xml.str: Add.
* result/errors/759573.xml: Add.
* result/errors/759573.xml.err: Add.
* result/errors/759573.xml.str: Add.
* test/errors/759573-2.xml: Add.
* test/errors/759573.xml: Add.
Had to fixup by removing test 759573-2
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c                     |  2 ++
 result/errors/759573.xml     |  0
 result/errors/759573.xml.err | 31 +++++++++++++++++++++++++++++++
 result/errors/759573.xml.str |  4 ++++
 test/errors/759573.xml       |  1 +
 5 files changed, 38 insertions(+)
 create mode 100644 result/errors/759573.xml
 create mode 100644 result/errors/759573.xml.err
 create mode 100644 result/errors/759573.xml.str
 create mode 100644 test/errors/759573.xml
diff --git a/parser.c b/parser.c
1c8959
index 133df95..0accf54 100644
1c8959
--- a/parser.c
1c8959
+++ b/parser.c
1c8959
@@ -6683,6 +6683,7 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
1c8959
 	if (!IS_BLANK_CH(CUR)) {
1c8959
 	    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
1c8959
 		           "Space required after 'ELEMENT'\n");
1c8959
+	    return(-1);
1c8959
 	}
1c8959
         SKIP_BLANKS;
1c8959
         name = xmlParseName(ctxt);
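Review bot: The new `return(-1)` after the "Space required after 'ELEMENT'" error has no regression test in this backport: the commit message says the 759573-2 case was dropped during fixup, and the diffstat adds only test/errors/759573.xml, which the commit message attributes to the conditional-sections path. Consider carrying a minimal case under test/errors that puts a non-blank character right after `<!ELEMENT` so the early return is exercised by runtest. A why-comment would also help the next reader, since the error call alone looks like a recoverable warning: `/* Bail out here: continuing without the blank leaves the input positioned so the SKIP(3) at the end of this function misreads the declaration (bug 759573). */`. xmlParseElementDecl starts before and continues after this hunk, so it is assumed, not verified here, that -1 matches the function's other error returns.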
1c8959
@@ -6834,6 +6835,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
1c8959
 
1c8959
 	    if ((CUR_PTR == check) && (cons == ctxt->input->consumed)) {
1c8959
 		xmlFatalErr(ctxt, XML_ERR_EXT_SUBSET_NOT_FINISHED, NULL);
1c8959
+		xmlHaltParser(ctxt);
1c8959
 		break;
1c8959
 	    }
1c8959
 	}
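Review bot: The added `xmlHaltParser(ctxt)` deserves a one-line comment explaining why the existing `break` on the no-progress check is not enough, because on its own the halt reads as redundant with the loop exit: `/* Halt, not just break: returning with the parser live lets xmlParserHandlePEReference() recurse on the same unresolvable reference (bug 759573). */`. If this is backported onto a libxml2 release that predates xmlHaltParser(), parser.c will fail to build, so confirm the helper is defined in the target tree before shipping the RPM. xmlParseConditionalSections begins before this hunk and the code after the loop is not visible, so whether anything re-reads ctxt->input after the halt cannot be checked from here.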
1c8959
diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err
1c8959
new file mode 100644
1c8959
index 0000000..2c21e9a
1c8959
--- /dev/null
1c8959
+++ b/result/errors/759573.xml.err
1c8959
@@ -0,0 +1,31 @@
1c8959
+./test/errors/759573.xml:1: parser error : Space required after '
1c8959
+ELEMENT t (A)>
1c8959
+                                                                               ^
1c8959
+./test/errors/759573.xml:1: parser error : Space required after the entity name
1c8959
+LEMENT t (A)>
1c8959
+                                                                               ^
1c8959
+./test/errors/759573.xml:1: parser error : Entity value required
1c8959
+LEMENT t (A)>
1c8959
+                                                                               ^
1c8959
+Entity: line 1: parser error : PEReference: no name
1c8959
+ %xx; 
1c8959
+     ^
1c8959
+Entity: line 1: 
1c8959
+%
1c8959
+ ^
1c8959
+Entity: line 1: parser error : Content error in the external subset
1c8959
+ %xx; 
1c8959
+     ^
1c8959
+Entity: line 1: 
1c8959
+%
1c8959
+            ^
1c8959
+./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
1c8959
+
1c8959
+T t (A)>%xx;
1c8959
+                                                                               ^
1c8959
+./test/errors/759573.xml:1: parser error : DOCTYPE improperly terminated
1c8959
+T t (A)>%xx;
1c8959
+                                                                               ^
1c8959
+./test/errors/759573.xml:1: parser error : Start tag expected, '<' not found
1c8959
+T t (A)>%xx;
1c8959
+                                                                               ^
1c8959
diff --git a/result/errors/759573.xml.str b/result/errors/759573.xml.str
1c8959
new file mode 100644
1c8959
index 0000000..1b6addb
1c8959
--- /dev/null
1c8959
+++ b/result/errors/759573.xml.str
1c8959
@@ -0,0 +1,4 @@
1c8959
+./test/errors/759573.xml:1: parser error : Extra content at the end of the document
1c8959
+
1c8959
+               ^
1c8959
+./test/errors/759573.xml : failed to parse
1c8959
diff --git a/test/errors/759573.xml b/test/errors/759573.xml
1c8959
new file mode 100644
1c8959
index 0000000..69ebb57
1c8959
--- /dev/null
1c8959
+++ b/test/errors/759573.xml
1c8959
@@ -0,0 +1 @@
1c8959
+%xx;
1c8959
\ No newline at end of file
1c8959
-- 
1c8959
2.5.5
1c8959