Tree - rpms/libxml2 - CentOS Git server

rpms / libxml2

Blame SOURCES/libxml2-2.9.7-CVE-2022-40303.patch

Blob History Raw

		63b9ac	`From 7afb666b26cfb17689e5da98bed610a417083f9d Mon Sep 17 00:00:00 2001`
		63b9ac	`From: David King <amigadave@amigadave.com>`
		63b9ac	`Date: Tue, 3 Jan 2023 09:57:28 +0000`
		63b9ac	`Subject: [PATCH 1/2] Fix CVE-2022-40303`
		63b9ac
		63b9ac	`Adapted from https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0`
		63b9ac	`---`
		63b9ac	`parser.c \| 232 +++++++++++++++++++++++++++++--------------------------`
		63b9ac	`1 file changed, 121 insertions(+), 111 deletions(-)`
		63b9ac
		63b9ac	`diff --git a/parser.c b/parser.c`
		63b9ac	`index 1c5e036e..e66e4196 100644`
		63b9ac	`--- a/parser.c`
		63b9ac	`+++ b/parser.c`
		63b9ac	`@@ -108,6 +108,8 @@ static void xmlHaltParser(xmlParserCtxtPtr ctxt);`
		63b9ac	`* *`
		63b9ac	`************************************************************************/`
		63b9ac
		63b9ac	`+#define XML_MAX_HUGE_LENGTH 1000000000`
		63b9ac	`+`
		63b9ac	`#define XML_PARSER_BIG_ENTITY 1000`
		63b9ac	`#define XML_PARSER_LOT_ENTITY 5000`
		63b9ac
		63b9ac	`@@ -532,7 +534,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)`
		63b9ac	`errmsg = "Malformed declaration expecting version";`
		63b9ac	`break;`
		63b9ac	`case XML_ERR_NAME_TOO_LONG:`
		63b9ac	`- errmsg = "Name too long use XML_PARSE_HUGE option";`
		63b9ac	`+ errmsg = "Name too long";`
		63b9ac	`break;`
		63b9ac	`#if 0`
		63b9ac	`case:`
		63b9ac	`@@ -3150,6 +3152,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {`
		63b9ac	`int len = 0, l;`
		63b9ac	`int c;`
		63b9ac	`int count = 0;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac
		63b9ac	`#ifdef DEBUG`
		63b9ac	`nbParseNameComplex++;`
		63b9ac	`@@ -3241,13 +3246,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {`
		63b9ac	`if (ctxt->instate == XML_PARSER_EOF)`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`- len += l;`
		63b9ac	`+ if (len <= INT_MAX - l)`
		63b9ac	`+ len += l;`
		63b9ac	`NEXTL(l);`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3286,7 +3291,10 @@ const xmlChar *`
		63b9ac	`xmlParseName(xmlParserCtxtPtr ctxt) {`
		63b9ac	`const xmlChar *in;`
		63b9ac	`const xmlChar *ret;`
		63b9ac	`- int count = 0;`
		63b9ac	`+ size_t count = 0;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac
		63b9ac	`GROW;`
		63b9ac
		63b9ac	`@@ -3310,8 +3318,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {`
		63b9ac	`in++;`
		63b9ac	`if ((in > 0) && (in < 0x80)) {`
		63b9ac	`count = in - ctxt->input->cur;`
		63b9ac	`- if ((count > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (count > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3333,6 +3340,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {`
		63b9ac	`int len = 0, l;`
		63b9ac	`int c;`
		63b9ac	`int count = 0;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac	`size_t startPosition = 0;`
		63b9ac
		63b9ac	`#ifdef DEBUG`
		63b9ac	`@@ -3353,17 +3363,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {`
		63b9ac	`while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */`
		63b9ac	`(xmlIsNameChar(ctxt, c) && (c != ':'))) {`
		63b9ac	`if (count++ > XML_PARSER_CHUNK_SIZE) {`
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`- return(NULL);`
		63b9ac	`- }`
		63b9ac	`count = 0;`
		63b9ac	`GROW;`
		63b9ac	`if (ctxt->instate == XML_PARSER_EOF)`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`- len += l;`
		63b9ac	`+ if (len <= INT_MAX - l)`
		63b9ac	`+ len += l;`
