add testcase for CVE-2024-50602

(cherry picked from commit 18500b9c8879a75ab6029cd51e930a5c513c3fc0)
2024-10-29 19:34:45 +08:00 · 2024-10-29 19:34:45 +08:00 · ca53218800
commit ca53218800
parent 1ab989a431
2 changed files with 94 additions and 1 deletions
--- a/backport-CVE-2024-50602-testcase.patch
+++ b/backport-CVE-2024-50602-testcase.patch
@ -0,0 +1,89 @@
+From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 20 Oct 2024 23:24:27 +0200
+Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status
+ XML_INITIALIZED
+
+Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
+would crash with a NULL pointer dereference in function normal_updatePosition.
+This was the AddressSanitizer output:
+
+> AddressSanitizer:DEADLYSIGNAL
+> =================================================================
+> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
+> ==19700==The signal is caused by a READ memory access.
+> ==19700==Hint: address points to the zero page.
+>     #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13
+>     #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3
+>     #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3
+>     #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
+>     #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228)
+>     #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
+>     #6 0x7f802a39af79  (/lib64/libc.so.6+0x25f79)
+>     #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
+>     #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340)
+>
+> AddressSanitizer can not provide additional info.
+> SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition
+> ==19700==ABORTING
+
+And this the UndefinedBehaviorSanitizer output:
+
+> [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
+> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in
+---
+tests/runtests.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 4649359..2c88c7f 100644
+--- a/tests/runtests.c
+++ b/tests/runtests.c
+@@ -8207,6 +8207,35 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
+ }
+ END_TEST
+ 
+START_TEST(test_misc_resumeparser_not_crashing) {
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_GetBuffer(parser, 1);
+  XML_StopParser(parser, /*resumable=*/XML_TRUE);
+  XML_ResumeParser(parser); // could crash here, previously
+  XML_ParserFree(parser);
+}
+END_TEST
+
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+  const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
+  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+    const XML_Bool resumable = cases[i];
+    XML_Parser parser = XML_ParserCreate(NULL);
+
+    if (XML_GetErrorCode(parser) != XML_ERROR_NONE) 
+       fail("There was not supposed to be any initial parse error.");
+
+   if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR) 
+       fail("Attempting to suspend a subordinate parser not faulted.");
+
+   if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
+       fail("parser not started.");
+    XML_ParserFree(parser);
+  }
+}
+END_TEST
+
+
+ static void
+ alloc_setup(void) {
+   XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
+@@ -12707,6 +12736,8 @@ make_suite(void) {
+   tcase_add_test__ifdef_xml_dtd(
+       tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
+   tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
+  tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+  tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
+ 
+   suite_add_tcase(s, tc_alloc);
+   tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
+-- 
+2.27.0
+
--- a/expat.spec
+++ b/expat.spec
@ -1,7 +1,7 @@
 %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
 Name:           expat
 Version:        2.5.0
-Release:        6
+Release:        7
 Summary:        An XML parser library
 License:        MIT
 URL:            https://libexpat.github.io/
@ -30,6 +30,7 @@ Patch20:        backport-003-CVE-2024-45490.patch
 Patch21:        backport-CVE-2024-45491.patch
 Patch22:        backport-CVE-2024-45492.patch
 Patch23:        backport-CVE-2024-50602.patch
+Patch24:        backport-CVE-2024-50602-testcase.patch

 BuildRequires:  sed,autoconf,automake,gcc-c++,libtool,xmlto

@ -78,6 +79,9 @@ find %{buildroot} -type f -name changelog -delete
 %{_mandir}/man1/*

 %changelog
+* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-7
+- add testcase for CVE-2024-50602
+
 * Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6
 - fix CVE-2024-50602