packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 libxml2

Browse Source 
Merge pull request !7 from syyhao/master
This commit is contained in:
openeuler-ci-bot 2020-07-29 10:42:41 +08:00 committed by Gitee
commit 919545d0cf
3 changed files with 168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
Fix-use-after-free-with-validating-reader.patch Normal file
View File

@ -0,0 +1,91 @@
From 2af3c2a8b974cb5896cd3beb74561ba979de9f34 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 8 Jun 2020 12:49:51 +0200
Subject: [PATCH] Fix use-after-free with validating reader
Just like IDs, IDREF attributes must be removed from the document's
refs table when they're freed by a reader. This bug is often hidden
because xmlAttr structs are reused and strings are stored in a
dictionary unless XML_PARSE_NODICT is specified.
Found by OSS-Fuzz.
---
xmlreader.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/xmlreader.c b/xmlreader.c
index 3fd9aa4c0..6ae6e9229 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -278,6 +278,59 @@ xmlTextReaderRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
return(0);
}
+/**
+ * xmlTextReaderWalkRemoveRef:
+ * @data: Contents of current link
+ * @user: Value supplied by the user
+ *
+ * Returns 0 to abort the walk or 1 to continue
+ */
+static int
+xmlTextReaderWalkRemoveRef(const void *data, void *user)
+{
+ xmlRefPtr ref = (xmlRefPtr)data;
+ xmlAttrPtr attr = (xmlAttrPtr)user;
+
+ if (ref->attr == attr) { /* Matched: remove and terminate walk */
+ ref->name = xmlStrdup(attr->name);
+ ref->attr = NULL;
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * xmlTextReaderRemoveRef:
+ * @doc: the document
+ * @attr: the attribute
+ *
+ * Remove the given attribute from the Ref table maintained internally.
+ *
+ * Returns -1 if the lookup failed and 0 otherwise
+ */
+static int
+xmlTextReaderRemoveRef(xmlDocPtr doc, xmlAttrPtr attr) {
+ xmlListPtr ref_list;
+ xmlRefTablePtr table;
+ xmlChar *ID;
+
+ if (doc == NULL) return(-1);
+ if (attr == NULL) return(-1);
+ table = (xmlRefTablePtr) doc->refs;
+ if (table == NULL)
+ return(-1);
+
+ ID = xmlNodeListGetString(doc, attr->children, 1);
+ if (ID == NULL)
+ return(-1);
+ ref_list = xmlHashLookup(table, ID);
+ xmlFree(ID);
+ if(ref_list == NULL)
+ return (-1);
+ xmlListWalk(ref_list, xmlTextReaderWalkRemoveRef, attr);
+ return(0);
+}
+
/**
* xmlTextReaderFreeProp:
* @reader: the xmlTextReaderPtr used
@@ -304,6 +357,8 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) {
(cur->parent->doc->extSubset != NULL))) {
if (xmlIsID(cur->parent->doc, cur->parent, cur))
xmlTextReaderRemoveID(cur->parent->doc, cur);
+ if (xmlIsRef(cur->parent->doc, cur->parent, cur))
+ xmlTextReaderRemoveRef(cur->parent->doc, cur);
}
if (cur->children != NULL)
xmlTextReaderFreeNodeList(reader, cur->children);
--
GitLab

70
Never-expand-parameter-entities-in-text-declaration.patch Normal file
View File

@ -0,0 +1,70 @@
From a28f7d8789e63f5e2ac63b42083754cba58f1a0e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 10 Jun 2020 13:41:13 +0200
Subject: [PATCH] Never expand parameter entities in text declaration
When parsing the text declaration of external DTDs or entities, make
sure that parameter entities are not expanded. This also fixes a memory
leak in certain error cases.
The change to xmlSkipBlankChars assumes that the parser state is
maintained correctly when parsing external DTDs or parameter entities,
and might expose bugs in the code that were hidden previously.
Found by OSS-Fuzz.
---
parser.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index 046f1cec3..3559aaaec 100644
--- a/parser.c
+++ b/parser.c
@@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) {
* It's Okay to use CUR/NEXT here since all the blanks are on
* the ASCII range.
*/
- if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) {
+ if (ctxt->instate != XML_PARSER_DTD) {
const xmlChar *cur;
/*
* if we are in the document content, go really fast
@@ -6852,6 +6852,7 @@ void
xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
xmlChar *version;
const xmlChar *encoding;
+ int oldstate;
/*
* We know that '<?xml' is here.
@@ -6863,6 +6864,10 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
return;
}
+ /* Avoid expansion of parameter entities when skipping blanks. */
+ oldstate = ctxt->instate;
+ ctxt->instate = XML_PARSER_START;
+
if (SKIP_BLANKS == 0) {
xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
"Space needed after '<?xml'\n");
@@ -6890,6 +6895,7 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
/*
* The XML REC instructs us to stop parsing right here
*/
+ ctxt->instate = oldstate;
return;
}
if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) {
@@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) {
MOVETO_ENDTAG(CUR_PTR);
NEXT;
}
+
+ ctxt->instate = oldstate;
}
/**
--
GitLab

8
libxml2.spec
View File

@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.10
Release: 2
Release: 3
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -24,6 +24,8 @@ Patch14: Fix-copying-of-entities-in-xmlParseReference.patch
Patch15: Copy-some-XMLReader-option-flags-to-parser-context.patch
Patch16: Merge-code-paths-loading-external-entities.patch
Patch17: Don-t-load-external-entity-from-xmlSAX2GetEntity.patch
Patch18: Fix-use-after-free-with-validating-reader.patch
Patch19: Never-expand-parameter-entities-in-text-declaration.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python2-devel
@ -215,6 +217,10 @@ rm -fr %{buildroot}
%changelog
* Tue Jul 28 2020 shenyangyang <shenyangyang4@huawei.com> - 2.9.10-3
- Fix-use-after-free-with-validating-reader and
Never-expand-parameter-entities-in-text-declaration
* Fri Jul 3 2020 wangchen <wangchen137@huawei.com> - 2.9.10-2
- Sync some patches from community