Blame SOURCES/expat-2.1.0-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch

85626f
commit 717421569bd8217a441ed10690a8f92cd6968d56
85626f
Author: Tomas Korbar <tkorbar@redhat.com>
85626f
Date:   Mon Oct 3 13:10:23 2022 +0200
85626f
85626f
    Fix CVE-2022-40674
85626f
85626f
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
85626f
index 989ab8c..4ce7209 100644
85626f
--- a/lib/xmlparse.c
85626f
+++ b/lib/xmlparse.c
85626f
@@ -5221,8 +5221,14 @@ internalEntityProcessor(XML_Parser parser,
85626f
   {
85626f
     processor = contentProcessor;
85626f
     /* see externalEntityContentProcessor vs contentProcessor */
85626f
-    return doContent(parser, parentParser ? 1 : 0, encoding, s, end,
85626f
-                     nextPtr, (XML_Bool)!ps_finalBuffer);
85626f
+    result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
85626f
+                      s, end, nextPtr,
85626f
+                      (XML_Bool)! parser->m_parsingStatus.finalBuffer);
85626f
+    if (result == XML_ERROR_NONE) {
85626f
+      if (! storeRawNames(parser))
85626f
+        return XML_ERROR_NO_MEMORY;
85626f
+    }
85626f
+    return result;
85626f
   }
85626f
 }
85626f
 
85626f
diff --git a/tests/runtests.c b/tests/runtests.c
85626f
index c01f096..b83b47e 100644
85626f
--- a/tests/runtests.c
85626f
+++ b/tests/runtests.c
85626f
@@ -1650,6 +1650,77 @@ START_TEST(test_utf8_in_start_tags) {
85626f
 }
85626f
 END_TEST
85626f
 
85626f
+void
85626f
+suspending_comment_handler(void *userData, const XML_Char *UNUSED_P(data)) {
85626f
+  XML_Parser parser = (XML_Parser)userData;
85626f
+  XML_StopParser(parser, XML_TRUE);
85626f
+}
85626f
+
85626f
+START_TEST(test_suspend_resume_internal_entity_issue_629) {
85626f
+  const char *const text
85626f
+      = "a'>]>&e;\n"
85626f
+        "<"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
85626f
+        "/>"
85626f
+        "";
85626f
+  const size_t firstChunkSizeBytes = 54;
85626f
+
85626f
+  XML_Parser parser = XML_ParserCreate(NULL);
85626f
+  XML_SetUserData(parser, parser);
85626f
+  XML_SetCommentHandler(parser, suspending_comment_handler);
85626f
+
85626f
+  if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
85626f
+      != XML_STATUS_SUSPENDED)
85626f
+    xml_failure(parser);
85626f
+  if (XML_ResumeParser(parser) != XML_STATUS_OK)
85626f
+    xml_failure(parser);
85626f
+  if (XML_Parse(parser, text + firstChunkSizeBytes,
85626f
+                (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
85626f
+      != XML_STATUS_OK)
85626f
+    xml_failure(parser);
85626f
+  XML_ParserFree(parser);
85626f
+}
85626f
+END_TEST
85626f
+
85626f
 static Suite *
85626f
 make_suite(void)
85626f
 {
85626f
@@ -1705,6 +1776,7 @@ make_suite(void)
85626f
     tcase_add_test(tc_basic, test_suspend_parser_between_char_data_calls);
85626f
     tcase_add_test(tc_basic, test_utf8_in_start_tags);
85626f
     tcase_add_test(tc_basic, test_bad_doctype_utf8);
85626f
+    tcase_add_test(tc_basic, test_suspend_resume_internal_entity_issue_629);
85626f
 
85626f
     suite_add_tcase(s, tc_namespace);
85626f
     tcase_add_checked_fixture(tc_namespace,