[packages/libxml2] - fixes for some integer overflows (CVE-2012-2807)
draenog
draenog at pld-linux.org
Mon Aug 6 22:21:12 CEST 2012
commit a893934de4fe4c4f16f5963818b8fb22f9bf33da
Author: Kacper Kornet <draenog at pld-linux.org>
Date: Mon Aug 6 21:02:28 2012 +0100
- fixes for some integer overflows (CVE-2012-2807)
libxml2-CVE-2012-2807.patch | 365 ++++++++++++++++++++++++++++++++++++++++++++
libxml2.spec | 4 +-
2 files changed, 368 insertions(+), 1 deletion(-)
---
diff --git a/libxml2-CVE-2012-2807.patch b/libxml2-CVE-2012-2807.patch
new file mode 100644
index 0000000..b31a080
--- /dev/null
+++ b/libxml2-CVE-2012-2807.patch
@@ -0,0 +1,365 @@
+From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Tue, 17 Jul 2012 16:19:17 +0800
+Subject: [PATCH 1/3] Fix parser local buffers size problems
+
+---
+ parser.c | 74 +++++++++++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 43 insertions(+), 31 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 2c38fae..9863275 100644
+--- a/parser.c
++++ b/parser.c
+@@ -40,6 +40,7 @@
+ #endif
+
+ #include <stdlib.h>
++#include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
+ #include <libxml/xmlmemory.h>
+@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ * parser option.
+ */
+ static int
+-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent)
+ {
+- unsigned long consumed = 0;
++ size_t consumed = 0;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+
+ /*
+ * Macro used to grow the current buffer.
++ * buffer##_size is expected to be a size_t
++ * mem_error: is expected to handle memory allocation failures
+ */
+ #define growBuffer(buffer, n) { \
+ xmlChar *tmp; \
+- buffer##_size *= 2; \
+- buffer##_size += n; \
+- tmp = (xmlChar *) \
+- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \
++ size_t new_size = buffer##_size * 2 + n; \
++ if (new_size < buffer##_size) goto mem_error; \
++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
+ if (tmp == NULL) goto mem_error; \
+ buffer = tmp; \
++ buffer##_size = new_size; \
+ }
+
+ /**
+@@ -2623,14 +2626,14 @@ xmlChar *
+ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ int what, xmlChar end, xmlChar end2, xmlChar end3) {
+ xmlChar *buffer = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
++ size_t nbchars = 0;
+
+ xmlChar *current = NULL;
+ xmlChar *rep = NULL;
+ const xmlChar *last;
+ xmlEntityPtr ent;
+ int c,l;
+- int nbchars = 0;
+
+ if ((ctxt == NULL) || (str == NULL) || (len < 0))
+ return(NULL);
+@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ * allocate a translation buffer.
+ */
+ buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
+- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
++ buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
+ if (buffer == NULL) goto mem_error;
+
+ /*
+@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ if (val != 0) {
+ COPY_BUF(0,buffer,nbchars,val);
+ }
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
+@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ if (ent->content != NULL) {
+ COPY_BUF(0,buffer,nbchars,ent->content[0]);
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ } else {
+@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+- if (nbchars >
+- buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ const xmlChar *cur = ent->name;
+
+ buffer[nbchars++] = '&';
+- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ }
+ for (;i > 0;i--)
+@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+- if (nbchars >
+- buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ } else {
+ COPY_BUF(l,buffer,nbchars,c);
+ str += l;
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
++ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ }
+ if (str < last)
+@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ xmlChar limit = 0;
+ xmlChar *buf = NULL;
+ xmlChar *rep = NULL;
+- int len = 0;
+- int buf_size = 0;
++ size_t len = 0;
++ size_t buf_size = 0;
+ int c, l, in_space = 0;
+ xmlChar *current = NULL;
+ xmlEntityPtr ent;
+@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * allocate a translation buffer.