		63b9ac	`NEXTL(l);`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`if (c == 0) {`
		63b9ac	`@@ -3381,8 +3387,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3408,7 +3413,10 @@ static const xmlChar *`
		63b9ac	`xmlParseNCName(xmlParserCtxtPtr ctxt) {`
		63b9ac	`const xmlChar in, e;`
		63b9ac	`const xmlChar *ret;`
		63b9ac	`- int count = 0;`
		63b9ac	`+ size_t count = 0;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac
		63b9ac	`#ifdef DEBUG`
		63b9ac	`nbParseNCName++;`
		63b9ac	`@@ -3433,8 +3441,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {`
		63b9ac	`goto complex;`
		63b9ac	`if ((in > 0) && (in < 0x80)) {`
		63b9ac	`count = in - ctxt->input->cur;`
		63b9ac	`- if ((count > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (count > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3517,6 +3524,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {`
		63b9ac	`const xmlChar cur = str;`
		63b9ac	`int len = 0, l;`
		63b9ac	`int c;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac
		63b9ac	`#ifdef DEBUG`
		63b9ac	`nbParseStringName++;`
		63b9ac	`@@ -3552,12 +3562,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {`
		63b9ac	`if (len + 10 > max) {`
		63b9ac	`xmlChar *tmp;`
		63b9ac
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`- xmlFree(buffer);`
		63b9ac	`- return(NULL);`
		63b9ac	`- }`
		63b9ac	`max *= 2;`
		63b9ac	`tmp = (xmlChar *) xmlRealloc(buffer,`
		63b9ac	`max * sizeof(xmlChar));`
		63b9ac	`@@ -3571,14 +3575,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {`
		63b9ac	`COPY_BUF(l,buffer,len,c);`
		63b9ac	`cur += l;`
		63b9ac	`c = CUR_SCHAR(cur, l);`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`+ xmlFree(buffer);`
		63b9ac	`+ return(NULL);`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buffer[len] = 0;`
		63b9ac	`*str = cur;`
		63b9ac	`return(buffer);`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3605,6 +3613,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {`
		63b9ac	`int len = 0, l;`
		63b9ac	`int c;`
		63b9ac	`int count = 0;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac
		63b9ac	`#ifdef DEBUG`
		63b9ac	`nbParseNmToken++;`
		63b9ac	`@@ -3656,12 +3667,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {`
		63b9ac	`if (len + 10 > max) {`
		63b9ac	`xmlChar *tmp;`
		63b9ac
		63b9ac	`- if ((max > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");`
		63b9ac	`- xmlFree(buffer);`
		63b9ac	`- return(NULL);`
		63b9ac	`- }`
		63b9ac	`max *= 2;`
		63b9ac	`tmp = (xmlChar *) xmlRealloc(buffer,`
		63b9ac	`max * sizeof(xmlChar));`
		63b9ac	`@@ -3675,6 +3680,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {`
		63b9ac	`COPY_BUF(l,buffer,len,c);`
		63b9ac	`NEXTL(l);`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");`
		63b9ac	`+ xmlFree(buffer);`
		63b9ac	`+ return(NULL);`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buffer[len] = 0;`
		63b9ac	`return(buffer);`
		63b9ac	`@@ -3682,8 +3692,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {`
		63b9ac	`}`
		63b9ac	`if (len == 0)`
		63b9ac	`return(NULL);`
		63b9ac	`- if ((len > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`@@ -3709,6 +3718,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {`
		63b9ac	`int len = 0;`
		63b9ac	`int size = XML_PARSER_BUFFER_SIZE;`
		63b9ac	`int c, l;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac	`xmlChar stop;`
		63b9ac	`xmlChar *ret = NULL;`
		63b9ac	`const xmlChar *cur = NULL;`
		63b9ac	`@@ -3768,6 +3780,14 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {`
