From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Mon, 17 Aug 2020 03:42:11 +0200
Subject: [PATCH 1/3] Stop using maxParserDepth XPath limit

This will be removed again from libxml2.
---
 tests/fuzz/fuzz.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
index f502ca2c..75234ad6 100644
--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
 xpctxt = tctxt->xpathCtxt;
 /* Resource limits to avoid timeouts and call stack overflows */
- xpctxt->maxParserDepth = 15;
- xpctxt->maxDepth = 100;
+ xpctxt->maxDepth = 500;
 xpctxt->opLimit = 500000;
 /* Test namespaces used in xpath.xml */
@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
 static void
 xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
- ctxt->maxParserDepth = 15;
- ctxt->maxDepth = 100;
+ ctxt->maxDepth = 200;
 ctxt->opLimit = 100000;
 }
-- 2.34.1

From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Mon, 17 Aug 2020 04:27:13 +0200
Subject: [PATCH 2/3] Transfer XPath limits to XPtr context

Expressions like document('doc.xml#xpointer(evil_expr)') ignored the XPath limits.
---
 libxslt/functions.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index b350545a..975ea790 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
 goto out_fragment;
 }
+#if LIBXML_VERSION >= 20911 || \
+ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+ xptrctxt->opLimit = ctxt->context->opLimit;
+ xptrctxt->opCount = ctxt->context->opCount;
+ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+
+ resObj = xmlXPtrEval(fragment, xptrctxt);
+
+ ctxt->context->opCount = xptrctxt->opCount;
+#else
 resObj = xmlXPtrEval(fragment, xptrctxt);
- xmlXPathFreeContext(xptrctxt);
 #endif
+ xmlXPathFreeContext(xptrctxt);
+#endif /* LIBXML_XPTR_ENABLED */
+
 if (resObj == NULL)
 goto out_fragment;
-- 2.34.1

From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Wed, 26 Aug 2020 00:34:38 +0200
Subject: [PATCH 3/3] Don't set maxDepth in XPath contexts

The maximum recursion depth is hardcoded in libxml2 now.
---
 libxslt/functions.c | 2 +-
 tests/fuzz/fuzz.c | 11 ++---------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 975ea790..7887dda7 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
 defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
 xptrctxt->opLimit = ctxt->context->opLimit;
 xptrctxt->opCount = ctxt->context->opCount;
- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+ xptrctxt->depth = ctxt->context->depth;
 resObj = xmlXPtrEval(fragment, xptrctxt);
diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
index 75234ad6..780c2d41 100644
--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
 xpctxt = tctxt->xpathCtxt;
 /* Resource limits to avoid timeouts and call stack overflows */
- xpctxt->maxDepth = 500;
 xpctxt->opLimit = 500000;
 /* Test namespaces used in xpath.xml */
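Review bot: In the new `#if` branch only `opCount` flows back to the caller; when `xmlXPtrEval` aborts because the transferred `opLimit` or `maxDepth` was hit, the error is raised on `xptrctxt`, which is freed right after the `#endif`, so as far as the hunk shows `ctxt->context` is left with a NULL `resObj` and no error record, and the limit violation becomes indistinguishable from an empty xpointer result at `out_fragment`. Copying the inner error out before the free, something like `if (xptrctxt->lastError.code != 0) xmlCopyError(&xptrctxt->lastError, &ctxt->context->lastError);`, would keep the abort visible to the outer evaluation. The `#else` branch also deserves a comment stating that on libxml2 older than 2.9.11 the xpointer() expression still runs without any op or depth accounting, e.g. `/* pre-2.9.11 libxml2: no resource-limit fields, expression runs unbounded */`, since the commit message's fix silently does not apply there. The enclosing function starts and ends outside the hunk.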
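Review bot: The intent of `xptrctxt->depth = ctxt->context->depth;` is not stated, and together with the two `opLimit`/`opCount` lines above it the block reads like ordinary context setup rather than a deliberate budget hand-off; a comment above the three assignments would help, e.g. `/* The xpointer() part of a document() URI is evaluated in a fresh XPath context; seed it with the caller's op count and recursion depth so the nested evaluation shares the caller's limits instead of starting from zero. */`. Unlike `opCount`, `depth` is copied in but not copied back after `xmlXPtrEval`, which is presumably fine if libxml2 unwinds it on return, but worth confirming and noting in the same comment. The enclosing function starts and ends outside the hunk.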
@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
 return 0;
 }
-static void
-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
- ctxt->maxDepth = 200;
- ctxt->opLimit = 100000;
-}
-
 xmlChar *
 xsltFuzzXslt(const char *data, size_t size) {
 xmlDocPtr xsltDoc;
@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
 xmlFreeDoc(xsltDoc);
 return NULL;
 }
- xsltSetXPathResourceLimits(sheet->xpathCtxt);
+ sheet->xpathCtxt->opLimit = 100000;
 sheet->xpathCtxt->opCount = 0;
 if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
 xsltFreeStylesheet(sheet);
@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
 xsltSetCtxtSecurityPrefs(sec, ctxt);
 ctxt->maxTemplateDepth = 100;
 ctxt->opLimit = 20000;
- xsltSetXPathResourceLimits(ctxt->xpathCtxt);
+ ctxt->xpathCtxt->opLimit = 100000;
 ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
 result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
-- 2.34.1
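Review bot: Inlining the removed helper leaves the literal `100000` duplicated, once at `sheet->xpathCtxt->opLimit = 100000;` in this hunk and again at `ctxt->xpathCtxt->opLimit = 100000;` in the following hunk (@@ -361), where `xsltSetXPathResourceLimits` previously kept the stylesheet and transform contexts on the same budget by construction. A file-level constant such as `enum { XSLT_FUZZ_XPATH_OP_LIMIT = 100000 };` (name constructed) used at both sites would preserve that coupling and make a later retune a one-line change. Since `maxDepth` is no longer set here, the harness now relies solely on libxml2's built-in recursion cap for stack-depth protection; a short comment at the `opLimit` line saying so would stop a reader from looking for the missing depth limit. `xsltFuzzXslt` continues outside the hunk.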