packages/expat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add testcase for CVE-2024-50602

Browse Source 
(cherry picked from commit 18500b9c8879a75ab6029cd51e930a5c513c3fc0)
This commit is contained in:
liningjie 2024-10-29 19:34:45 +08:00 committed by openeuler-sync-bot
parent 1ab989a431
commit ca53218800
2 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
backport-CVE-2024-50602-testcase.patch Normal file
View File

@ -0,0 +1,89 @@
From b3836ff534c7cc78128fe7b935aad3d4353814ed Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 20 Oct 2024 23:24:27 +0200
Subject: [PATCH 3/3] tests: Cover XML_StopParser's new handling of status
XML_INITIALIZED
Prior to the fix to XML_StopParser, test test_misc_resumeparser_not_crashing
would crash with a NULL pointer dereference in function normal_updatePosition.
This was the AddressSanitizer output:
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5623e07ad85f bp 0x7ffcf40da650 sp 0x7ffcf40da590 T0)
> ==19700==The signal is caused by a READ memory access.
> ==19700==Hint: address points to the zero page.
> #0 0x5623e07ad85f in normal_updatePosition [..]/lib/xmltok_impl.c:1781:13
> #1 0x5623e07a52ff in initUpdatePosition [..]/lib/xmltok.c:1031:3
> #2 0x5623e0762760 in XML_ResumeParser [..]/lib/xmlparse.c:2297:3
> #3 0x5623e074f7c1 in test_misc_resumeparser_not_crashing() misc_tests_cxx.cpp
> #4 0x5623e074e228 in srunner_run_all ([..]/build_asan_fuzzers/tests/runtests_cxx+0x136228)
> #5 0x5623e0753d2d in main ([..]/build_asan_fuzzers/tests/runtests_cxx+0x13bd2d)
> #6 0x7f802a39af79 (/lib64/libc.so.6+0x25f79)
> #7 0x7f802a39b034 in __libc_start_main (/lib64/libc.so.6+0x26034)
> #8 0x5623e064f340 in _start ([..]/build_asan_fuzzers/tests/runtests_cxx+0x37340)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV [..]/lib/xmltok_impl.c:1781:13 in normal_updatePosition
> ==19700==ABORTING
And this the UndefinedBehaviorSanitizer output:
> [..]/lib/xmltok_impl.c:1781:13: runtime error: load of null pointer of type 'const char'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior [..]/lib/xmltok_impl.c:1781:13 in
---
tests/runtests.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/tests/runtests.c b/tests/runtests.c
index 4649359..2c88c7f 100644
--- a/tests/runtests.c
+++ b/tests/runtests.c
@@ -8207,6 +8207,35 @@ START_TEST(test_misc_tag_mismatch_reset_leak) {
}
END_TEST
+START_TEST(test_misc_resumeparser_not_crashing) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+ XML_GetBuffer(parser, 1);
+ XML_StopParser(parser, /*resumable=*/XML_TRUE);
+ XML_ResumeParser(parser); // could crash here, previously
+ XML_ParserFree(parser);
+}
+END_TEST
+
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+ const XML_Bool resumable = cases[i];
+ XML_Parser parser = XML_ParserCreate(NULL);
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
+ fail("There was not supposed to be any initial parse error.");
+
+ if (XML_StopParser(parser, resumable) != XML_STATUS_ERROR)
+ fail("Attempting to suspend a subordinate parser not faulted.");
+
+ if (XML_GetErrorCode(parser) != XML_ERROR_NOT_STARTED)
+ fail("parser not started.");
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
+
static void
alloc_setup(void) {
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -12707,6 +12736,8 @@ make_suite(void) {
tcase_add_test__ifdef_xml_dtd(
tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
+ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
suite_add_tcase(s, tc_alloc);
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
--
2.27.0

6
expat.spec
View File

@ -1,7 +1,7 @@
%define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/') %define Rversion %(echo %{version} | sed -e 's/\\./_/g' -e 's/^/R_/')
Name: expat Name: expat
Version: 2.5.0 Version: 2.5.0
Release: 6 Release: 7
Summary: An XML parser library Summary: An XML parser library
License: MIT License: MIT
URL: https://libexpat.github.io/ URL: https://libexpat.github.io/
@ -30,6 +30,7 @@ Patch20: backport-003-CVE-2024-45490.patch
Patch21: backport-CVE-2024-45491.patch Patch21: backport-CVE-2024-45491.patch
Patch22: backport-CVE-2024-45492.patch Patch22: backport-CVE-2024-45492.patch
Patch23: backport-CVE-2024-50602.patch Patch23: backport-CVE-2024-50602.patch
Patch24: backport-CVE-2024-50602-testcase.patch
BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto BuildRequires: sed,autoconf,automake,gcc-c++,libtool,xmlto
@ -78,6 +79,9 @@ find %{buildroot} -type f -name changelog -delete
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-7
- add testcase for CVE-2024-50602
* Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6 * Tue Oct 29 2024 liningjie <liningjie@xfusion.com> - 2.5.0-6
- fix CVE-2024-50602 - fix CVE-2024-50602