		63b9ac	`GROW;`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`+`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,`
		63b9ac	`+ "entity value too long\n");`
		63b9ac	`+ if (buf != NULL)`
		63b9ac	`+ xmlFree(buf);`
		63b9ac	`+ return(ret);`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buf[len] = 0;`
		63b9ac	`if (ctxt->instate == XML_PARSER_EOF)`
		63b9ac	`@@ -3855,6 +3875,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {`
		63b9ac	`xmlChar *rep = NULL;`
		63b9ac	`size_t len = 0;`
		63b9ac	`size_t buf_size = 0;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac	`int c, l, in_space = 0;`
		63b9ac	`xmlChar *current = NULL;`
		63b9ac	`xmlEntityPtr ent;`
		63b9ac	`@@ -3886,16 +3909,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {`
		63b9ac	`while (((NXT(0) != limit) && /* checked */`
		63b9ac	`(IS_CHAR(c)) && (c != '<')) &&`
		63b9ac	`(ctxt->instate != XML_PARSER_EOF)) {`
		63b9ac	`- /*`
		63b9ac	`- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE`
		63b9ac	`- * special option is given`
		63b9ac	`- */`
		63b9ac	`- if ((len > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`- "AttValue length too long\n");`
		63b9ac	`- goto mem_error;`
		63b9ac	`- }`
		63b9ac	`if (c == 0) break;`
		63b9ac	`if (c == '&') {`
		63b9ac	`in_space = 0;`
		63b9ac	`@@ -4041,6 +4054,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {`
		63b9ac	`}`
		63b9ac	`GROW;`
		63b9ac	`c = CUR_CHAR(l);`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`+ "AttValue length too long\n");`
		63b9ac	`+ goto mem_error;`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`if (ctxt->instate == XML_PARSER_EOF)`
		63b9ac	`goto error;`
		63b9ac	`@@ -4062,16 +4080,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {`
		63b9ac	`} else`
		63b9ac	`NEXT;`
		63b9ac
		63b9ac	`- /*`
		63b9ac	`- * There we potentially risk an overflow, don't allow attribute value of`
		63b9ac	`- * length more than INT_MAX it is a very reasonnable assumption !`
		63b9ac	`- */`
		63b9ac	`- if (len >= INT_MAX) {`
		63b9ac	`- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`- "AttValue length too long\n");`
		63b9ac	`- goto mem_error;`
		63b9ac	`- }`
		63b9ac	`-`
		63b9ac	`if (attlen != NULL) *attlen = (int) len;`
		63b9ac	`return(buf);`
		63b9ac
		63b9ac	`@@ -4142,6 +4150,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`int len = 0;`
		63b9ac	`int size = XML_PARSER_BUFFER_SIZE;`
		63b9ac	`int cur, l;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac	`xmlChar stop;`
		63b9ac	`int state = ctxt->instate;`
		63b9ac	`int count = 0;`
		63b9ac	`@@ -4169,13 +4180,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`if (len + 5 >= size) {`
		63b9ac	`xmlChar *tmp;`
		63b9ac
		63b9ac	`- if ((size > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");`
		63b9ac	`- xmlFree(buf);`
		63b9ac	`- ctxt->instate = (xmlParserInputState) state;`
		63b9ac	`- return(NULL);`
		63b9ac	`- }`
		63b9ac	`size *= 2;`
		63b9ac	`tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));`
		63b9ac	`if (tmp == NULL) {`
		63b9ac	`@@ -4203,6 +4207,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`SHRINK;`
		63b9ac	`cur = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");`
		63b9ac	`+ xmlFree(buf);`
		63b9ac	`+ ctxt->instate = (xmlParserInputState) state;`
		63b9ac	`+ return(NULL);`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buf[len] = 0;`
		63b9ac	`ctxt->instate = (xmlParserInputState) state;`
		63b9ac	`@@ -4230,6 +4240,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`xmlChar *buf = NULL;`
		63b9ac	`int len = 0;`
