!100 use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild

From: @fly_fzc Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-02-26 00:59:18 +00:00 · 2022-02-26 00:59:18 +00:00 · 126e1b5971
commit 126e1b5971
parent 5b3ef6585f adf0ba7094
3 changed files with 112 additions and 33 deletions
--- a/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
+++ b/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
@ -1,31 +0,0 @@
-From ace5aece17b5ecaafee286fc943616fdee03d885 Mon Sep 17 00:00:00 2001
-From: panxiaohe <panxiaohe@huawei.com>
-Date: Thu, 11 Nov 2021 16:45:04 +0800
-Subject: [PATCH] Fix heap-use-after-free in xmlAddNextSibling and xmlAddChild
-
---
- xinclude.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/xinclude.c b/xinclude.c
-index b2e6ea1..d39ff7d 100644
--- a/xinclude.c
-+++ b/xinclude.c
-@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
- 	    }
- 	    if (tmp != NULL) {
- 		if (level == lastLevel)
-		    xmlAddNextSibling(last, tmp);
-+		    last = xmlAddNextSibling(last, tmp);
- 		else {
-		    xmlAddChild(last, tmp);
-+		    last = xmlAddChild(last, tmp);
- 		    lastLevel = level;
- 		}
-		last = tmp;
- 	    }
- 	}
- 	/*
-- 
-1.8.3.1
-
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.12
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -10,7 +10,7 @@ Patch0: libxml2-multilib.patch
 Patch1: Fix-XPath-recursion-limit.patch
 Patch2: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch
 Patch3: Fix-memleaks-in-xmlXIncludeProcessFlags.patch
-Patch4: Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
+Patch4: xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
 Patch5: Work-around-lxml-API-abuse.patch
 Patch6: Fix-regression-in-xmlNodeDumpOutputInternal.patch
 Patch7: Fix-whitespace-when-serializing-empty-HTML-documents.patch
@ -176,6 +176,12 @@ rm -fr %{buildroot}


 %changelog
+* Fri Feb 11 2022 fuanan <fuanan3@h-partners.com> - 2.9.12-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild
+
 * Fri Nov 12 2021 panxiaohe <panxiaohe@huawei.com> - 2.9.12-3
 - Type:bugfix
 - ID:NA
--- a/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
+++ b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
@ -0,0 +1,104 @@
+From 8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Wed, 7 Jul 2021 19:24:36 -0700
+Subject: [PATCH] xmlAddChild() and xmlAddNextSibling() may not attach their
+ second argument
+
+Use the return value of xmlAddChild() and xmlAddNextSibling()
+instead of the second argument directly.
+
+Found by OSS-Fuzz.
+
+Fixes #316
+---
+ xinclude.c | 14 ++++++--------
+ xpointer.c | 13 ++++++-------
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index b2e6ea1..2a0614d 100644
+--- a/xinclude.c
+++ b/xinclude.c
+@@ -1014,15 +1014,15 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ 		if (list == NULL) {
+ 		    list = tmp;
+ 		    listParent = cur->parent;
+		    last = tmp;
+ 		} else {
+ 		    if (level == lastLevel)
+-			xmlAddNextSibling(last, tmp);
+			last = xmlAddNextSibling(last, tmp);
+ 		    else {
+-			xmlAddChild(last, tmp);
+			last = xmlAddChild(last, tmp);
+ 			lastLevel = level;
+ 		    }
+ 		}
+-		last = tmp;
+ 
+ 		if (index2 > 1) {
+ 		    end = xmlXIncludeGetNthChild(cur, index2 - 1);
+@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ 	    }
+ 	    if (tmp != NULL) {
+ 		if (level == lastLevel)
+-		    xmlAddNextSibling(last, tmp);
+		    last = xmlAddNextSibling(last, tmp);
+ 		else {
+-		    xmlAddChild(last, tmp);
+		    last = xmlAddChild(last, tmp);
+ 		    lastLevel = level;
+ 		}
+-		last = tmp;
+ 	    }
+ 	}
+ 	/*
+@@ -1186,8 +1185,7 @@ xmlXIncludeCopyXPointer(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ 				    if (last == NULL) {
+ 					list = last = tmp;
+ 				    } else {
+-					xmlAddNextSibling(last, tmp);
+-					last = tmp;
+					last = xmlAddNextSibling(last, tmp);
+ 				    }
+ 				    cur = cur->next;
+ 				    continue;
+diff --git a/xpointer.c b/xpointer.c
+index 27a6a8c..fe2fca5 100644
+--- a/xpointer.c
+++ b/xpointer.c
+@@ -1483,16 +1483,16 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
+ 		return(list);
+ 	    } else {
+ 		tmp = xmlCopyNode(cur, 0);
+-		if (list == NULL)
+		if (list == NULL) {
+ 		    list = tmp;
+-		else {
+		    parent = tmp;
+		} else {
+ 		    if (last != NULL)
+-			xmlAddNextSibling(last, tmp);
+			parent = xmlAddNextSibling(last, tmp);
+ 		    else
+-			xmlAddChild(parent, tmp);
+			parent = xmlAddChild(parent, tmp);
+ 		}
+ 		last = NULL;
+-		parent = tmp;
+ 
+ 		if (index2 > 1) {
+ 		    end = xmlXPtrGetNthChild(cur, index2 - 1);
+@@ -1574,8 +1574,7 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
+ 		if (last != NULL)
+ 		    xmlAddNextSibling(last, tmp);
+ 		else {
+-		    xmlAddChild(parent, tmp);
+-		    last = tmp;
+		    last = xmlAddChild(parent, tmp);
+ 		}
+ 	    }
+ 	}
+-- 
+1.8.3.1
+