From d9825f106532a898bb6df46effa0bf099ec16a47 Mon Sep 17 00:00:00 2001

From: Daniel Veillard <veillard@redhat.com>

Date: Fri, 20 Nov 2015 16:06:59 +0800

Subject: [PATCH] CVE-2015-7500 Fix memory access error due to incorrect

 entities boundaries

To: libvir-list@redhat.com

For https://bugzilla.gnome.org/show_bug.cgi?id=756525

handle properly the case where we popped out of the current entity

while processing a start tag

Reported by Kostya Serebryany @ Google

Signed-off-by: Daniel Veillard <veillard@redhat.com>

---

 parser.c | 28 ++++++++++++++++++++++------

 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/parser.c b/parser.c

index cc45e17..f4fc310 100644

--- a/parser.c

+++ b/parser.c

@@ -9309,7 +9309,7 @@ xmlParseStartTag2(xmlParserCtxtPtr ctxt, const xmlChar **pref,

     const xmlChar **atts = ctxt->atts;

     int maxatts = ctxt->maxatts;

     int nratts, nbatts, nbdef;

-    int i, j, nbNs, attval, oldline, oldcol;

+    int i, j, nbNs, attval, oldline, oldcol, inputNr;

     const xmlChar *base;

     unsigned long cur;

     int nsNr = ctxt->nsNr;

@@ -9328,6 +9328,7 @@ reparse:

     SHRINK;

     base = ctxt->input->base;

     cur = ctxt->input->cur - ctxt->input->base;

+    inputNr = ctxt->inputNr;

     oldline = ctxt->input->line;

     oldcol = ctxt->input->col;

     nbatts = 0;

@@ -9353,7 +9354,8 @@ reparse:

      */

     SKIP_BLANKS;

     GROW;

-    if (ctxt->input->base != base) goto base_changed;

+    if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))

+        goto base_changed;

     while (((RAW != '>') &&

 	   ((RAW != '/') || (NXT(1) != '>')) &&

@@ -9364,7 +9366,7 @@ reparse:

 	attname = xmlParseAttribute2(ctxt, prefix, localname,

 	                             &aprefix, &attvalue, &len, &alloc);

-	if (ctxt->input->base != base) {

+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) {

 	    if ((attvalue != NULL) && (alloc != 0))

 	        xmlFree(attvalue);

 	    attvalue = NULL;

@@ -9493,7 +9495,8 @@ skip_default_ns:

 skip_ns:

 		if (alloc != 0) xmlFree(attvalue);

 		SKIP_BLANKS;

-		if (ctxt->input->base != base) goto base_changed;

+		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))

+		    goto base_changed;

 		continue;

 	    }

@@ -9530,7 +9533,8 @@ failed:

 	GROW

         if (ctxt->instate == XML_PARSER_EOF)

             break;

-	if (ctxt->input->base != base) goto base_changed;

+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))

+	    goto base_changed;

 	if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))

 	    break;

 	if (!IS_BLANK_CH(RAW)) {

@@ -9546,7 +9550,8 @@ failed:

 	    break;

 	}

         GROW;

-	if (ctxt->input->base != base) goto base_changed;

+	if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))

+	    goto base_changed;

     }

     /*

@@ -9713,6 +9718,17 @@ base_changed:

 	    if ((ctxt->attallocs[j] != 0) && (atts[i] != NULL))

 	        xmlFree((xmlChar *) atts[i]);

     }

+

+    /*

+     * We can't switch from one entity to another in the middle

+     * of a start tag

+     */

+    if (inputNr != ctxt->inputNr) {

+        xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,

+		    "Start tag doesn't start and stop in the same entity\n");

+	return(NULL);

+    }

+

     ctxt->input->cur = ctxt->input->base + cur;

     ctxt->input->line = oldline;

     ctxt->input->col = oldcol;

-- 

2.5.0