packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild

Browse Source
This commit is contained in:
fuanan 2022-02-11 14:28:50 +08:00
parent 5b3ef6585f
commit adf0ba7094
3 changed files with 112 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
View File

@ -1,31 +0,0 @@
From ace5aece17b5ecaafee286fc943616fdee03d885 Mon Sep 17 00:00:00 2001
From: panxiaohe <panxiaohe@huawei.com>
Date: Thu, 11 Nov 2021 16:45:04 +0800
Subject: [PATCH] Fix heap-use-after-free in xmlAddNextSibling and xmlAddChild
---
xinclude.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/xinclude.c b/xinclude.c
index b2e6ea1..d39ff7d 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
}
if (tmp != NULL) {
if (level == lastLevel)
- xmlAddNextSibling(last, tmp);
+ last = xmlAddNextSibling(last, tmp);
else {
- xmlAddChild(last, tmp);
+ last = xmlAddChild(last, tmp);
lastLevel = level;
}
- last = tmp;
}
}
/*
--
1.8.3.1

10
libxml2.spec
View File

@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
Name: libxml2 Name: libxml2
Version: 2.9.12 Version: 2.9.12
Release: 3 Release: 4
License: MIT License: MIT
Group: Development/Libraries Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -10,7 +10,7 @@ Patch0: libxml2-multilib.patch
Patch1: Fix-XPath-recursion-limit.patch Patch1: Fix-XPath-recursion-limit.patch
Patch2: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch Patch2: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch
Patch3: Fix-memleaks-in-xmlXIncludeProcessFlags.patch Patch3: Fix-memleaks-in-xmlXIncludeProcessFlags.patch
Patch4: Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch Patch4: xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
Patch5: Work-around-lxml-API-abuse.patch Patch5: Work-around-lxml-API-abuse.patch
Patch6: Fix-regression-in-xmlNodeDumpOutputInternal.patch Patch6: Fix-regression-in-xmlNodeDumpOutputInternal.patch
Patch7: Fix-whitespace-when-serializing-empty-HTML-documents.patch Patch7: Fix-whitespace-when-serializing-empty-HTML-documents.patch
@ -176,6 +176,12 @@ rm -fr %{buildroot}
%changelog %changelog
* Fri Feb 11 2022 fuanan <fuanan3@h-partners.com> - 2.9.12-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild
* Fri Nov 12 2021 panxiaohe <panxiaohe@huawei.com> - 2.9.12-3 * Fri Nov 12 2021 panxiaohe <panxiaohe@huawei.com> - 2.9.12-3
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA

104
xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch Normal file
View File

@ -0,0 +1,104 @@
From 8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325 Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Wed, 7 Jul 2021 19:24:36 -0700
Subject: [PATCH] xmlAddChild() and xmlAddNextSibling() may not attach their
second argument
Use the return value of xmlAddChild() and xmlAddNextSibling()
instead of the second argument directly.
Found by OSS-Fuzz.
Fixes #316
---
xinclude.c | 14 ++++++--------
xpointer.c | 13 ++++++-------
2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/xinclude.c b/xinclude.c
index b2e6ea1..2a0614d 100644
--- a/xinclude.c
+++ b/xinclude.c
@@ -1014,15 +1014,15 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
if (list == NULL) {
list = tmp;
listParent = cur->parent;
+ last = tmp;
} else {
if (level == lastLevel)
- xmlAddNextSibling(last, tmp);
+ last = xmlAddNextSibling(last, tmp);
else {
- xmlAddChild(last, tmp);
+ last = xmlAddChild(last, tmp);
lastLevel = level;
}
}
- last = tmp;
if (index2 > 1) {
end = xmlXIncludeGetNthChild(cur, index2 - 1);
@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
}
if (tmp != NULL) {
if (level == lastLevel)
- xmlAddNextSibling(last, tmp);
+ last = xmlAddNextSibling(last, tmp);
else {
- xmlAddChild(last, tmp);
+ last = xmlAddChild(last, tmp);
lastLevel = level;
}
- last = tmp;
}
}
/*
@@ -1186,8 +1185,7 @@ xmlXIncludeCopyXPointer(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
if (last == NULL) {
list = last = tmp;
} else {
- xmlAddNextSibling(last, tmp);
- last = tmp;
+ last = xmlAddNextSibling(last, tmp);
}
cur = cur->next;
continue;
diff --git a/xpointer.c b/xpointer.c
index 27a6a8c..fe2fca5 100644
--- a/xpointer.c
+++ b/xpointer.c
@@ -1483,16 +1483,16 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
return(list);
} else {
tmp = xmlCopyNode(cur, 0);
- if (list == NULL)
+ if (list == NULL) {
list = tmp;
- else {
+ parent = tmp;
+ } else {
if (last != NULL)
- xmlAddNextSibling(last, tmp);
+ parent = xmlAddNextSibling(last, tmp);
else
- xmlAddChild(parent, tmp);
+ parent = xmlAddChild(parent, tmp);
}
last = NULL;
- parent = tmp;
if (index2 > 1) {
end = xmlXPtrGetNthChild(cur, index2 - 1);
@@ -1574,8 +1574,7 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
if (last != NULL)
xmlAddNextSibling(last, tmp);
else {
- xmlAddChild(parent, tmp);
- last = tmp;
+ last = xmlAddChild(parent, tmp);
}
}
}
--
1.8.3.1