|
 |
63b9ac |
From a8fa5f7b5c3c745397b3178405d6be9fdb3cfcbc Mon Sep 17 00:00:00 2001
|
|
|
63b9ac |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
63b9ac |
Date: Wed, 31 Aug 2022 22:11:25 +0200
|
|
|
63b9ac |
Subject: [PATCH 2/2] Fix dict corruption caused by entity reference cycles
|
|
|
63b9ac |
|
|
|
63b9ac |
When an entity reference cycle is detected, the entity content is
|
|
|
63b9ac |
cleared by setting its first byte to zero. But the entity content might
|
|
|
63b9ac |
be allocated from a dict. In this case, the dict entry becomes corrupted
|
|
|
63b9ac |
leading to all kinds of logic errors, including memory errors like
|
|
|
63b9ac |
double-frees.
|
|
|
63b9ac |
|
|
|
63b9ac |
Stop storing entity content, orig, ExternalID and SystemID in a dict.
|
|
|
63b9ac |
These values are unlikely to occur multiple times in a document, so they
|
|
|
63b9ac |
shouldn't have been stored in a dict in the first place.
|
|
|
63b9ac |
|
|
|
63b9ac |
Thanks to Ned Williamson and Nathan Wachholz working with Google Project
|
|
|
63b9ac |
Zero for the report!
|
|
|
63b9ac |
---
|
|
|
63b9ac |
entities.c | 55 ++++++++++++++++--------------------------------------
|
|
|
63b9ac |
1 file changed, 16 insertions(+), 39 deletions(-)
|
|
|
63b9ac |
|
|
|
63b9ac |
diff --git a/entities.c b/entities.c
|
|
|
63b9ac |
index c8193376..3bf1c3ce 100644
|
|
|
63b9ac |
--- a/entities.c
|
|
|
63b9ac |
+++ b/entities.c
|
|
|
63b9ac |
@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity)
|
|
|
63b9ac |
if ((entity->children) && (entity->owner == 1) &&
|
|
|
63b9ac |
(entity == (xmlEntityPtr) entity->children->parent))
|
|
|
63b9ac |
xmlFreeNodeList(entity->children);
|
|
|
63b9ac |
- if (dict != NULL) {
|
|
|
63b9ac |
- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
|
|
|
63b9ac |
- xmlFree((char *) entity->name);
|
|
|
63b9ac |
- if ((entity->ExternalID != NULL) &&
|
|
|
63b9ac |
- (!xmlDictOwns(dict, entity->ExternalID)))
|
|
|
63b9ac |
- xmlFree((char *) entity->ExternalID);
|
|
|
63b9ac |
- if ((entity->SystemID != NULL) &&
|
|
|
63b9ac |
- (!xmlDictOwns(dict, entity->SystemID)))
|
|
|
63b9ac |
- xmlFree((char *) entity->SystemID);
|
|
|
63b9ac |
- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
|
|
|
63b9ac |
- xmlFree((char *) entity->URI);
|
|
|
63b9ac |
- if ((entity->content != NULL)
|
|
|
63b9ac |
- && (!xmlDictOwns(dict, entity->content)))
|
|
|
63b9ac |
- xmlFree((char *) entity->content);
|
|
|
63b9ac |
- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
|
|
|
63b9ac |
- xmlFree((char *) entity->orig);
|
|
|
63b9ac |
- } else {
|
|
|
63b9ac |
- if (entity->name != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->name);
|
|
|
63b9ac |
- if (entity->ExternalID != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->ExternalID);
|
|
|
63b9ac |
- if (entity->SystemID != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->SystemID);
|
|
|
63b9ac |
- if (entity->URI != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->URI);
|
|
|
63b9ac |
- if (entity->content != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->content);
|
|
|
63b9ac |
- if (entity->orig != NULL)
|
|
|
63b9ac |
- xmlFree((char *) entity->orig);
|
|
|
63b9ac |
- }
|
|
|
63b9ac |
+ if ((entity->name != NULL) &&
|
|
|
63b9ac |
+ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
|
|
|
63b9ac |
+ xmlFree((char *) entity->name);
|
|
|
63b9ac |
+ if (entity->ExternalID != NULL)
|
|
|
63b9ac |
+ xmlFree((char *) entity->ExternalID);
|
|
|
63b9ac |
+ if (entity->SystemID != NULL)
|
|
|
63b9ac |
+ xmlFree((char *) entity->SystemID);
|
|
|
63b9ac |
+ if (entity->URI != NULL)
|
|
|
63b9ac |
+ xmlFree((char *) entity->URI);
|
|
|
63b9ac |
+ if (entity->content != NULL)
|
|
|
63b9ac |
+ xmlFree((char *) entity->content);
|
|
|
63b9ac |
+ if (entity->orig != NULL)
|
|
|
63b9ac |
+ xmlFree((char *) entity->orig);
|
|
|
63b9ac |
xmlFree(entity);
|
|
|
63b9ac |
}
|
|
|
63b9ac |
|
|
|
63b9ac |
@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
|
|
|
63b9ac |
ret->SystemID = xmlStrdup(SystemID);
|
|
|
63b9ac |
} else {
|
|
|
63b9ac |
ret->name = xmlDictLookup(dict, name, -1);
|
|
|
63b9ac |
- if (ExternalID != NULL)
|
|
|
63b9ac |
- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
|
|
|
63b9ac |
- if (SystemID != NULL)
|
|
|
63b9ac |
- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
|
|
|
63b9ac |
+ ret->ExternalID = xmlStrdup(ExternalID);
|
|
|
63b9ac |
+ ret->SystemID = xmlStrdup(SystemID);
|
|
|
63b9ac |
}
|
|
|
63b9ac |
if (content != NULL) {
|
|
|
63b9ac |
ret->length = xmlStrlen(content);
|
|
|
63b9ac |
- if ((dict != NULL) && (ret->length < 5))
|
|
|
63b9ac |
- ret->content = (xmlChar *)
|
|
|
63b9ac |
- xmlDictLookup(dict, content, ret->length);
|
|
|
63b9ac |
- else
|
|
|
63b9ac |
- ret->content = xmlStrndup(content, ret->length);
|
|
|
63b9ac |
+ ret->content = xmlStrndup(content, ret->length);
|
|
|
63b9ac |
} else {
|
|
|
63b9ac |
ret->length = 0;
|
|
|
63b9ac |
ret->content = NULL;
|
|
|
63b9ac |
--
|
|
|
63b9ac |
2.39.0
|
|
|
63b9ac |
|