|
|
bba68d |
|
|
|
bba68d |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15903
|
|
|
bba68d |
|
|
|
bba68d |
https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
|
|
|
bba68d |
|
|
|
bba68d |
--- expat-2.1.0/lib/xmlparse.c.cve15903
|
|
|
bba68d |
+++ expat-2.1.0/lib/xmlparse.c
|
|
|
bba68d |
@@ -331,7 +331,7 @@
|
|
|
bba68d |
static enum XML_Error
|
|
|
bba68d |
doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
|
|
|
bba68d |
const char *end, int tok, const char *next, const char **nextPtr,
|
|
|
bba68d |
- XML_Bool haveMore);
|
|
|
bba68d |
+ XML_Bool haveMore, XML_Bool allowClosingDoctype);
|
|
|
bba68d |
static enum XML_Error
|
|
|
bba68d |
processInternalEntity(XML_Parser parser, ENTITY *entity,
|
|
|
bba68d |
XML_Bool betweenDecl);
|
|
|
bba68d |
@@ -3699,7 +3699,7 @@
|
|
|
bba68d |
|
|
|
bba68d |
processor = prologProcessor;
|
|
|
bba68d |
return doProlog(parser, encoding, s, end, tok, next,
|
|
|
bba68d |
- nextPtr, (XML_Bool)!ps_finalBuffer);
|
|
|
bba68d |
+ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
|
|
|
bba68d |
}
|
|
|
bba68d |
|
|
|
bba68d |
static enum XML_Error PTRCALL
|
|
|
bba68d |
@@ -3749,7 +3749,7 @@
|
|
|
bba68d |
const char *next = s;
|
|
|
bba68d |
int tok = XmlPrologTok(encoding, s, end, &next;;
|
|
|
bba68d |
return doProlog(parser, encoding, s, end, tok, next,
|
|
|
bba68d |
- nextPtr, (XML_Bool)!ps_finalBuffer);
|
|
|
bba68d |
+ nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
|
|
|
bba68d |
}
|
|
|
bba68d |
|
|
|
bba68d |
static enum XML_Error
|
|
|
bba68d |
@@ -3760,7 +3760,8 @@
|
|
|
bba68d |
int tok,
|
|
|
bba68d |
const char *next,
|
|
|
bba68d |
const char **nextPtr,
|
|
|
bba68d |
- XML_Bool haveMore)
|
|
|
bba68d |
+ XML_Bool haveMore,
|
|
|
bba68d |
+ XML_Bool allowClosingDoctype)
|
|
|
bba68d |
{
|
|
|
bba68d |
#ifdef XML_DTD
|
|
|
bba68d |
static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
|
|
|
bba68d |
@@ -3936,6 +3937,11 @@
|
|
|
bba68d |
}
|
|
|
bba68d |
break;
|
|
|
bba68d |
case XML_ROLE_DOCTYPE_CLOSE:
|
|
|
bba68d |
+ if (allowClosingDoctype != XML_TRUE) {
|
|
|
bba68d |
+ /* Must not close doctype from within expanded parameter entities */
|
|
|
bba68d |
+ return XML_ERROR_INVALID_TOKEN;
|
|
|
bba68d |
+ }
|
|
|
bba68d |
+
|
|
|
bba68d |
if (doctypeName) {
|
|
|
bba68d |
startDoctypeDeclHandler(handlerArg, doctypeName,
|
|
|
bba68d |
doctypeSysid, doctypePubid, 0);
|
|
|
bba68d |
@@ -4837,7 +4843,7 @@
|
|
|
bba68d |
if (entity->is_param) {
|
|
|
bba68d |
int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next;;
|
|
|
bba68d |
result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
|
|
|
bba68d |
- next, &next, XML_FALSE);
|
|
|
bba68d |
+ next, &next, XML_FALSE, XML_FALSE);
|
|
|
bba68d |
}
|
|
|
bba68d |
else
|
|
|
bba68d |
#endif /* XML_DTD */
|
|
|
bba68d |
@@ -4882,7 +4888,7 @@
|
|
|
bba68d |
if (entity->is_param) {
|
|
|
bba68d |
int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next;;
|
|
|
bba68d |
result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
|
|
|
bba68d |
- next, &next, XML_FALSE);
|
|
|
bba68d |
+ next, &next, XML_FALSE, XML_TRUE);
|
|
|
bba68d |
}
|
|
|
bba68d |
else
|
|
|
bba68d |
#endif /* XML_DTD */
|
|
|
bba68d |
@@ -4909,7 +4915,7 @@
|
|
|
bba68d |
processor = prologProcessor;
|
|
|
bba68d |
tok = XmlPrologTok(encoding, s, end, &next;;
|
|
|
bba68d |
return doProlog(parser, encoding, s, end, tok, next, nextPtr,
|
|
|
bba68d |
- (XML_Bool)!ps_finalBuffer);
|
|
