|
 |
71bd0b |
From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001
|
|
|
71bd0b |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
71bd0b |
Date: Mon, 17 Aug 2020 03:42:11 +0200
|
|
|
71bd0b |
Subject: [PATCH 1/3] Stop using maxParserDepth XPath limit
|
|
|
71bd0b |
|
|
|
71bd0b |
This will be removed again from libxml2.
|
|
|
71bd0b |
---
|
|
|
71bd0b |
tests/fuzz/fuzz.c | 6 ++----
|
|
|
71bd0b |
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
|
71bd0b |
|
|
|
71bd0b |
diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
|
|
|
71bd0b |
index f502ca2c..75234ad6 100644
|
|
|
71bd0b |
--- a/tests/fuzz/fuzz.c
|
|
|
71bd0b |
+++ b/tests/fuzz/fuzz.c
|
|
|
71bd0b |
@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
|
|
|
71bd0b |
xpctxt = tctxt->xpathCtxt;
|
|
|
71bd0b |
|
|
|
71bd0b |
/* Resource limits to avoid timeouts and call stack overflows */
|
|
|
71bd0b |
- xpctxt->maxParserDepth = 15;
|
|
|
71bd0b |
- xpctxt->maxDepth = 100;
|
|
|
71bd0b |
+ xpctxt->maxDepth = 500;
|
|
|
71bd0b |
xpctxt->opLimit = 500000;
|
|
|
71bd0b |
|
|
|
71bd0b |
/* Test namespaces used in xpath.xml */
|
|
|
71bd0b |
@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
|
|
|
71bd0b |
|
|
|
71bd0b |
static void
|
|
|
71bd0b |
xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
|
|
|
71bd0b |
- ctxt->maxParserDepth = 15;
|
|
|
71bd0b |
- ctxt->maxDepth = 100;
|
|
|
71bd0b |
+ ctxt->maxDepth = 200;
|
|
|
71bd0b |
ctxt->opLimit = 100000;
|
|
|
71bd0b |
}
|
|
|
71bd0b |
|
|
|
71bd0b |
--
|
|
|
71bd0b |
2.34.1
|
|
|
71bd0b |
|
|
|
71bd0b |
|
|
|
71bd0b |
From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
|
|
|
71bd0b |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
71bd0b |
Date: Mon, 17 Aug 2020 04:27:13 +0200
|
|
|
71bd0b |
Subject: [PATCH 2/3] Transfer XPath limits to XPtr context
|
|
|
71bd0b |
|
|
|
71bd0b |
Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
|
|
|
71bd0b |
XPath limits.
|
|
|
71bd0b |
---
|
|
|
71bd0b |
libxslt/functions.c | 14 +++++++++++++-
|
|
|
71bd0b |
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
|
71bd0b |
|
|
|
71bd0b |
diff --git a/libxslt/functions.c b/libxslt/functions.c
|
|
|
71bd0b |
index b350545a..975ea790 100644
|
|
|
71bd0b |
--- a/libxslt/functions.c
|
|
|
71bd0b |
+++ b/libxslt/functions.c
|
|
|
71bd0b |
@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
|
|
|
71bd0b |
goto out_fragment;
|
|
|
71bd0b |
}
|
|
|
71bd0b |
|
|
|
71bd0b |
+#if LIBXML_VERSION >= 20911 || \
|
|
|
71bd0b |
+ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
|
|
|
71bd0b |
+ xptrctxt->opLimit = ctxt->context->opLimit;
|
|
|
71bd0b |
+ xptrctxt->opCount = ctxt->context->opCount;
|
|
|
71bd0b |
+ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
|
|
|
71bd0b |
+
|
|
|
71bd0b |
+ resObj = xmlXPtrEval(fragment, xptrctxt);
|
|
|
71bd0b |
+
|
|
|
71bd0b |
+ ctxt->context->opCount = xptrctxt->opCount;
|
|
|
71bd0b |
+#else
|
|
|
71bd0b |
resObj = xmlXPtrEval(fragment, xptrctxt);
|
|
|
71bd0b |
- xmlXPathFreeContext(xptrctxt);
|
|
|
71bd0b |
#endif
|
|
|
71bd0b |
|
|
|
71bd0b |
+ xmlXPathFreeContext(xptrctxt);
|
|
|
71bd0b |
+#endif /* LIBXML_XPTR_ENABLED */
|
|
|
71bd0b |
+
|
|
|
71bd0b |
if (resObj == NULL)
|
|
|
71bd0b |
goto out_fragment;
|
|
|
71bd0b |
|
|
|
71bd0b |
--
|
|
|
71bd0b |
2.34.1
|
|
|
71bd0b |
|
|
|
71bd0b |
|
|
|
71bd0b |
From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001
|
|
|
71bd0b |
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
|
71bd0b |
Date: Wed, 26 Aug 2020 00:34:38 +0200
|
|
|
71bd0b |
Subject: [PATCH 3/3] Don't set maxDepth in XPath contexts
|
|
|
71bd0b |
|
|
|
71bd0b |
The maximum recursion depth is hardcoded in libxml2 now.
