libxml2/Never-expand-parameter-entities-in-text-declaration.patch

From a28f7d8789e63f5e2ac63b42083754cba58f1a0e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 10 Jun 2020 13:41:13 +0200
Subject: [PATCH] Never expand parameter entities in text declaration

When parsing the text declaration of external DTDs or entities, make
sure that parameter entities are not expanded. This also fixes a memory
leak in certain error cases.

The change to xmlSkipBlankChars assumes that the parser state is
maintained correctly when parsing external DTDs or parameter entities,
and might expose bugs in the code that were hidden previously.

Found by OSS-Fuzz.
---
 parser.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/parser.c b/parser.c
index 046f1cec3..3559aaaec 100644
--- a/parser.c
+++ b/parser.c
@@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
      * It's Okay to use CUR/NEXT here since all the blanks are on
      * the ASCII range.
      */
-    if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) {
+    if (ctxt->instate != XML_PARSER_DTD) {
 	const xmlChar *cur;
 	/*
 	 * if we are in the document content, go really fast
@@ -6852,6 +6852,7 @@ void
 xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
     xmlChar *version;
     const xmlChar *encoding;
+    int oldstate;
 
     /*
      * We know that '<?xml' is here.
@@ -6863,6 +6864,10 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
 	return;
     }
 
+    /* Avoid expansion of parameter entities when skipping blanks. */
+    oldstate = ctxt->instate;
+    ctxt->instate = XML_PARSER_START;
+
     if (SKIP_BLANKS == 0) {
 	xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
 		       "Space needed after '<?xml'\n");
@@ -6890,6 +6895,7 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
 	/*
 	 * The XML REC instructs us to stop parsing right here
 	 */
+        ctxt->instate = oldstate;
         return;
     }
     if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) {
@@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
 	MOVETO_ENDTAG(CUR_PTR);
 	NEXT;
     }
+
+    ctxt->instate = oldstate;
 }
 
 /**
-- 
GitLab
Fix use after free with validating render 2020-07-28 09:54:25 +08:00			`From a28f7d8789e63f5e2ac63b42083754cba58f1a0e Mon Sep 17 00:00:00 2001`
			`From: Nick Wellnhofer <wellnhofer@aevum.de>`
			`Date: Wed, 10 Jun 2020 13:41:13 +0200`
			`Subject: [PATCH] Never expand parameter entities in text declaration`

			`When parsing the text declaration of external DTDs or entities, make`
			`sure that parameter entities are not expanded. This also fixes a memory`
			`leak in certain error cases.`

			`The change to xmlSkipBlankChars assumes that the parser state is`
			`maintained correctly when parsing external DTDs or parameter entities,`
			`and might expose bugs in the code that were hidden previously.`

			`Found by OSS-Fuzz.`
			`---`
			`parser.c \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/parser.c b/parser.c`
			`index 046f1cec3..3559aaaec 100644`
			`--- a/parser.c`
			`+++ b/parser.c`
			`@@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {`
			`* It's Okay to use CUR/NEXT here since all the blanks are on`
			`* the ASCII range.`
			`*/`
			`- if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) {`
			`+ if (ctxt->instate != XML_PARSER_DTD) {`
			`const xmlChar *cur;`
			`/*`
			`* if we are in the document content, go really fast`
			`@@ -6852,6 +6852,7 @@ void`
			`xmlParseTextDecl(xmlParserCtxtPtr ctxt) {`
			`xmlChar *version;`
			`const xmlChar *encoding;`
			`+ int oldstate;`

			`/*`
			`* We know that '<?xml' is here.`
			`@@ -6863,6 +6864,10 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {`
			`return;`
			`}`

			`+ /* Avoid expansion of parameter entities when skipping blanks. */`
			`+ oldstate = ctxt->instate;`
			`+ ctxt->instate = XML_PARSER_START;`
			`+`
			`if (SKIP_BLANKS == 0) {`
			`xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,`
			`"Space needed after '<?xml'\n");`
			`@@ -6890,6 +6895,7 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {`
			`/*`
			`* The XML REC instructs us to stop parsing right here`
			`*/`
			`+ ctxt->instate = oldstate;`
			`return;`
			`}`
			`if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) {`
			`@@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {`
			`MOVETO_ENDTAG(CUR_PTR);`
			`NEXT;`
			`}`
			`+`
			`+ ctxt->instate = oldstate;`
			`}`

			`/**`
			`--`
			`GitLab`