|
bba68d |
+ (XML_Bool)!ps_finalBuffer, XML_TRUE);
|
|
|
bba68d |
}
|
|
|
bba68d |
else
|
|
|
bba68d |
#endif /* XML_DTD */
|
|
|
bba68d |
--- expat-2.1.0/tests/runtests.c.cve15903
|
|
|
bba68d |
+++ expat-2.1.0/tests/runtests.c
|
|
|
bba68d |
@@ -1157,6 +1157,69 @@
|
|
|
bba68d |
CharData_AppendString(storage, "\n");
|
|
|
bba68d |
}
|
|
|
bba68d |
|
|
|
bba68d |
+#ifdef XML_DTD
|
|
|
bba68d |
+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
|
|
|
bba68d |
+ const char *const inputOne = "
|
|
|
bba68d |
+ "<d/>'>\n"
|
|
|
bba68d |
+ "\n"
|
|
|
bba68d |
+ "%e;";
|
|
|
bba68d |
+ const char *const inputTwo = "
|
|
|
bba68d |
+ "<d/>'>\n"
|
|
|
bba68d |
+ "\n"
|
|
|
bba68d |
+ "%e2;";
|
|
|
bba68d |
+ const char *const inputThree = "
|
|
|
bba68d |
+ "<d'>\n"
|
|
|
bba68d |
+ "\n"
|
|
|
bba68d |
+ "%e;";
|
|
|
bba68d |
+ const char *const inputIssue317 = "
|
|
|
bba68d |
+ "\n"
|
|
|
bba68d |
+ "<doc>Hell<oc (#PCDATA)*>'>\n"
|
|
|
bba68d |
+ "%foo;\n"
|
|
|
bba68d |
+ "]>\n"
|
|
|
bba68d |
+ "<doc>Hello, world</dVc>";
|
|
|
bba68d |
+
|
|
|
bba68d |
+ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
|
|
|
bba68d |
+ size_t inputIndex = 0;
|
|
|
bba68d |
+
|
|
|
bba68d |
+ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
|
|
|
bba68d |
+ XML_Parser parser;
|
|
|
bba68d |
+ enum XML_Status parseResult;
|
|
|
bba68d |
+ int setParamEntityResult;
|
|
|
bba68d |
+ XML_Size lineNumber;
|
|
|
bba68d |
+ XML_Size columnNumber;
|
|
|
bba68d |
+ const char *const input = inputs[inputIndex];
|
|
|
bba68d |
+
|
|
|
bba68d |
+ parser = XML_ParserCreate(NULL);
|
|
|
bba68d |
+ setParamEntityResult
|
|
|
bba68d |
+ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
|
|
|
bba68d |
+ if (setParamEntityResult != 1)
|
|
|
bba68d |
+ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
|
|
|
bba68d |
+
|
|
|
bba68d |
+ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
|
|
|
bba68d |
+ if (parseResult != XML_STATUS_ERROR) {
|
|
|
bba68d |
+ parseResult = XML_Parse(parser, "", 0, 1);
|
|
|
bba68d |
+ if (parseResult != XML_STATUS_ERROR) {
|
|
|
bba68d |
+ fail("Parsing was expected to fail but succeeded.");
|
|
|
bba68d |
+ }
|
|
|
bba68d |
+ }
|
|
|
bba68d |
+
|
|
|
bba68d |
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
|
|
|
bba68d |
+ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
|
|
|
bba68d |
+
|
|
|
bba68d |
+ lineNumber = XML_GetCurrentLineNumber(parser);
|
|
|
bba68d |
+ if (lineNumber != 4)
|
|
|
bba68d |
+ fail("XML_GetCurrentLineNumber does not work as expected.");
|
|
|
bba68d |
+
|
|
|
bba68d |
+ columnNumber = XML_GetCurrentColumnNumber(parser);
|
|
|
bba68d |
+ if (columnNumber != 0)
|
|
|
bba68d |
+ fail("XML_GetCurrentColumnNumber does not work as expected.");
|
|
|
bba68d |
+
|
|
|
bba68d |
+ XML_ParserFree(parser);
|
|
|
bba68d |
+ }
|
|
|
bba68d |
+}
|
|
|
bba68d |
+END_TEST
|
|
|
bba68d |
+#endif
|
|
|
bba68d |
+
|
|
|
bba68d |
static void
|
|
|
bba68d |
run_ns_tagname_overwrite_test(char *text, char *result)
|
|
|
bba68d |
{
|
|
|
bba68d |
@@ -1479,6 +1542,11 @@
|
|
|
bba68d |
tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute);
|
|
|
bba68d |
tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
|
|
|
bba68d |
|
|
|
bba68d |
+#ifdef XML_DTD
|
|
|
bba68d |
+ tcase_add_test(tc_basic,
|
|
|
bba68d |
+ test_misc_deny_internal_entity_closing_doctype_issue_317);
|
|
|
bba68d |
+#endif
|
|
|
bba68d |
+
|
|
|
bba68d |
return s;
|
|
|
bba68d |
}
|
|
|
bba68d |
|