Tree - rpms/libxml2 - CentOS Git server

rpms / libxml2

Blame SOURCES/CVE-2014-3660-rhel7.patch

Blob History Raw

		8f6325	`commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc`
		8f6325	`Author: Daniel Veillard <veillard@redhat.com>`
		8f6325	`Date: Thu Oct 2 16:17:09 2014 +0800`
		8f6325
		8f6325	`Fix for CVE-2014-3660`
		8f6325
		8f6325	`Issues related to the billion laugh entity expansion which happened to`
		8f6325	`escape the initial set of fixes`
		8f6325
		8f6325	`diff --git a/parser.c b/parser.c`
		8f6325	`index f30588c..3c72cbb 100644`
		8f6325	`--- a/parser.c`
		8f6325	`+++ b/parser.c`
		8f6325	`@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,`
		8f6325	`return (0);`
		8f6325	`if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)`
		8f6325	`return (1);`
		8f6325	`+`
		8f6325	`+ /*`
		8f6325	`+ * This may look absurd but is needed to detect`
		8f6325	`+ * entities problems`
		8f6325	`+ */`
		8f6325	`+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&`
		8f6325	`+ (ent->content != NULL) && (ent->checked == 0)) {`
		8f6325	`+ unsigned long oldnbent = ctxt->nbentities;`
		8f6325	`+ xmlChar *rep;`
		8f6325	`+`
		8f6325	`+ ent->checked = 1;`
		8f6325	`+`
		8f6325	`+ rep = xmlStringDecodeEntities(ctxt, ent->content,`
		8f6325	`+ XML_SUBSTITUTE_REF, 0, 0, 0);`
		8f6325	`+`
		8f6325	`+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;`
		8f6325	`+ if (rep != NULL) {`
		8f6325	`+ if (xmlStrchr(rep, '<'))`
		8f6325	`+ ent->checked \|= 1;`
		8f6325	`+ xmlFree(rep);`
		8f6325	`+ rep = NULL;`
		8f6325	`+ }`
		8f6325	`+ }`
		8f6325	`if (replacement != 0) {`
		8f6325	`if (replacement < XML_MAX_TEXT_LENGTH)`
		8f6325	`return(0);`
		8f6325	`@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,`
		8f6325	`return (0);`
		8f6325	`} else {`
		8f6325	`/*`
		8f6325	`- * strange we got no data for checking just return`
		8f6325	`+ * strange we got no data for checking`
		8f6325	`*/`
		8f6325	`- return (0);`
		8f6325	`+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&`
		8f6325	`+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) \|\|`
		8f6325	`+ (ctxt->nbentities <= 10000))`
		8f6325	`+ return (0);`
		8f6325	`}`
		8f6325	`xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);`
		8f6325	`return (1);`
		8f6325	`@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {`
		8f6325	`name, NULL);`
		8f6325	`ctxt->valid = 0;`
		8f6325	`}`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		8f6325	`} else if (ctxt->input->free != deallocblankswrapper) {`
		8f6325	`input = xmlNewBlanksWrapperInputStream(ctxt, entity);`
		8f6325	`if (xmlPushInput(ctxt, input) < 0)`
		8f6325	`@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,`
		8f6325	`if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) \|\|`
		8f6325	`(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))`
		8f6325	`goto int_error;`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		8f6325	`if (ent != NULL)`
		8f6325	`ctxt->nbentities += ent->checked / 2;`
		8f6325	`if ((ent != NULL) &&`
		8f6325	`@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,`
		8f6325	`ent = xmlParseStringPEReference(ctxt, &str);`
		8f6325	`if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)`
		8f6325	`goto int_error;`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		8f6325	`if (ent != NULL)`
		8f6325	`ctxt->nbentities += ent->checked / 2;`
		8f6325	`if (ent != NULL) {`
		8f6325	`@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		8f6325	`(ret != XML_WAR_UNDECLARED_ENTITY)) {`
		8f6325	`xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,`
		8f6325	`"Entity '%s' failed to parse\n", ent->name);`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		8f6325	`} else if (list != NULL) {`
		8f6325	`xmlFreeNodeList(list);`
		8f6325	`list = NULL;`
		8f6325	`@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		8f6325	`/*`
		8f6325	`* We are copying here, make sure there is no abuse`
		8f6325	`*/`
		8f6325	`- ctxt->sizeentcopy += ent->length;`
		8f6325	`+ ctxt->sizeentcopy += ent->length + 5;`
		8f6325	`if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))`
		8f6325	`return;`
		8f6325
		8f6325	`@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		8f6325	`/*`
		8f6325	`* We are copying here, make sure there is no abuse`
		8f6325	`*/`
		8f6325	`- ctxt->sizeentcopy += ent->length;`
		8f6325	`+ ctxt->sizeentcopy += ent->length + 5;`
		8f6325	`if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))`
		8f6325	`return;`
		8f6325
		8f6325	`@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {`
		8f6325	`ctxt->sax->reference(ctxt->userData, name);`
		8f6325	`}`
		8f6325	`}`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		8f6325	`ctxt->valid = 0;`
		8f6325	`}`
		8f6325
		8f6325	`@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {`
		8f6325	`"Entity '%s' not defined\n",`
		8f6325	`name);`
		8f6325	`}`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		8f6325	`/* TODO ? check regressions ctxt->valid = 0; */`
		8f6325	`}`
		8f6325
		8f6325	`@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)`
		8f6325	`name, NULL);`
		8f6325	`ctxt->valid = 0;`
		8f6325	`}`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		8f6325	`} else {`
		8f6325	`/*`
		8f6325	`* Internal checking in case the entity quest barfed`
		8f6325	`@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {`
		8f6325	`name, NULL);`
		8f6325	`ctxt->valid = 0;`
		8f6325	`}`
		8f6325	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		8f6325	`} else {`
		8f6325	`/*`
		8f6325	`* Internal checking in case the entity quest barfed`

rpms / libxml2

Source Code

Blame SOURCES/CVE-2014-3660-rhel7.patch