Fix more quadratic runtime issues in HTML push parse

Fix reset HTML parser input before reporting error
2020-08-28 18:21:45 +08:00 · 2020-08-28 18:21:45 +08:00 · e81785b5f3
commit e81785b5f3
parent 30f2c048aa
3 changed files with 113 additions and 1 deletions
--- a/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
+++ b/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
@ -0,0 +1,57 @@
+From 3da8d947df1f84e54b12145ca2cfa1ff6456f532 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 9 Jul 2020 16:08:38 +0200
+Subject: [PATCH] Fix more quadratic runtime issues in HTML push parser
+
+Make sure that checkIndex is set when returning without match from
+inside a comment. Also track parser state in htmlParseLookupChars.
+
+Found by OSS-Fuzz.
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 366c19b..9b12dd1 100644
+--- a/HTMLparser.c
+++ b/HTMLparser.c
+@@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first,
+         }
+         if (incomment) {
+             if (base + 3 > len)
+-                return (-1);
+                break;
+             if ((buf[base] == '-') && (buf[base + 1] == '-') &&
+                 (buf[base + 2] == '>')) {
+                 incomment = 0;
+@@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+     if (base < 0)
+         return (-1);
+ 
+-    if (ctxt->checkIndex > base)
+    if (ctxt->checkIndex > base) {
+         base = ctxt->checkIndex;
+        /* Abuse hasPErefs member to restore current state. */
+        incomment = ctxt->hasPErefs & 1 ? 1 : 0;
+    }
+ 
+     if (in->buf == NULL) {
+         buf = in->base;
+@@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+         }
+         if (incomment) {
+             if (base + 3 > len)
+-                return (-1);
+                break;
+             if ((buf[base] == '-') && (buf[base + 1] == '-') &&
+                 (buf[base + 2] == '>')) {
+                 incomment = 0;
+@@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+         }
+     }
+     ctxt->checkIndex = base;
+    /* Abuse hasPErefs member to track current state. */
+    ctxt->hasPErefs = incomment;
+     return (-1);
+ }
+ 
+-- 
+1.8.3.1
+
--- a/Reset-HTML-parser-input-before-reporting-error.patch
+++ b/Reset-HTML-parser-input-before-reporting-error.patch
@ -0,0 +1,49 @@
+From 3f18e7486d5feb8ae41911ce3c122e05641a4c3d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 11 Jul 2020 14:34:57 +0200
+Subject: [PATCH] Reset HTML parser input before reporting error
+
+Avoid use-after-free, similar to 13ba5b61. Also make sure that
+xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
+
+Found by OSS-Fuzz.
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 9b12dd1..1dea794 100644
+--- a/HTMLparser.c
+++ b/HTMLparser.c
+@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
+ 	int res;
+ 
+ 	res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+ 	if (res < 0) {
+ 	    ctxt->errNo = XML_PARSER_EOF;
+ 	    ctxt->disableSAX = 1;
+ 	    return (XML_PARSER_EOF);
+ 	}
+-        xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+ #ifdef DEBUG_PUSH
+ 	xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
+ #endif
+diff --git a/buf.c b/buf.c
+index 8ad18a1..24368d3 100644
+--- a/buf.c
+++ b/buf.c
+@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
+ int
+ xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
+                       size_t base, size_t cur) {
+-    if ((input == NULL) || (buf == NULL) || (buf->error))
+    if (input == NULL)
+        return(-1);
+    if ((buf == NULL) || (buf->error)) {
+        input->base = input->cur = input->end = BAD_CAST "";
+         return(-1);
+    }
+     CHECK_COMPAT(buf)
+     input->base = &buf->content[base];
+     input->cur = input->base + cur;
+-- 
+1.8.3.1
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 5
+Release: 6
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -31,6 +31,8 @@ Patch21:  Report-error-for-invalid-regexp-quantifiers.patch
 Patch22:  Add-regexp-regression-tests.patch
 Patch23:  Limit-regexp-nesting-depth.patch
 Patch24:  Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch
+Patch25:  Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
+Patch26:  Reset-HTML-parser-input-before-reporting-error.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@ -222,6 +224,10 @@ rm -fr %{buildroot}


 %changelog
+* Fri Aug 28 2020 zoulin <zoulin13@huawei.com> - 2.9.10-6
+- Fix more quadratic runtime issues in HTML push parse
+- Fix reset HTML parser input before reporting error
+
 * Wed Aug 12 2020 Liquor <lirui130@huawei.com> - 2.9.10-5
 - Limit regexp nesting depth
 - Fix exponential runtime in xmlFARecurseDeterminism