commit 717421569bd8217a441ed10690a8f92cd6968d56
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Mon Oct 3 13:10:23 2022 +0200
|
Fix CVE-2022-40674
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 989ab8c..4ce7209 100644
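--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -5221,8 +5221,14 @@ internalEntityProcessor(XML_Parser parser,
 {
 processor = contentProcessor;
 /* see externalEntityContentProcessor vs contentProcessor */
- return doContent(parser, parentParser ? 1 : 0, encoding, s, end,
- nextPtr, (XML_Bool)!ps_finalBuffer);
+ result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+ s, end, nextPtr,
+ (XML_Bool)! parser->m_parsingStatus.finalBuffer);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+ }
+ return result;
 }
 }
 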
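Review bot: The added `storeRawNames(parser)` call after `doContent` has no comment saying why it is there, although it is the whole fix for the CVE named in the commit title. A line such as `/* open tag names may still point into the caller's input buffer; copy them before returning so a later resume cannot read freed memory */` above `if (result == XML_ERROR_NONE)` would keep a later refactor from dropping it; the buffer-lifetime reason is inferred from the suspend/resume sequence in the regression test, so confirm the wording against upstream. As a style point, the new call spells out `parser->m_parentParser`, `parser->m_encoding` and `parser->m_parsingStatus.finalBuffer` where the removed lines used `parentParser`, `encoding` and `ps_finalBuffer`, while the context line above still writes `processor`; one convention per function reads better. `result` is declared outside the hunk, and internalEntityProcessor starts outside it.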
diff --git a/tests/runtests.c b/tests/runtests.c
index c01f096..b83b47e 100644
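--- a/tests/runtests.c
+++ b/tests/runtests.c
@@ -1650,6 +1650,77 @@ START_TEST(test_utf8_in_start_tags) {
 }
 END_TEST
 
+void
+suspending_comment_handler(void *userData, const XML_Char *UNUSED_P(data)) {
+ XML_Parser parser = (XML_Parser)userData;
+ XML_StopParser(parser, XML_TRUE);
+}
+
+START_TEST(test_suspend_resume_internal_entity_issue_629) {
+ const char *const text
+ = "a'>]>&e;\n"
+ "<"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ "/>"
+ "";
+ const size_t firstChunkSizeBytes = 54;
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ XML_SetUserData(parser, parser);
+ XML_SetCommentHandler(parser, suspending_comment_handler);
+
+ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
+ != XML_STATUS_SUSPENDED)
+ xml_failure(parser);
+ if (XML_ResumeParser(parser) != XML_STATUS_OK)
+ xml_failure(parser);
+ if (XML_Parse(parser, text + firstChunkSizeBytes,
+ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
+ != XML_STATUS_OK)
+ xml_failure(parser);
+ XML_ParserFree(parser);
+}
+END_TEST
+
 static Suite *
 make_suite(void)
 {
@@ -1705,6 +1776,7 @@ make_suite(void)
 tcase_add_test(tc_basic, test_suspend_parser_between_char_data_calls);
 tcase_add_test(tc_basic, test_utf8_in_start_tags);
 tcase_add_test(tc_basic, test_bad_doctype_utf8);
+ tcase_add_test(tc_basic, test_suspend_resume_internal_entity_issue_629);
 
 suite_add_tcase(s, tc_namespace);
 tcase_add_checked_fixture(tc_namespace,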
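Review bot: `suspending_comment_handler` is defined as plain `void` with external linkage and no calling-convention macro, although it is registered through `XML_SetCommentHandler`; `static void XMLCALL suspending_comment_handler(...)` would keep it local to the test file and match the callback type on builds where `XMLCALL` is not empty. In the test body, `firstChunkSizeBytes = 54` is a bare constant tied to the layout of `text`, and `(int)(strlen(text) - firstChunkSizeBytes)` wraps if the literal is ever shorter than that, so a one-line comment stating which byte the first chunk must end on would make the regression test auditable. As rendered on this page the first line of the literal is only nine bytes long, which suggests the markup inside `text` was lost in display; compare the literal with the patch file before reusing it.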