From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=759020
* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change.  Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c                     | 26 +++++++++++++++++++++++--
 result/errors/759020.xml     |  0
 result/errors/759020.xml.err |  6 ++++++
 result/errors/759020.xml.str |  7 +++++++
 test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 result/errors/759020.xml
 create mode 100644 result/errors/759020.xml.err
 create mode 100644 result/errors/759020.xml.str
 create mode 100644 test/errors/759020.xml
diff --git a/parser.c b/parser.c
1c8959
index 1936599..133df95 100644
1c8959
--- a/parser.c
1c8959
+++ b/parser.c
1c8959
@@ -9438,8 +9438,20 @@ reparse:
1c8959
 		else
1c8959
 		    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
1c8959
 skip_default_ns:
1c8959
-		if (alloc != 0) xmlFree(attvalue);
1c8959
+		if ((attvalue != NULL) && (alloc != 0)) {
1c8959
+		    xmlFree(attvalue);
1c8959
+		    attvalue = NULL;
1c8959
+		}
1c8959
+		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
1c8959
+		    break;
1c8959
+		if (!IS_BLANK_CH(RAW)) {
1c8959
+		    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
1c8959
+				   "attributes construct error\n");
1c8959
+		    break;
1c8959
+		}
1c8959
 		SKIP_BLANKS;
1c8959
+		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
1c8959
+		    goto base_changed;
1c8959
 		continue;
1c8959
 	    }
1c8959
             if (aprefix == ctxt->str_xmlns) {
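Review bot: The new `goto base_changed` on the skip_default_ns path (line 109) fires after the default namespace has already been recorded by `nsPush(ctxt, NULL, URL)` with `nbNs++` a few lines above, so when base_changed jumps back to reparse that namespace will be pushed a second time unless base_changed pops nbNs first. The base_changed label and the reparse setup are outside this hunk, so I cannot see whether that pop exists; if it does not, a single buffer reallocation during SKIP_BLANKS would leave a duplicate default-namespace entry on the namespace stack for this element, which is the same class of stale-state problem this commit is fixing for attvalue. I would add a comment at the goto making the contract explicit, e.g. `/* base moved: attname/URL point into the old buffer; base_changed must undo the nsPush above before reparse */`, and have the test in test/errors exercise the xmlns-only path that is new here rather than only the prefixed-xmlns path. xmlParseStartTag2's body begins before and continues past this hunk.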
1c8959
@@ -9511,7 +9523,17 @@ skip_default_ns:
1c8959
 		else
1c8959
 		    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
1c8959
 skip_ns:
1c8959
-		if (alloc != 0) xmlFree(attvalue);
1c8959
+		if ((attvalue != NULL) && (alloc != 0)) {
1c8959
+		    xmlFree(attvalue);
1c8959
+		    attvalue = NULL;
1c8959
+		}
1c8959
+		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
1c8959
+		    break;
1c8959
+		if (!IS_BLANK_CH(RAW)) {
1c8959
+		    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
1c8959
+				   "attributes construct error\n");
1c8959
+		    break;
1c8959
+		}
1c8959
 		SKIP_BLANKS;
1c8959
 		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
1c8959
 		    goto base_changed;
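Review bot: Lines 127–147 are a verbatim copy of the block the previous hunk adds at skip_default_ns, and the same `'>'` / `'/>'` / blank-required / SKIP_BLANKS / base-moved sequence presumably also closes the ordinary-attribute iteration further down the loop; three hand-copied copies of a check whose purpose is to avoid a use-after-free is how one of them drifts out of sync on the next fix. I would move the sequence into one `static` helper returning a small code and make both labels (and the loop tail) call it, with a new `int rc` local in xmlParseStartTag2. Separately, `xmlFree` is replaceable through xmlMemSetup, so the `attvalue != NULL` guard is worth keeping even though the default allocator tolerates free(NULL); a one-line comment saying so would stop a later cleanup from removing it. The end of the attribute loop and the base_changed label are outside this hunk.
```c
/* Finish the attribute just consumed at skip_default_ns / skip_ns.
 * Returns 0 to parse the next attribute, 1 to leave the attribute loop,
 * 2 when the input buffer moved or an entity boundary was crossed.
 * NOTE(review): xmlFree is replaceable via xmlMemSetup, so the NULL guard
 * stays even though the default allocator tolerates free(NULL). */
static int
xmlParseAttrTail(xmlParserCtxtPtr ctxt, xmlChar **attvalue, int alloc,
                 const xmlChar *base, int inputNr)
{
    if ((*attvalue != NULL) && (alloc != 0)) {
        xmlFree(*attvalue);
        *attvalue = NULL;
    }
    if ((RAW == '>') || ((RAW == '/') && (NXT(1) == '>')))
        return 1;
    if (!IS_BLANK_CH(RAW)) {
        xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
                       "attributes construct error\n");
        return 1;
    }
    SKIP_BLANKS;
    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
        return 2;
    return 0;
}

/* … unchanged: xmlParseStartTag2 up to the nsPush before skip_ns … */
skip_ns:
		rc = xmlParseAttrTail(ctxt, &attvalue, alloc, base, inputNr);
		if (rc == 1) break;
		if (rc == 2) goto base_changed;
		continue;
```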
1c8959
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
1c8959
new file mode 100644
1c8959
index 0000000..a0d3051
1c8959
--- /dev/null
1c8959
+++ b/result/errors/759020.xml.err
1c8959
@@ -0,0 +1,6 @@
1c8959
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
1c8959
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
1c8959
+                                                                               ^
1c8959
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
1c8959
+                                                                   
1c8959
+                                                                   ^
1c8959
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
1c8959
new file mode 100644
1c8959
index 0000000..998d6d2
1c8959
--- /dev/null
1c8959
+++ b/result/errors/759020.xml.str
1c8959
@@ -0,0 +1,7 @@
1c8959
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
1c8959
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
1c8959
+                                                                               ^
1c8959
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
1c8959
+                                                                   
1c8959
+                                                                   ^
1c8959
+./test/errors/759020.xml : failed to parse
1c8959
diff --git a/test/errors/759020.xml b/test/errors/759020.xml
1c8959
new file mode 100644
1c8959
index 0000000..db23275
1c8959
--- /dev/null
1c8959
+++ b/test/errors/759020.xml
1c8959
@@ -0,0 +1,46 @@
1c8959
+
1c8959
+
1c8959
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'       
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+           
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                              
1c8959
+                                                                   
1c8959
\ No newline at end of file
-- 
2.5.5