		63b9ac	`int size = XML_PARSER_BUFFER_SIZE;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_TEXT_LENGTH :`
		63b9ac	`+ XML_MAX_NAME_LENGTH;`
		63b9ac	`xmlChar cur;`
		63b9ac	`xmlChar stop;`
		63b9ac	`int count = 0;`
		63b9ac	`@@ -4257,12 +4270,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`if (len + 1 >= size) {`
		63b9ac	`xmlChar *tmp;`
		63b9ac
		63b9ac	`- if ((size > XML_MAX_NAME_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");`
		63b9ac	`- xmlFree(buf);`
		63b9ac	`- return(NULL);`
		63b9ac	`- }`
		63b9ac	`size *= 2;`
		63b9ac	`tmp = (xmlChar ) xmlRealloc(buf, size sizeof(xmlChar));`
		63b9ac	`if (tmp == NULL) {`
		63b9ac	`@@ -4289,6 +4296,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {`
		63b9ac	`SHRINK;`
		63b9ac	`cur = CUR;`
		63b9ac	`}`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");`
		63b9ac	`+ xmlFree(buf);`
		63b9ac	`+ return(NULL);`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buf[len] = 0;`
		63b9ac	`if (cur != stop) {`
		63b9ac	`@@ -4686,6 +4698,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,`
		63b9ac	`int r, rl;`
		63b9ac	`int cur, l;`
		63b9ac	`size_t count = 0;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac	`int inputid;`
		63b9ac
		63b9ac	`inputid = ctxt->input->id;`
		63b9ac	`@@ -4731,13 +4746,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,`
		63b9ac	`if ((r == '-') && (q == '-')) {`
		63b9ac	`xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,`
		63b9ac	`- "Comment too big found", NULL);`
		63b9ac	`- xmlFree (buf);`
		63b9ac	`- return;`
		63b9ac	`- }`
		63b9ac	`if (len + 5 >= size) {`
		63b9ac	`xmlChar *new_buf;`
		63b9ac	`size_t new_size;`
		63b9ac	`@@ -4774,6 +4782,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,`
		63b9ac	`GROW;`
		63b9ac	`cur = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`+`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,`
		63b9ac	`+ "Comment too big found", NULL);`
		63b9ac	`+ xmlFree (buf);`
		63b9ac	`+ return;`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buf[len] = 0;`
		63b9ac	`if (cur == 0) {`
		63b9ac	`@@ -4818,6 +4833,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {`
		63b9ac	`xmlChar *buf = NULL;`
		63b9ac	`size_t size = XML_PARSER_BUFFER_SIZE;`
		63b9ac	`size_t len = 0;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac	`xmlParserInputState state;`
		63b9ac	`const xmlChar *in;`
		63b9ac	`size_t nbchar = 0;`
		63b9ac	`@@ -4901,8 +4919,7 @@ get_more:`
		63b9ac	`buf[len] = 0;`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,`
		63b9ac	`"Comment too big found", NULL);`
		63b9ac	`xmlFree (buf);`
		63b9ac	`@@ -5098,6 +5115,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {`
		63b9ac	`xmlChar *buf = NULL;`
		63b9ac	`size_t len = 0;`
		63b9ac	`size_t size = XML_PARSER_BUFFER_SIZE;`
		63b9ac	`+ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac	`int cur, l;`
		63b9ac	`const xmlChar *target;`
		63b9ac	`xmlParserInputState state;`
		63b9ac	`@@ -5172,14 +5192,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {`
		63b9ac	`return;`
		63b9ac	`}`
		63b9ac	`count = 0;`
		63b9ac	`- if ((len > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,`
		63b9ac	`- "PI %s too big found", target);`
		63b9ac	`- xmlFree(buf);`
		63b9ac	`- ctxt->instate = state;`
		63b9ac	`- return;`
		63b9ac	`- }`
		63b9ac	`}`
		63b9ac	`COPY_BUF(l,buf,len,cur);`
		63b9ac	`NEXTL(l);`
		63b9ac	`@@ -5189,15 +5201,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {`
		63b9ac	`GROW;`
		63b9ac	`cur = CUR_CHAR(l);`
		63b9ac	`}`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,`
