expat/backport-006-CVE-2024-8176.patch


2025-03-29 17:01:17 +08:00
From bf97ac508110dc390bd5471ed4904d5a4044332b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
Date: Mon, 7 Oct 2024 15:38:53 +0200
Subject: [PATCH 6/7] Add next pointer to storeEntityValue
This commit introduces a new nextPtr parameter to storeEntityValue.
After finishing its execution, the storeEntityValue function sets this
parameter so that it points to the next token to process.
This is useful when we want to leave and re-enter storeEntityValue during
its execution, since nextPtr will point to where we left off.
This commit is the basis for the following commit.
Reference: https://github.com/libexpat/libexpat/pull/973/commits/bf97ac508110dc390bd5471ed4904d5a4044332b
Conflict: NA
---
lib/xmlparse.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index c86da91..8f556d9 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -498,7 +498,8 @@ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *);
#if XML_GE == 1
static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
const char *start, const char *end,
- enum XML_Account account);
+ enum XML_Account account,
+ const char **nextPtr);
#else
static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity);
#endif
@@ -4594,7 +4595,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
}
/* found end of entity value - can store it now */
return storeEntityValue(parser, parser->m_encoding, s, end,
- XML_ACCOUNT_DIRECT);
+ XML_ACCOUNT_DIRECT, NULL);
} else if (tok == XML_TOK_XML_DECL) {
enum XML_Error result;
result = processXmlDecl(parser, 0, start, next);
@@ -4721,7 +4722,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
break;
}
/* found end of entity value - can store it now */
- return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT);
+ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL);
}
start = next;
}
@@ -5166,7 +5167,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
// parser->m_declEntity->textPtr.
enum XML_Error result
= storeEntityValue(parser, enc, s + enc->minBytesPerChar,
- next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
+ next - enc->minBytesPerChar, XML_ACCOUNT_NONE, NULL);
if (parser->m_declEntity) {
parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool);
parser->m_declEntity->textLen
@@ -6324,7 +6325,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
static enum XML_Error
storeEntityValue(XML_Parser parser, const ENCODING *enc,
const char *entityTextPtr, const char *entityTextEnd,
- enum XML_Account account) {
+ enum XML_Account account, const char **nextPtr) {
DTD *const dtd = parser->m_dtd; /* save one level of indirection */
STRING_POOL *pool = &(dtd->entityValuePool);
enum XML_Error result = XML_ERROR_NONE;
@@ -6342,8 +6343,9 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
return XML_ERROR_NO_MEMORY;
}
+ const char *next;
for (;;) {
- const char *next
+ next
= entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
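Review bot: `next` is now declared at function scope without an initializer, and the hunk at `endEntityValue` copies it into `*nextPtr`, so its value is defined only because every jump to that label happens after the assignment at the top of the loop. Initializing at the declaration, `const char *next = entityTextPtr;`, keeps the later write defined even if a `goto endEntityValue` is ever added before the loop. The assignment inside the loop must stay, since the existing comment notes that XmlEntityValueTok does not always set its last argument. The rest of the loop body is outside this hunk, so the claim that all current jumps come from inside the loop is inferred from the visible lines.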
@@ -6412,7 +6414,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
result = storeEntityValue(
parser, parser->m_internalEncoding, (const char *)entity->textPtr,
(const char *)(entity->textPtr + entity->textLen),
- XML_ACCOUNT_ENTITY_EXPANSION);
+ XML_ACCOUNT_ENTITY_EXPANSION, NULL);
entityTrackingOnClose(parser, entity, __LINE__);
entity->open = XML_FALSE;
if (result)
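Review bot: The nested `storeEntityValue(...)` call for an internal entity still recurses and passes `NULL` for `nextPtr`, so this patch on its own does not appear to change how deep the call stack can grow on nested entity references. The subject marks it as 6/7 and the description calls it the base for the following commit, so the backport should be checked to carry the rest of the series before the CVE is treated as fixed. A short comment at this call would make the dependency visible, for example `/* recursion remains here; the follow-up patch in this series is expected to use nextPtr */`. The enclosing function starts and ends outside this hunk.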
@@ -6504,6 +6506,10 @@ endEntityValue:
# ifdef XML_DTD
parser->m_prologState.inEntityValue = oldInEntityValue;
# endif /* XML_DTD */
+ // If 'nextPtr' is given, it should be updated during the processing
+ if (nextPtr != NULL) {
+ *nextPtr = next;
+ }
return result;
}
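Review bot: The comment added above the `nextPtr` write does not state the contract a caller needs: `*nextPtr` is stored at `endEntityValue` whatever `result` is, but the `return XML_ERROR_NO_MEMORY;` shown as context in the hunk at -6342 leaves before this label and never writes it. A caller that passes a non-NULL pointer must therefore initialize its own variable and check `result` before trusting the position. I would reword the comment to something like `/* If nextPtr is non-NULL, report where tokenizing stopped; not written on the early XML_ERROR_NO_MEMORY return */`. The function body starts outside this hunk.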
--
2.33.0