backport upstream patches

2022-11-21 10:40:23 +08:00 · 2022-11-21 10:40:23 +08:00 · 60c724d23d
commit 60c724d23d
parent 4fc81c9ab2
3 changed files with 126 additions and 1 deletions
--- a/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
+++ b/backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch
@ -0,0 +1,42 @@
+From 1a2d8ddc066143d256fdb8cc554707fe141dd2f6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Oct 2022 13:02:47 +0200
+Subject: [PATCH] parser: Fix potential memory leak in xmlParseAttValueInternal
+
+Fix memory leak in case xmlParseAttValueInternal is called with a NULL
+`len` a non-NULL `alloc` argument. This static function is never called
+with such arguments internally, but the misleading code should be fixed
+nevertheless.
+
+Fixes #422.
+
+Reference:https://github.com/GNOME/libxml2/commit/1a2d8ddc066143d256fdb8cc554707fe141dd2f6
+Conflict:NA
+
+---
+ parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 7bb47366..337e62f6 100644
+--- a/parser.c
+++ b/parser.c
+@@ -9155,6 +9155,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     in++;
+     col++;
+     if (len != NULL) {
+        if (alloc) *alloc = 0;
+         *len = last - start;
+         ret = (xmlChar *) start;
+     } else {
+@@ -9164,7 +9165,6 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+     CUR_PTR = in;
+     ctxt->input->line = line;
+     ctxt->input->col = col;
+-    if (alloc) *alloc = 0;
+     return ret;
+ need_complex:
+     if (alloc) *alloc = 1;
+-- 
+2.27.0
+
--- a/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+++ b/backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
@ -0,0 +1,75 @@
+From 1d4f5d24ac3976012ab1f5b811385e7b00caaecf Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 13 Sep 2022 16:40:31 +0200
+Subject: [PATCH] schemas: Fix null-pointer-deref in
+ xmlSchemaCheckCOSSTDerivedOK
+
+Found by OSS-Fuzz.
+
+Reference:https://github.com/GNOME/libxml2/commit/1d4f5d24ac3976012ab1f5b811385e7b00caaecf
+Conflict:NA
+
+---
+ result/schemas/oss-fuzz-51295_0_0.err |  2 ++
+ test/schemas/oss-fuzz-51295_0.xml     |  1 +
+ test/schemas/oss-fuzz-51295_0.xsd     |  4 ++++
+ xmlschemas.c                          | 15 +++++++++++++--
+ 4 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 result/schemas/oss-fuzz-51295_0_0.err
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xml
+ create mode 100644 test/schemas/oss-fuzz-51295_0.xsd
+
+diff --git a/result/schemas/oss-fuzz-51295_0_0.err b/result/schemas/oss-fuzz-51295_0_0.err
+new file mode 100644
+index 00000000..1e89524f
+--- /dev/null
+++ b/result/schemas/oss-fuzz-51295_0_0.err
+@@ -0,0 +1,2 @@
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+./test/schemas/oss-fuzz-51295_0.xsd:2: element element: Schemas parser error : element decl. 'e': The element declaration 'e' defines a circular substitution group to element declaration 'e'.
+diff --git a/test/schemas/oss-fuzz-51295_0.xml b/test/schemas/oss-fuzz-51295_0.xml
+new file mode 100644
+index 00000000..10a7e703
+--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xml
+@@ -0,0 +1 @@
+<e/>
+diff --git a/test/schemas/oss-fuzz-51295_0.xsd b/test/schemas/oss-fuzz-51295_0.xsd
+new file mode 100644
+index 00000000..fde96af5
+--- /dev/null
+++ b/test/schemas/oss-fuzz-51295_0.xsd
+@@ -0,0 +1,4 @@
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
+    <xs:element name="e" substitutionGroup="e"/>
+    <xs:element name="t" substitutionGroup="e" type='xs:decimal'/>
+</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index ade10f78..de6ea2b0 100644
+--- a/xmlschemas.c
+++ b/xmlschemas.c
+@@ -13348,8 +13348,19 @@ xmlSchemaResolveElementReferences(xmlSchemaElementPtr elemDecl,
+ 	    * declaration `resolved` to by the `actual value`
+ 	    * of the substitutionGroup [attribute], if present"
+ 	    */
+-	    if (elemDecl->subtypes == NULL)
+-		elemDecl->subtypes = substHead->subtypes;
+	    if (elemDecl->subtypes == NULL) {
+                if (substHead->subtypes == NULL) {
+                    /*
+                     * This can happen with self-referencing substitution
+                     * groups. The cycle will be detected later, but we have
+                     * to set subtypes to avoid null-pointer dereferences.
+                     */
+	            elemDecl->subtypes = xmlSchemaGetBuiltInType(
+                            XML_SCHEMAS_ANYTYPE);
+                } else {
+		    elemDecl->subtypes = substHead->subtypes;
+                }
+            }
+ 	}
+     }
+     /*
+-- 
+2.27.0
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 3
+Release: 4
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@ -12,6 +12,8 @@ Patch2: Fix-memory-leaks-for-xmlACatalogAdd.patch
 Patch3: Fix-memory-leaks-in-xmlACatalogAdd-when-xmlHashAddEntry-failed.patch
 Patch4: backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_.patch
 Patch5: backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch
+Patch6: backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
+Patch7: backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@ -167,6 +169,12 @@ rm -fr %{buildroot}


 %changelog
+* Mon Nov 21 2022 fuanan <fuanan3@h-partners.com> - 2.9.14-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+
 * Tue Nov 08 2022 fuanan <fuanan3@h-partners.com> - 2.9.14-3
 - fix CVE-2022-40303 CVE-2022-40304