		63b9ac	`+ "PI %s too big found", target);`
		63b9ac	`+ xmlFree(buf);`
		63b9ac	`+ ctxt->instate = state;`
		63b9ac	`+ return;`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`- if ((len > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,`
		63b9ac	`- "PI %s too big found", target);`
		63b9ac	`- xmlFree(buf);`
		63b9ac	`- ctxt->instate = state;`
		63b9ac	`- return;`
		63b9ac	`- }`
		63b9ac	`buf[len] = 0;`
		63b9ac	`if (cur != '?') {`
		63b9ac	`xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,`
		63b9ac	`@@ -8851,6 +8862,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`const xmlChar in = NULL, start, end, last;`
		63b9ac	`xmlChar *ret = NULL;`
		63b9ac	`int line, col;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac
		63b9ac	`GROW;`
		63b9ac	`in = (xmlChar *) CUR_PTR;`
		63b9ac	`@@ -8906,8 +8920,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`in = in + delta;`
		63b9ac	`}`
		63b9ac	`end = ctxt->input->end;`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`@@ -8929,8 +8942,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`in = in + delta;`
		63b9ac	`}`
		63b9ac	`end = ctxt->input->end;`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`@@ -8963,16 +8975,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`last = last + delta;`
		63b9ac	`}`
		63b9ac	`end = ctxt->input->end;`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`@@ -8994,8 +9004,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`in = in + delta;`
		63b9ac	`}`
		63b9ac	`end = ctxt->input->end;`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`@@ -9003,8 +9012,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int len, int alloc,`
		63b9ac	`}`
		63b9ac	`}`
		63b9ac	`last = in;`
		63b9ac	`- if (((in - start) > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`+ if ((in - start) > maxLength) {`
		63b9ac	`xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,`
		63b9ac	`"AttValue length too long\n");`
		63b9ac	`return(NULL);`
		63b9ac	`@@ -9711,6 +9719,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {`
		63b9ac	`int s, sl;`
		63b9ac	`int cur, l;`
		63b9ac	`int count = 0;`
		63b9ac	`+ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?`
		63b9ac	`+ XML_MAX_HUGE_LENGTH :`
		63b9ac	`+ XML_MAX_TEXT_LENGTH;`
		63b9ac
		63b9ac	`/* Check 2.6.0 was NXT(0) not RAW */`
		63b9ac	`if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {`
		63b9ac	`@@ -9744,13 +9755,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {`
		63b9ac	`if (len + 5 >= size) {`
		63b9ac	`xmlChar *tmp;`
		63b9ac
		63b9ac	`- if ((size > XML_MAX_TEXT_LENGTH) &&`
		63b9ac	`- ((ctxt->options & XML_PARSE_HUGE) == 0)) {`
		63b9ac	`- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,`
		63b9ac	`- "CData section too big found", NULL);`
		63b9ac	`- xmlFree (buf);`
		63b9ac	`- return;`
		63b9ac	`- }`
		63b9ac	`tmp = (xmlChar ) xmlRealloc(buf, size 2 * sizeof(xmlChar));`
		63b9ac	`if (tmp == NULL) {`
		63b9ac	`xmlFree(buf);`
		63b9ac	`@@ -9776,6 +9780,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {`
		63b9ac	`}`
		63b9ac	`NEXTL(l);`
		63b9ac	`cur = CUR_CHAR(l);`
		63b9ac	`+ if (len > maxLength) {`
		63b9ac	`+ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,`
		63b9ac	`+ "CData section too big found\n");`
		63b9ac	`+ xmlFree(buf);`
		63b9ac	`+ return;`
		63b9ac	`+ }`
		63b9ac	`}`
		63b9ac	`buf[len] = 0;`
		63b9ac	`ctxt->instate = XML_PARSER_CONTENT;`
		63b9ac	`--`
		63b9ac	`2.39.0`
		63b9ac

rpms / libxml2

Source Code

Blame SOURCES/libxml2-2.9.7-CVE-2022-40303.patch