|
|
|
71bd0b |
---
|
|
|
71bd0b |
libxslt/functions.c | 2 +-
|
|
|
71bd0b |
tests/fuzz/fuzz.c | 11 ++---------
|
|
|
71bd0b |
2 files changed, 3 insertions(+), 10 deletions(-)
|
|
|
71bd0b |
|
|
|
71bd0b |
diff --git a/libxslt/functions.c b/libxslt/functions.c
|
|
|
71bd0b |
index 975ea790..7887dda7 100644
|
|
|
71bd0b |
--- a/libxslt/functions.c
|
|
|
71bd0b |
+++ b/libxslt/functions.c
|
|
|
71bd0b |
@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
|
|
|
71bd0b |
defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
|
|
|
71bd0b |
xptrctxt->opLimit = ctxt->context->opLimit;
|
|
|
71bd0b |
xptrctxt->opCount = ctxt->context->opCount;
|
|
|
71bd0b |
- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
|
|
|
71bd0b |
+ xptrctxt->depth = ctxt->context->depth;
|
|
|
71bd0b |
|
|
|
71bd0b |
resObj = xmlXPtrEval(fragment, xptrctxt);
|
|
|
71bd0b |
|
|
|
71bd0b |
diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
|
|
|
71bd0b |
index 75234ad6..780c2d41 100644
|
|
|
71bd0b |
--- a/tests/fuzz/fuzz.c
|
|
|
71bd0b |
+++ b/tests/fuzz/fuzz.c
|
|
|
71bd0b |
@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
|
|
|
71bd0b |
xpctxt = tctxt->xpathCtxt;
|
|
|
71bd0b |
|
|
|
71bd0b |
/* Resource limits to avoid timeouts and call stack overflows */
|
|
|
71bd0b |
- xpctxt->maxDepth = 500;
|
|
|
71bd0b |
xpctxt->opLimit = 500000;
|
|
|
71bd0b |
|
|
|
71bd0b |
/* Test namespaces used in xpath.xml */
|
|
|
71bd0b |
@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
|
|
|
71bd0b |
return 0;
|
|
|
71bd0b |
}
|
|
|
71bd0b |
|
|
|
71bd0b |
-static void
|
|
|
71bd0b |
-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
|
|
|
71bd0b |
- ctxt->maxDepth = 200;
|
|
|
71bd0b |
- ctxt->opLimit = 100000;
|
|
|
71bd0b |
-}
|
|
|
71bd0b |
-
|
|
|
71bd0b |
xmlChar *
|
|
|
71bd0b |
xsltFuzzXslt(const char *data, size_t size) {
|
|
|
71bd0b |
xmlDocPtr xsltDoc;
|
|
|
71bd0b |
@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
|
|
|
71bd0b |
xmlFreeDoc(xsltDoc);
|
|
|
71bd0b |
return NULL;
|
|
|
71bd0b |
}
|
|
|
71bd0b |
- xsltSetXPathResourceLimits(sheet->xpathCtxt);
|
|
|
71bd0b |
+ sheet->xpathCtxt->opLimit = 100000;
|
|
|
71bd0b |
sheet->xpathCtxt->opCount = 0;
|
|
|
71bd0b |
if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
|
|
|
71bd0b |
xsltFreeStylesheet(sheet);
|
|
|
71bd0b |
@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
|
|
|
71bd0b |
xsltSetCtxtSecurityPrefs(sec, ctxt);
|
|
|
71bd0b |
ctxt->maxTemplateDepth = 100;
|
|
|
71bd0b |
ctxt->opLimit = 20000;
|
|
|
71bd0b |
- xsltSetXPathResourceLimits(ctxt->xpathCtxt);
|
|
|
71bd0b |
+ ctxt->xpathCtxt->opLimit = 100000;
|
|
|
71bd0b |
ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
|
|
|
71bd0b |
|
|
|
71bd0b |
result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
|
|
|
71bd0b |
--
|
|
|
71bd0b |
2.34.1
|
|
|
71bd0b |
|