
From 7eca8fef0d19c65bd2004ba73347575a38e8d08e Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: [PATCH] Heap use-after-free in xmlSAX2AttributeNs
To: libvir-list@redhat.com
For https://bugzilla.gnome.org/show_bug.cgi?id=759020
* parser.c:
(xmlParseStartTag2): Attribute strings are only valid if the
base does not change, so add another check where the base may
change.  Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 parser.c                     | 26 +++++++++++++++++++++++--
 result/errors/759020.xml     |  0
 result/errors/759020.xml.err |  6 ++++++
 result/errors/759020.xml.str |  7 +++++++
 test/errors/759020.xml       | 46 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 result/errors/759020.xml
 create mode 100644 result/errors/759020.xml.err
 create mode 100644 result/errors/759020.xml.str
 create mode 100644 test/errors/759020.xml
diff --git a/parser.c b/parser.c
6dedca
index 1936599..133df95 100644
6dedca
--- a/parser.c
6dedca
+++ b/parser.c
6dedca
@@ -9438,8 +9438,20 @@ reparse:
6dedca
 		else
6dedca
 		    if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
6dedca
 skip_default_ns:
6dedca
-		if (alloc != 0) xmlFree(attvalue);
6dedca
+		if ((attvalue != NULL) && (alloc != 0)) {
6dedca
+		    xmlFree(attvalue);
6dedca
+		    attvalue = NULL;
6dedca
+		}
6dedca
+		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
6dedca
+		    break;
6dedca
+		if (!IS_BLANK_CH(RAW)) {
6dedca
+		    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
6dedca
+				   "attributes construct error\n");
6dedca
+		    break;
6dedca
+		}
6dedca
 		SKIP_BLANKS;
6dedca
+		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
6dedca
+		    goto base_changed;
6dedca
 		continue;
6dedca
 	    }
6dedca
             if (aprefix == ctxt->str_xmlns) {
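Review bot: The two new `break` statements under `skip_default_ns` leave the attribute loop before the `ctxt->input->base != base` / `inputNr != ctxt->inputNr` test that this hunk adds on the `continue` path, so whether a buffer relocation during the just-parsed xmlns attribute is caught on the end-of-tag path depends on code after the loop, which is outside this hunk. If the post-loop code already repeats the same comparison before it dereferences anything in `atts`, a one-line comment at the first `break`, e.g. `/* base is re-checked after the loop before atts[] is used */`, would spare the next reader the same trace; if it does not, the check belongs before the `break`s as well. Reading `RAW` and `NXT(1)` ahead of `SKIP_BLANKS` looks safe in itself as long as those macros never grow the input buffer, which cannot be confirmed from the hunk. xmlParseStartTag2 begins and ends outside this hunk.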
6dedca
@@ -9511,7 +9523,17 @@ skip_default_ns:
6dedca
 		else
6dedca
 		    if (nsPush(ctxt, attname, URL) > 0) nbNs++;
6dedca
 skip_ns:
6dedca
-		if (alloc != 0) xmlFree(attvalue);
6dedca
+		if ((attvalue != NULL) && (alloc != 0)) {
6dedca
+		    xmlFree(attvalue);
6dedca
+		    attvalue = NULL;
6dedca
+		}
6dedca
+		if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
6dedca
+		    break;
6dedca
+		if (!IS_BLANK_CH(RAW)) {
6dedca
+		    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
6dedca
+				   "attributes construct error\n");
6dedca
+		    break;
6dedca
+		}
6dedca
 		SKIP_BLANKS;
6dedca
 		if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
6dedca
 		    goto base_changed;
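Review bot: The twelve lines under `skip_ns` are now a byte-for-byte copy of the block under `skip_default_ns` in the previous hunk, including the `attvalue != NULL` guard, and neither copy says why it is there; a later cleanup that drops the guard or the base test in one copy will silently make the two namespace paths diverge. The guard is presumably deliberate because `xmlFree` is a replaceable allocator hook rather than plain `free` (to be confirmed against the file's headers), so it deserves a comment such as `/* free only the heap copy; clear it so no stale pointer survives a base change */` at both labels. Folding the two tails into one shared label would remove the duplication, but that touches control flow outside this hunk and is best left to the maintainers. The enclosing function continues past the end of the hunk.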
6dedca
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
6dedca
new file mode 100644
6dedca
index 0000000..a0d3051
6dedca
--- /dev/null
6dedca
+++ b/result/errors/759020.xml.err
6dedca
@@ -0,0 +1,6 @@
6dedca
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
6dedca
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
6dedca
+                                                                               ^
6dedca
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
6dedca
+                                                                   
6dedca
+                                                                   ^
6dedca
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
6dedca
new file mode 100644
6dedca
index 0000000..998d6d2
6dedca
--- /dev/null
6dedca
+++ b/result/errors/759020.xml.str
6dedca
@@ -0,0 +1,7 @@
6dedca
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
6dedca
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
6dedca
+                                                                               ^
6dedca
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
6dedca
+                                                                   
6dedca
+                                                                   ^
6dedca
+./test/errors/759020.xml : failed to parse
6dedca
diff --git a/test/errors/759020.xml b/test/errors/759020.xml
6dedca
new file mode 100644
6dedca
index 0000000..db23275
6dedca
--- /dev/null
6dedca
+++ b/test/errors/759020.xml
6dedca
@@ -0,0 +1,46 @@
6dedca
+
6dedca
+
6dedca
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'       
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+           
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                              
6dedca
+                                                                   
6dedca
\ No newline at end of file
-- 
2.5.5