|
 |
4d3c3c |
From 6aee99f381cc5bdfb6e514ac1e82f5e7b0fa7e2d Mon Sep 17 00:00:00 2001
|
|
|
4d3c3c |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
4d3c3c |
Date: Fri, 25 Feb 2022 16:42:35 -0500
|
|
|
4d3c3c |
Subject: [PATCH 5/6] Add missing validation of encoding (CVE-2022-25235)
|
|
|
4d3c3c |
|
|
|
4d3c3c |
Backported from upstream https://github.com/libexpat/libexpat/pull/562
|
|
|
4d3c3c |
|
|
|
4d3c3c |
Resolves: #2058114
|
|
|
4d3c3c |
---
|
|
|
4d3c3c |
lib/expat/xmltok/xmltok.c | 21 +++++++++++++++------
|
|
|
4d3c3c |
lib/expat/xmltok/xmltok_impl.c | 8 ++++++--
|
|
|
4d3c3c |
2 files changed, 21 insertions(+), 8 deletions(-)
|
|
|
4d3c3c |
|
|
|
4d3c3c |
diff --git a/lib/expat/xmltok/xmltok.c b/lib/expat/xmltok/xmltok.c
|
|
|
4d3c3c |
index 7b31fbb..3b0c950 100644
|
|
|
4d3c3c |
--- a/lib/expat/xmltok/xmltok.c
|
|
|
4d3c3c |
+++ b/lib/expat/xmltok/xmltok.c
|
|
|
4d3c3c |
@@ -61,12 +61,17 @@ We need 8 bits to index into pages, 3 bits to add to that index and
|
|
|
4d3c3c |
? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
|
|
|
4d3c3c |
: 0))
|
|
|
4d3c3c |
|
|
|
4d3c3c |
+#define UTF8_INVALID2(p) \
|
|
|
4d3c3c |
+ ((*p) < 0xC2 || ((p)[1] & 0x80) == 0 || ((p)[1] & 0xC0) == 0xC0)
|
|
|
4d3c3c |
+
|
|
|
4d3c3c |
#define UTF8_INVALID3(p) \
|
|
|
4d3c3c |
- ((*p) == 0xED \
|
|
|
4d3c3c |
- ? (((p)[1] & 0x20) != 0) \
|
|
|
4d3c3c |
- : ((*p) == 0xEF \
|
|
|
4d3c3c |
- ? ((p)[1] == 0xBF && ((p)[2] == 0xBF || (p)[2] == 0xBE)) \
|
|
|
4d3c3c |
- : 0))
|
|
|
4d3c3c |
+ (((p)[2] & 0x80) == 0 \
|
|
|
4d3c3c |
+ || ((*p) == 0xEF && (p)[1] == 0xBF ? (p)[2] > 0xBD \
|
|
|
4d3c3c |
+ : ((p)[2] & 0xC0) == 0xC0) \
|
|
|
4d3c3c |
+ || ((*p) == 0xE0 \
|
|
|
4d3c3c |
+ ? (p)[1] < 0xA0 || ((p)[1] & 0xC0) == 0xC0 \
|
|
|
4d3c3c |
+ : ((p)[1] & 0x80) == 0 \
|
|
|
4d3c3c |
+ || ((*p) == 0xED ? (p)[1] > 0x9F : ((p)[1] & 0xC0) == 0xC0)))
|
|
|
4d3c3c |
|
|
|
4d3c3c |
#define UTF8_INVALID4(p) ((*p) == 0xF4 && ((p)[1] & 0x30) != 0)
|
|
|
4d3c3c |
|
|
|
4d3c3c |
@@ -104,7 +109,11 @@ int utf8_isNmstrt3(const ENCODING *enc ATTR_UNUSED, const char *p)
|
|
|
4d3c3c |
|
|
|
4d3c3c |
#define utf8_isNmstrt4 isNever
|
|
|
4d3c3c |
|
|
|
4d3c3c |
-#define utf8_isInvalid2 isNever
|
|
|
4d3c3c |
+static
|
|
|
4d3c3c |
+int utf8_isInvalid2(const ENCODING *enc ATTR_UNUSED, const char *p)
|
|
|
4d3c3c |
+{
|
|
|
4d3c3c |
+ return UTF8_INVALID2((const unsigned char *)p);
|
|
|
4d3c3c |
+}
|
|
|
4d3c3c |
|
|
|
4d3c3c |
static
|
|
|
4d3c3c |
int utf8_isInvalid3(const ENCODING *enc ATTR_UNUSED, const char *p)
|
|
|
4d3c3c |
diff --git a/lib/expat/xmltok/xmltok_impl.c b/lib/expat/xmltok/xmltok_impl.c
|
|
|
4d3c3c |
index d035527..bae79b9 100644
|
|
|
4d3c3c |
--- a/lib/expat/xmltok/xmltok_impl.c
|
|
|
4d3c3c |
+++ b/lib/expat/xmltok/xmltok_impl.c
|
|
|
4d3c3c |
@@ -43,7 +43,7 @@ See the file copying.txt for copying permission.
|
|
|
4d3c3c |
case BT_LEAD ## n: \
|
|
|
4d3c3c |
if (end - ptr < n) \
|
|
|
4d3c3c |
return XML_TOK_PARTIAL_CHAR; \
|
|
|
4d3c3c |
- if (!IS_NAME_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
+ if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NAME_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
*nextTokPtr = ptr; \
|
|
|
4d3c3c |
return XML_TOK_INVALID; \
|
|
|
4d3c3c |
} \
|
|
|
4d3c3c |
@@ -71,7 +71,7 @@ See the file copying.txt for copying permission.
|
|
|
4d3c3c |
case BT_LEAD ## n: \
|
|
|
4d3c3c |
if (end - ptr < n) \
|
|
|
4d3c3c |
return XML_TOK_PARTIAL_CHAR; \
|
|
|
4d3c3c |
- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
+ if (IS_INVALID_CHAR(enc, ptr, n) || !IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
*nextTokPtr = ptr; \
|
|
|
4d3c3c |
return XML_TOK_INVALID; \
|
|
|
4d3c3c |
} \
|
|
|
4d3c3c |
@@ -1168,6 +1168,10 @@ int PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
|
|
|
4d3c3c |
case BT_LEAD ## n: \
|
|
|
4d3c3c |
if (end - ptr < n) \
|
|
|
4d3c3c |
return XML_TOK_PARTIAL_CHAR; \
|
|
|
4d3c3c |
+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
+ *nextTokPtr = ptr; \
|
|
|
4d3c3c |
+ return XML_TOK_INVALID; \
|
|
|
4d3c3c |
+ } \
|
|
|
4d3c3c |
if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
|
|
4d3c3c |
ptr += n; \
|
|
|
4d3c3c |
tok = XML_TOK_NAME; \
|
|
|
4d3c3c |
--
|
|
|
4d3c3c |
2.31.1
|
|
|
4d3c3c |
|