+ */
+ buf_size = XML_PARSER_BUFFER_SIZE;
+- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
++ buf = (xmlChar *) xmlMallocAtomic(buf_size);
+ if (buf == NULL) goto mem_error;
+
+ /*
+@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+
+ if (val == '&') {
+ if (ctxt->replaceEntities) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ buf[len++] = '&';
+@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * The reparsing will be done in xmlStringGetNodeList()
+ * called by the attribute() function in SAX.c
+ */
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ buf[len++] = '&';
+@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ buf[len++] = ';';
+ }
+ } else if (val != 0) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ len += xmlCopyChar(0, &buf[len], val);
+@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ ctxt->nbentities += ent->owner;
+ if ((ent != NULL) &&
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ if ((ctxt->replaceEntities == 0) &&
+@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ current++;
+ } else
+ buf[len++] = *current++;
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ rep = NULL;
+ }
+ } else {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ if (ent->content != NULL)
+@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * Just output the reference
+ */
+ buf[len++] = '&';
+- while (len > buf_size - i - 10) {
++ while (len + i + 10 > buf_size) {
+ growBuffer(buf, i + 10);
+ }
+ for (;i > 0;i--)
+@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ if ((len != 0) || (!normalize)) {
+ if ((!normalize) || (!in_space)) {
+ COPY_BUF(l,buf,len,0x20);
+- while (len > buf_size - 10) {
++ while (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else {
+ in_space = 0;
+ COPY_BUF(l,buf,len,c);
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ }
+ } else
+ NEXT;
+- if (attlen != NULL) *attlen = len;
++
++ /*
++ * There we potentially risk an overflow, don't allow attribute value of
++ * lenght more than INT_MAX it is a very reasonnable assumption !
++ */
++ if (len >= INT_MAX) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++ "AttValue lenght too long\n");
++ goto mem_error;
++ }
++
++ if (attlen != NULL) *attlen = (int) len;
+ return(buf);
+
+ mem_error:
+--
+1.7.11.4
+
+From 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard at redhat.com>
+Date: Wed, 18 Jul 2012 11:38:17 +0800
+Subject: [PATCH 2/3] Fix entities local buffers size problems
+
+---
+ entities.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 6aef49f..859ec3b 100644
+--- a/entities.c
++++ b/entities.c
+@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+ * Macro used to grow the current buffer.
+ */
+ #define growBufferReentrant() { \
+- buffer_size *= 2; \
+- buffer = (xmlChar *) \
+- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \
+- if (buffer == NULL) { \
+- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
+- return(NULL); \
+- } \
++ xmlChar *tmp; \
++ size_t new_size = buffer_size * 2; \
++ if (new_size < buffer_size) goto mem_error; \
++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
++ if (tmp == NULL) goto mem_error; \
++ buffer = tmp; \
++ buffer_size = new_size; \
+ }
+
+
+@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ const xmlChar *cur = input;
+ xmlChar *buffer = NULL;
+ xmlChar *out = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
+ int html = 0;
+
+ if (input == NULL) return(NULL);
+@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ out = buffer;
+
+ while (*cur != '\0') {
+- if (out - buffer > buffer_size - 100) {
+- int indx = out - buffer;
++ size_t indx = out - buffer;
++ if (indx + 100 > buffer_size) {
+
+ growBufferReentrant();
+ out = &buffer[indx];
+@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ }
+ *out = 0;
+ return(buffer);
++
++mem_error:
++ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
++ xmlFree(buffer);
++ return(NULL);
+ }
+
+ /**
+@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ const xmlChar *cur = input;
+ xmlChar *buffer = NULL;
+ xmlChar *out = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
+ if (input == NULL) return(NULL);
+
+ /*
+@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ out = buffer;
+
+ while (*cur != '\0') {
+- if (out - buffer > buffer_size - 10) {
+- int indx = out - buffer;
++ size_t indx = out - buffer;
++ if (indx + 10 > buffer_size) {
+
+ growBufferReentrant();
+ out = &buffer[indx];
+@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ }
+ *out = 0;
+ return(buffer);
++
++mem_error:
++ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
++ xmlFree(buffer);
++ return(NULL);
+ }
+
+ /**
+--
+1.7.11.4
+
diff --git a/libxml2.spec b/libxml2.spec
index ea62ed7..1f4e331 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -14,7 +14,7 @@ Summary(pl.UTF-8): Biblioteka libXML wersja 2
Summary(pt_BR.UTF-8): Biblioteca libXML versão 2
Name: libxml2
Version: 2.8.0
-Release: 1
+Release: 2
Epoch: 1
License: MIT
Group: Libraries
@@ -24,6 +24,7 @@ Source0: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz
Patch0: %{name}-man_fixes.patch
Patch1: %{name}-open.gz.patch
Patch2: %{name}-largefile.patch
+Patch3: %{name}-CVE-2012-2807.patch
URL: http://xmlsoft.org/
BuildRequires: autoconf >= 2.59
BuildRequires: automake >= 1.4
@@ -142,6 +143,7 @@ Moduły języka Python dla biblioteki libxml2.
%patch1 -p1
%endif
%patch2 -p1
+%patch3 -p1
%build
%{__libtoolize}
More information about the pld-cvs-commit
mailing list