From 7e7d820f4efb41eccf3bc6c2a98cfc930629b1c4 Mon Sep 17 00:00:00 2001
From: zhuofeng <1107893276@qq.com>
Date: Tue, 8 Apr 2025 02:25:29 +0000
Subject: [PATCH] backport upstream patches

Signed-off-by: zhuofeng <1107893276@qq.com>
---
 ...e-parser-m_eventPtr-handling-clearer.patch | 65 +++++++++++++++++++
 ...ating-m_eventPtr-on-exit-for-reentry.patch | 52 +++++++++++++++
 expat.spec | 7 +-
 3 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 backport-Make-parser-m_eventPtr-handling-clearer.patch
 create mode 100644 backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch

diff --git a/backport-Make-parser-m_eventPtr-handling-clearer.patch b/backport-Make-parser-m_eventPtr-handling-clearer.patch
new file mode 100644
index 0000000..502dbad
--- /dev/null
+++ b/backport-Make-parser-m_eventPtr-handling-clearer.patch
@@ -0,0 +1,65 @@
+From bcf353990c651d589c74aa0f283f9b392bbb68bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?=
+Date: Wed, 19 Mar 2025 15:37:21 +0100
+Subject: [PATCH] Make parser->m_eventPtr handling clearer
+
+Reference: https://github.com/libexpat/libexpat/pull/989/commits/bcf353990c651d589c74aa0f283f9b392bbb68bf
+Conflict: NA
+
+---
+ lib/xmlparse.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 67bd3a54..f8ae864a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -4334,12 +4334,13 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ /* LCOV_EXCL_STOP */
+ }
+
+- *eventPP = s = next;
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
++ *eventPP = next;
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
++ *eventPP = next;
+ return XML_ERROR_ABORTED;
+ case XML_PARSING:
+ if (parser->m_reenter) {
+@@ -4347,6 +4348,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ }
+ /* Fall through */
+ default:;
++ *eventPP = s = next;
+ }
+ }
+ /* not reached */
+@@ -5953,12 +5955,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ default:
+ return XML_ERROR_JUNK_AFTER_DOC_ELEMENT;
+ }
+- parser->m_eventPtr = s = next;
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
++ parser->m_eventPtr = next;
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
++ parser->m_eventPtr = next;
+ return XML_ERROR_ABORTED;
+ case XML_PARSING:
+ if (parser->m_reenter) {
+@@ -5966,6 +5969,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* Fall through */
+ default:;
++ parser->m_eventPtr = s = next;
+ }
+ }
+ }
+--
+2.37.3
+
diff --git a/backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch b/backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch
new file mode 100644
index 0000000..1aafae4
--- /dev/null
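Review bot: In `doCdataSection` and `epilogProcessor` the exit taken when `parser->m_reenter` is set no longer has the event pointer advanced, because the assignment removed from before the `switch` is re-added only under `XML_SUSPENDED`, `XML_FINISHED` and the fall-through `default:;`. The subject line presents this as a clarity change, so that difference on the reentry branch is undocumented; a comment there such as `/* event pointer deliberately left at the current token when leaving for reentry */` would record the intent for anyone auditing later parser backports. The one-line body of `if (parser->m_reenter)` lies between the two hunks of each function and is not shown, so whether it returns, and whether that branch is reachable in these two functions, cannot be confirmed from this page.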
+++ b/backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch
@@ -0,0 +1,52 @@
+From 89a9c6807c982b4fa8aa806dd72771d6642dd8a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?=
+Date: Wed, 19 Mar 2025 02:20:49 +0100
+Subject: [PATCH] Stop updating m_eventPtr on exit for reentry
+
+The fix for recursive entity processing introduced a reenter flag that
+returns the execution from the current function and switches to entity
+processing.
+
+The same fix also updates the m_eventPtr during this switch. However
+this update changes the behaviour in certain cases as the older version
+does not update the m_eventPtr while recursing into entity processing.
+
+This commit removes the pointer update and restores the old behaviour.
+
+Reference: https://github.com/libexpat/libexpat/pull/989/commits/89a9c6807c982b4fa8aa806dd72771d6642dd8a1
+Conflict: NA
+
+---
+ lib/xmlparse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 626f56af..67bd3a54 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3402,12 +3402,13 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ break;
+ /* LCOV_EXCL_STOP */
+ }
+- *eventPP = s = next;
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
++ *eventPP = next;
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ case XML_FINISHED:
++ *eventPP = next;
+ return XML_ERROR_ABORTED;
+ case XML_PARSING:
+ if (parser->m_reenter) {
+@@ -3416,6 +3417,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ }
+ /* Fall through */
+ default:;
++ *eventPP = s = next;
+ }
+ }
+ /* not reached */
+--
+2.37.3
+
diff --git a/expat.spec b/expat.spec
index 624fb1d..6aba21e 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name: expat
 Version: 2.5.0
-Release: 8
+Release: 9
 Summary: An XML parser library
 License: MIT
 URL: https://libexpat.github.io/
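Review bot: No regression test comes with the `doContent` change: the embedded patch's diffstat lists only `lib/xmlparse.c`, although its message says it restores the earlier `m_eventPtr` behaviour on the reentry path. If the upstream pull request named in `Reference:` carries a test for this, it should be backported alongside. Otherwise a small test that parses a document containing an internal entity reference and checks the position reported from a handler (for example via `XML_GetCurrentByteIndex`) would pin the restored value. The two-line body of `if (parser->m_reenter)` sits between the two hunks and is not visible, so whether anything else on that path touches `*eventPP` cannot be confirmed from this page.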
@@ -42,6 +42,8 @@ Patch32: backport-008-CVE-2024-8176.patch Patch33: backport-009-CVE-2024-8176.patch Patch34: backport-010-CVE-2024-8176.patch Patch35: backport-011-CVE-2024-8176.patch +Patch36: backport-Stop-updating-m_eventPtr-on-exit-for-reentry.patch +Patch37: backport-Make-parser-m_eventPtr-handling-clearer.patch BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto @@ -90,6 +92,9 @@ find %{buildroot} -type f -name changelog -delete %{_mandir}/man1/* %changelog +* Tue Apr 08 2025 zhuofeng <1107893276@qq.com> - 2.5.0-9 +- backport upstream patches + * Fri Mar 28 2025 zhuofeng <1107893276@qq.com> - 2.5.0-8 - fix CVE-2024-8176
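Review bot: The spec does not record that `Patch36` has to be applied before `Patch37`. The embedded `index` lines chain (`626f56af..67bd3a54` in the Stop-updating patch, then `67bd3a54..f8ae864a` in the Make-clearer patch), so the order listed here is right, but a later reshuffle of the patch list would likely stop them applying cleanly. A comment above the two lines such as `# m_eventPtr follow-ups; Patch37 is generated on top of Patch36, keep this order` would make that explicit. The changelog entry added in the last hunk, `- backport upstream patches`, could likewise name the m_eventPtr fixes so the change can be traced from the package history.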