Tree - rpms/libxml2 - CentOS Git server

rpms / libxml2

Blame SOURCES/CVE-2014-3660-rhel7.patch

Blob History Raw

		6dedca	`commit 8ed73eb939d6c9b79f3fa41b76916cc443196bbc`
		6dedca	`Author: Daniel Veillard <veillard@redhat.com>`
		6dedca	`Date: Thu Oct 2 16:17:09 2014 +0800`
		6dedca
		6dedca	`Fix for CVE-2014-3660`
		6dedca
		6dedca	`Issues related to the billion laugh entity expansion which happened to`
		6dedca	`escape the initial set of fixes`
		6dedca
		6dedca	`diff --git a/parser.c b/parser.c`
		6dedca	`index f30588c..3c72cbb 100644`
		6dedca	`--- a/parser.c`
		6dedca	`+++ b/parser.c`
		6dedca	`@@ -130,6 +130,29 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,`
		6dedca	`return (0);`
		6dedca	`if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)`
		6dedca	`return (1);`
		6dedca	`+`
		6dedca	`+ /*`
		6dedca	`+ * This may look absurd but is needed to detect`
		6dedca	`+ * entities problems`
		6dedca	`+ */`
		6dedca	`+ if ((ent != NULL) && (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) &&`
		6dedca	`+ (ent->content != NULL) && (ent->checked == 0)) {`
		6dedca	`+ unsigned long oldnbent = ctxt->nbentities;`
		6dedca	`+ xmlChar *rep;`
		6dedca	`+`
		6dedca	`+ ent->checked = 1;`
		6dedca	`+`
		6dedca	`+ rep = xmlStringDecodeEntities(ctxt, ent->content,`
		6dedca	`+ XML_SUBSTITUTE_REF, 0, 0, 0);`
		6dedca	`+`
		6dedca	`+ ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;`
		6dedca	`+ if (rep != NULL) {`
		6dedca	`+ if (xmlStrchr(rep, '<'))`
		6dedca	`+ ent->checked \|= 1;`
		6dedca	`+ xmlFree(rep);`
		6dedca	`+ rep = NULL;`
		6dedca	`+ }`
		6dedca	`+ }`
		6dedca	`if (replacement != 0) {`
		6dedca	`if (replacement < XML_MAX_TEXT_LENGTH)`
		6dedca	`return(0);`
		6dedca	`@@ -189,9 +212,12 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,`
		6dedca	`return (0);`
		6dedca	`} else {`
		6dedca	`/*`
		6dedca	`- * strange we got no data for checking just return`
		6dedca	`+ * strange we got no data for checking`
		6dedca	`*/`
		6dedca	`- return (0);`
		6dedca	`+ if (((ctxt->lastError.code != XML_ERR_UNDECLARED_ENTITY) &&`
		6dedca	`+ (ctxt->lastError.code != XML_WAR_UNDECLARED_ENTITY)) \|\|`
		6dedca	`+ (ctxt->nbentities <= 10000))`
		6dedca	`+ return (0);`
		6dedca	`}`
		6dedca	`xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);`
		6dedca	`return (1);`
		6dedca	`@@ -2584,6 +2610,7 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {`
		6dedca	`name, NULL);`
		6dedca	`ctxt->valid = 0;`
		6dedca	`}`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		6dedca	`} else if (ctxt->input->free != deallocblankswrapper) {`
		6dedca	`input = xmlNewBlanksWrapperInputStream(ctxt, entity);`
		6dedca	`if (xmlPushInput(ctxt, input) < 0)`
		6dedca	`@@ -2737,6 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,`
		6dedca	`if ((ctxt->lastError.code == XML_ERR_ENTITY_LOOP) \|\|`
		6dedca	`(ctxt->lastError.code == XML_ERR_INTERNAL_ERROR))`
		6dedca	`goto int_error;`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		6dedca	`if (ent != NULL)`
		6dedca	`ctxt->nbentities += ent->checked / 2;`
		6dedca	`if ((ent != NULL) &&`
		6dedca	`@@ -2788,6 +2816,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,`
		6dedca	`ent = xmlParseStringPEReference(ctxt, &str);`
		6dedca	`if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)`
		6dedca	`goto int_error;`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		6dedca	`if (ent != NULL)`
		6dedca	`ctxt->nbentities += ent->checked / 2;`
		6dedca	`if (ent != NULL) {`
		6dedca	`@@ -7286,6 +7315,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		6dedca	`(ret != XML_WAR_UNDECLARED_ENTITY)) {`
		6dedca	`xmlFatalErrMsgStr(ctxt, XML_ERR_UNDECLARED_ENTITY,`
		6dedca	`"Entity '%s' failed to parse\n", ent->name);`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		6dedca	`} else if (list != NULL) {`
		6dedca	`xmlFreeNodeList(list);`
		6dedca	`list = NULL;`
		6dedca	`@@ -7392,7 +7422,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		6dedca	`/*`
		6dedca	`* We are copying here, make sure there is no abuse`
		6dedca	`*/`
		6dedca	`- ctxt->sizeentcopy += ent->length;`
		6dedca	`+ ctxt->sizeentcopy += ent->length + 5;`
		6dedca	`if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))`
		6dedca	`return;`
		6dedca
		6dedca	`@@ -7440,7 +7470,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {`
		6dedca	`/*`
		6dedca	`* We are copying here, make sure there is no abuse`
		6dedca	`*/`
		6dedca	`- ctxt->sizeentcopy += ent->length;`
		6dedca	`+ ctxt->sizeentcopy += ent->length + 5;`
		6dedca	`if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))`
		6dedca	`return;`
		6dedca
		6dedca	`@@ -7626,6 +7656,7 @@ xmlParseEntityRef(xmlParserCtxtPtr ctxt) {`
		6dedca	`ctxt->sax->reference(ctxt->userData, name);`
		6dedca	`}`
		6dedca	`}`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		6dedca	`ctxt->valid = 0;`
		6dedca	`}`
		6dedca
		6dedca	`@@ -7819,6 +7850,7 @@ xmlParseStringEntityRef(xmlParserCtxtPtr ctxt, const xmlChar ** str) {`
		6dedca	`"Entity '%s' not defined\n",`
		6dedca	`name);`
		6dedca	`}`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, ent, 0);`
		6dedca	`/* TODO ? check regressions ctxt->valid = 0; */`
		6dedca	`}`
		6dedca
		6dedca	`@@ -7978,6 +8010,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)`
		6dedca	`name, NULL);`
		6dedca	`ctxt->valid = 0;`
		6dedca	`}`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		6dedca	`} else {`
		6dedca	`/*`
		6dedca	`* Internal checking in case the entity quest barfed`
		6dedca	`@@ -8217,6 +8250,7 @@ xmlParseStringPEReference(xmlParserCtxtPtr ctxt, const xmlChar **str) {`
		6dedca	`name, NULL);`
		6dedca	`ctxt->valid = 0;`
		6dedca	`}`
		6dedca	`+ xmlParserEntityCheck(ctxt, 0, NULL, 0);`
		6dedca	`} else {`
		6dedca	`/*`
		6dedca	`* Internal checking in case the entity quest barfed`

rpms / libxml2

Source Code

Blame SOURCES/CVE-2014-3660-rhel7.patch