gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs.

* gnu/packages/patches/libxml2-CVE-2015-1819.patch,
  gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch,
  gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch,
  gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch,
  gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch,
  gnu/packages/patches/libxml2-CVE-2015-8035.patch,
  gnu/packages/patches/libxml2-bug-737840.patch,
  gnu/packages/patches/libxml2-bug-738805.patch,
  gnu/packages/patches/libxml2-bug-746048.patch,
  gnu/packages/patches/libxml2-bug-747437.patch,
  gnu/packages/patches/libxml2-bug-751603.patch,
  gnu/packages/patches/libxml2-bug-751631.patch,
  gnu/packages/patches/libxml2-bug-754946.patch,
  gnu/packages/patches/libxml2-bug-754947.patch,
  gnu/packages/patches/libxml2-bug-755857.patch,
  gnu/packages/patches/libxml2-fix-catalog-corruption.patch,
  gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch,
  gnu/packages/patches/libxml2-node-sort-order-pt1.patch,
  gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Add patches.
Mark H Weaver 2015-11-15 14:16:57 -05:00
parent 328a14e869
commit ee6bb0cc76
21 changed files with 1105 additions and 1 deletions


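--- a/gnu-system.am
+++ b/gnu-system.am
@@ -571,6 +571,25 @@ dist_patch_DATA = \
 gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 gnu/packages/patches/libwmf-CVE-2015-4695.patch \
 gnu/packages/patches/libwmf-CVE-2015-4696.patch \
+gnu/packages/patches/libxml2-CVE-2015-1819.patch \
+gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch \
+gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch \
+gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch \
+gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch \
+gnu/packages/patches/libxml2-CVE-2015-8035.patch \
+gnu/packages/patches/libxml2-bug-737840.patch \
+gnu/packages/patches/libxml2-bug-738805.patch \
+gnu/packages/patches/libxml2-bug-746048.patch \
+gnu/packages/patches/libxml2-bug-747437.patch \
+gnu/packages/patches/libxml2-bug-751603.patch \
+gnu/packages/patches/libxml2-bug-751631.patch \
+gnu/packages/patches/libxml2-bug-754946.patch \
+gnu/packages/patches/libxml2-bug-754947.patch \
+gnu/packages/patches/libxml2-bug-755857.patch \
+gnu/packages/patches/libxml2-fix-catalog-corruption.patch \
+gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch \
+gnu/packages/patches/libxml2-node-sort-order-pt1.patch \
+gnu/packages/patches/libxml2-node-sort-order-pt2.patch \
 gnu/packages/patches/lirc-localstatedir.patch \
 gnu/packages/patches/libpthread-glibc-preparation.patch \
 gnu/packages/patches/lm-sensors-hwmon-attrs.patch \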


@ -0,0 +1,176 @@
From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 14 Apr 2015 17:41:48 +0800
Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
One of the operation on the reader could resolve entities
leading to the classic expansion issue. Make sure the
buffer used for xmlreader operation is bounded.
Introduce a new allocation type for the buffers for this effect.
---
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
include/libxml/tree.h | 3 ++-
xmlreader.c | 20 +++++++++++++++++++-
3 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/buf.c b/buf.c
index 6efc7b6..07922ff 100644
--- a/buf.c
+++ b/buf.c
@@ -27,6 +27,7 @@
#include <libxml/tree.h>
#include <libxml/globals.h>
#include <libxml/tree.h>
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
#include "buf.h"
#define WITH_BUFFER_COMPAT
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
(scheme == XML_BUFFER_ALLOC_EXACT) ||
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
buf->alloc = scheme;
if (buf->buffer)
buf->buffer->alloc = scheme;
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
size = buf->use + len + 100;
#endif
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ if (size >= XML_MAX_TEXT_LENGTH)
+ size = XML_MAX_TEXT_LENGTH;
+ }
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
size_t start_buf = buf->content - buf->contentIO;
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
CHECK_COMPAT(buf)
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (size >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(0);
+ }
+ }
/* Don't resize if we don't have to */
if (size < buf->size)
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
}
needSize = buf->use + len + 2;
if (needSize > buf->size){
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+ */
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
+ return(-1);
+ }
+ }
if (!xmlBufResize(buf, needSize)){
xmlBufMemoryError(buf, "growing buffer");
return XML_ERR_NO_MEMORY;
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
index 2f90717..4a9b3bc 100644
--- a/include/libxml/tree.h
+++ b/include/libxml/tree.h
@@ -76,7 +76,8 @@ typedef enum {
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
} xmlBufferAllocationScheme;
/**
diff --git a/xmlreader.c b/xmlreader.c
index f19e123..471e7e2 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
"xmlNewTextReader : malloc failed\n");
return(NULL);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(ret->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (ret->sax == NULL) {
xmlBufFree(ret->buffer);
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
return(((xmlNsPtr) node)->href);
case XML_ATTRIBUTE_NODE:{
xmlAttrPtr attr = (xmlAttrPtr) node;
+ const xmlChar *ret;
if ((attr->children != NULL) &&
(attr->children->type == XML_TEXT_NODE) &&
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
"xmlTextReaderSetup : malloc failed\n");
return (NULL);
}
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
} else
xmlBufEmpty(reader->buffer);
xmlBufGetNodeContent(reader->buffer, node);
- return(xmlBufContent(reader->buffer));
+ ret = xmlBufContent(reader->buffer);
+ if (ret == NULL) {
+ /* error on the buffer best to reallocate */
+ xmlBufFree(reader->buffer);
+ reader->buffer = xmlBufCreateSize(100);
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
+ ret = BAD_CAST "";
+ }
+ return(ret);
}
break;
}
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
"xmlTextReaderSetup : malloc failed\n");
return (-1);
}
+ /* no operation on a reader should require a huge buffer */
+ xmlBufSetAllocationScheme(reader->buffer,
+ XML_BUFFER_ALLOC_BOUNDED);
if (reader->sax == NULL)
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
if (reader->sax == NULL) {
--
2.6.3
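Review bot: The recovery path in xmlTextReaderConstValue stores the result of `xmlBufCreateSize(100)` into `reader->buffer` and passes it straight to `xmlBufSetAllocationScheme` without checking it for NULL, whereas the allocation a few lines earlier in the same hunk (the "xmlTextReaderSetup : malloc failed" branch) does check; a failed reallocation here leaves a NULL buffer that the subsequent `ret = BAD_CAST ""` hides. I would add `if (reader->buffer == NULL) return(NULL);` directly after the `xmlBufCreateSize(100)` line, which appears to hand the problem to the existing NULL-buffer branch above on the next call. The bounded scheme caps every reader buffer at `XML_MAX_TEXT_LENGTH` unconditionally; if the reader is meant to honour XML_PARSE_HUGE the way the parser does, that is not visible in this patch and deserves a sentence in the `/* no operation on a reader should require a huge buffer */` comment. xmlTextReaderConstValue begins and ends outside the hunk.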


@ -0,0 +1,32 @@
From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:17:35 +0800
Subject: [PATCH] Stop parsing on entities boundaries errors
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
There are times, like on unterminated entities that it's preferable to
stop parsing, even if that means less error reporting. Entities are
feeding the parser on further processing, and if they are ill defined
then it's possible to get the parser to bug. Also do the same on
Conditional Sections if the input is broken, as the structure of
the document can't be guessed.
---
parser.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/parser.c b/parser.c
index a8d1b67..bbe97eb 100644
--- a/parser.c
+++ b/parser.c
@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
if (RAW != '>') {
xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
"xmlParseEntityDecl: entity %s not terminated\n", name);
+ xmlStopParser(ctxt);
} else {
if (input != ctxt->input) {
xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
--
2.6.3
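Review bot: After the added `xmlStopParser(ctxt);` execution continues into the rest of xmlParseEntityDecl, which lies outside this hunk, and nothing at the call site says whether the code that follows is expected to run on a stopped parser or is there for cleanup. A one-line comment at the call, e.g. `/* stop here: later errors would be noise; execution continues only so the locals below are released */` — if that is indeed the reason — would make the intent explicit to the next reader. The enclosing function starts and ends outside the hunk.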


@ -0,0 +1,49 @@
From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 23 Feb 2015 11:29:20 +0800
Subject: [PATCH] Cleanup conditional section error handling
For https://bugzilla.gnome.org/show_bug.cgi?id=744980
The error handling of Conditional Section also need to be
straightened as the structure of the document can't be
guessed on a failure there and it's better to stop parsing
as further errors are likely to be irrelevant.
---
parser.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/parser.c b/parser.c
index bbe97eb..fe603ac 100644
--- a/parser.c
+++ b/parser.c
@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
SKIP_BLANKS;
if (RAW != '[') {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ xmlStopParser(ctxt);
+ return;
} else {
if (ctxt->input->id != id) {
xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ xmlStopParser(ctxt);
+ return;
}
if (RAW == 0)
--
2.6.3


@ -0,0 +1,32 @@
From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 23 Oct 2015 19:02:28 +0800
Subject: [PATCH] Another variation of overflow in Conditional sections
Which happen after the previous fix to
https://bugzilla.gnome.org/show_bug.cgi?id=756456
But stopping the parser and exiting we didn't pop the intermediary entities
and doing the SKIP there applies on an input which may be too small
---
parser.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index a65e4cc..b9217ff 100644
--- a/parser.c
+++ b/parser.c
@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
"All markup of the conditional section is not in the same entity\n",
NULL, NULL);
}
- SKIP(3);
+ if ((ctxt-> instate != XML_PARSER_EOF) &&
+ ((ctxt->input->cur + 3) < ctxt->input->end))
+ SKIP(3);
}
}
--
2.6.3
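Review bot: `(ctxt->input->cur + 3) < ctxt->input->end` forms a pointer that can lie more than one element past the end of the input whenever fewer than three bytes remain, which is undefined behaviour in C even though only the comparison is wanted; compare lengths instead, `((ctxt->input->end - ctxt->input->cur) >= 3)`. The same form survives in the follow-up CVE-2015-7942-pt2 patch in this commit, which only changes `<` to `<=`, so the length form should go there too; there is also a stray space in `ctxt-> instate`. xmlParseConditionalSections starts and ends outside the hunk.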


@ -0,0 +1,28 @@
From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 27 Oct 2015 10:53:44 +0800
Subject: [PATCH] Fix an error in previous Conditional section patch
an off by one mistake in the change, led to error on correct
document where the end of the included entity was exactly
the end of the conditional section, leading to regtest failure
---
parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index b9217ff..d67b300 100644
--- a/parser.c
+++ b/parser.c
@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
NULL, NULL);
}
if ((ctxt-> instate != XML_PARSER_EOF) &&
- ((ctxt->input->cur + 3) < ctxt->input->end))
+ ((ctxt->input->cur + 3) <= ctxt->input->end))
SKIP(3);
}
}
--
2.6.3


@ -0,0 +1,31 @@
From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 3 Nov 2015 15:31:25 +0800
Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
For https://bugzilla.gnome.org/show_bug.cgi?id=757466
DoS when parsing specially crafted XML document if XZ support
is compiled in (which wasn't the case for 2.9.2 and master since
Nov 2013, fixed in next commit !)
---
xzlib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xzlib.c b/xzlib.c
index 0dcb9f4..1fab546 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
xz_error(state, LZMA_DATA_ERROR, "compressed data error");
return -1;
}
+ if (ret == LZMA_PROG_ERROR) {
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
} while (strm->avail_out && ret != LZMA_STREAM_END);
/* update available output and crc check value */
--
2.6.3
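Review bot: The new `LZMA_PROG_ERROR` test, like the `LZMA_DATA_ERROR` test just above it, enumerates a single failure code, so any other non-success status that lzma_code can return without producing output (for instance `LZMA_BUF_ERROR`) leaves `ret != LZMA_STREAM_END` and `avail_out` unchanged, and the `do … while` loop spins again — the same shape as the denial of service this patch fixes. A fail-closed check alongside the specific ones covers codes nobody listed: `if (ret != LZMA_OK && ret != LZMA_STREAM_END) { xz_error(state, ret, "decompression error"); return -1; }`. Whether earlier lines of the loop body, outside this hunk, already handle the remaining codes is not visible here. xz_decomp begins outside the hunk.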


@ -0,0 +1,88 @@
From ef709ce2f7b792d5fb69ed142796d743fb1eb388 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 10 Sep 2015 19:41:41 +0800
Subject: [PATCH] Fix the spurious ID already defined error
For https://bugzilla.gnome.org/show_bug.cgi?id=737840
the fix for 724903 introduced a regression on external entities carrying
IDs, revert that patch in part and add a specific test to avoid readding it
---
result/valid/737840.xml | 10 ++++++++++
result/valid/737840.xml.err | 0
result/valid/737840.xml.err.rdr | 0
test/valid/737840.xml | 10 ++++++++++
test/valid/dtds/737840.ent | 1 +
valid.c | 6 ++++--
6 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 result/valid/737840.xml
create mode 100644 result/valid/737840.xml.err
create mode 100644 result/valid/737840.xml.err.rdr
create mode 100644 test/valid/737840.xml
create mode 100644 test/valid/dtds/737840.ent
diff --git a/result/valid/737840.xml b/result/valid/737840.xml
new file mode 100644
index 0000000..433c6d6
--- /dev/null
+++ b/result/valid/737840.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!DOCTYPE root [
+<!ELEMENT root (elem)>
+<!ELEMENT elem (#PCDATA)>
+<!ATTLIST elem id ID #IMPLIED>
+<!ENTITY target SYSTEM "dtds/737840.ent">
+]>
+<root>
+ &target;
+</root>
diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err
new file mode 100644
index 0000000..e69de29
diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr
new file mode 100644
index 0000000..e69de29
diff --git a/test/valid/737840.xml b/test/valid/737840.xml
new file mode 100644
index 0000000..2d27b73
--- /dev/null
+++ b/test/valid/737840.xml
@@ -0,0 +1,10 @@
+<!DOCTYPE root [
+<!ELEMENT root (elem)>
+<!ELEMENT elem (#PCDATA)>
+<!ATTLIST elem id ID #IMPLIED>
+<!ENTITY target SYSTEM "dtds/737840.ent">
+]>
+
+<root>
+ &target;
+</root>
diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent
new file mode 100644
index 0000000..e972132
--- /dev/null
+++ b/test/valid/dtds/737840.ent
@@ -0,0 +1 @@
+<elem id="id0"/>
\ No newline at end of file
diff --git a/valid.c b/valid.c
index 409aa81..45a3f70 100644
--- a/valid.c
+++ b/valid.c
@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
/*
* The id is already defined in this DTD.
*/
- xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
- "ID %s already defined\n", value, NULL, NULL);
+ if (ctxt != NULL) {
+ xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED,
+ "ID %s already defined\n", value, NULL, NULL);
+ }
#endif /* LIBXML_VALID_ENABLED */
xmlFreeID(ret);
return(NULL);
--
2.6.3
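Review bot: The new `if (ctxt != NULL)` guard in xmlAddID silently drops the duplicate-ID report when no validation context is passed, and the reason lives only in the commit message (external entities carrying IDs, bug 737840), so a reader of valid.c alone cannot tell whether a NULL ctxt is a legitimate caller or a bug. I would precede the guard with `/* No validation context (tree operations call xmlAddID(NULL, ...)): the duplicate is still rejected below, just not reported — bug 737840 */`. The xmlSetTreeDoc patch in this same commit relies on exactly this path with `xmlAddID(NULL, doc, idVal, prop)`. xmlAddID starts and ends outside the hunk.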


@ -0,0 +1,31 @@
From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 23 Oct 2014 11:35:36 +0800
Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix
For https://bugzilla.gnome.org/show_bug.cgi?id=738805
The fix for CVE-2014-3660 introduced a regression in some case
where entity substitution is required and the entity is used
first in anotther entity referenced from an attribute value
---
parser.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index 67c9dfd..a8d1b67 100644
--- a/parser.c
+++ b/parser.c
@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
* far more secure as the parser will only process data coming from
* the document entity by default.
*/
- if ((ent->checked == 0) &&
+ if (((ent->checked == 0) ||
+ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) &&
((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
(ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
unsigned long oldnbent = ctxt->nbentities;
--
2.6.3
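Review bot: The new disjunct `((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))` re-enters the entity parsing branch on every reference to an entity that was already checked but has no children, and nothing in the hunk marks such an entity as done, so an entity whose replacement text is genuinely empty is re-parsed per reference rather than once. That appears to stay bounded by the `nbentities` accounting that starts at `unsigned long oldnbent = ctxt->nbentities;`, but the condition deserves a comment so that the next audit of the CVE-2014-3660 fix does not read it as a bypass, e.g. `/* re-parse when substitution is on and an earlier pass without NOENT left no children — bug 738805 */`. xmlParseReference starts and ends outside the hunk.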


@ -0,0 +1,65 @@
From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 30 Oct 2015 21:14:55 +0800
Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
For https://bugzilla.gnome.org/show_bug.cgi?id=746048
The HTML parser was too optimistic when processing comments and
didn't check for the end of the stream on the first 2 characters
---
HTMLparser.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/HTMLparser.c b/HTMLparser.c
index 19c10c3..bdf7807 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
ctxt->instate = state;
return;
}
+ len = 0;
+ buf[len] = 0;
q = CUR_CHAR(ql);
+ if (!IS_CHAR(q))
+ goto unfinished;
NEXTL(ql);
r = CUR_CHAR(rl);
+ if (!IS_CHAR(r))
+ goto unfinished;
NEXTL(rl);
cur = CUR_CHAR(l);
- len = 0;
while (IS_CHAR(cur) &&
((cur != '>') ||
(r != '-') || (q != '-'))) {
@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) {
}
}
buf[len] = 0;
- if (!IS_CHAR(cur)) {
- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
- "Comment not terminated \n<!--%.50s\n", buf, NULL);
- xmlFree(buf);
- } else {
+ if (IS_CHAR(cur)) {
NEXT;
if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
(!ctxt->disableSAX))
ctxt->sax->comment(ctxt->userData, buf);
xmlFree(buf);
+ ctxt->instate = state;
+ return;
}
- ctxt->instate = state;
+
+unfinished:
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ xmlFree(buf);
}
/**
--
2.6.3
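Review bot: The old code restored `ctxt->instate = state;` on both the terminated and the unterminated path (it is the last line removed in the second hunk), but the new code restores it only on the success path before `return`, so after `unfinished:` the parser is left in the comment state. Unless that is intended, add `ctxt->instate = state;` after the `xmlFree(buf);` that follows the error report. The first hunk also moves `buf[len] = 0;` ahead of the first `CUR_CHAR`, which is what makes the `%.50s` in the error message safe on the early `goto unfinished`; a one-line comment there would keep a future cleanup from moving it back. htmlParseComment begins outside the hunk.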


@ -0,0 +1,46 @@
From 8985cde70901c62d3f0f04da225e73b7344a52d7 Mon Sep 17 00:00:00 2001
From: Martin von Gagern <Martin.vGagern@gmx.net>
Date: Mon, 13 Apr 2015 16:32:14 +0800
Subject: [PATCH] xmlMemUsed is not thread-safe
For https://bugzilla.gnome.org/show_bug.cgi?id=747437
just use the mutex to protect access to those variables
---
xmlmemory.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/xmlmemory.c b/xmlmemory.c
index a3dc737..f24fd6d 100644
--- a/xmlmemory.c
+++ b/xmlmemory.c
@@ -554,7 +554,12 @@ xmlMemoryStrdup(const char *str) {
int
xmlMemUsed(void) {
- return(debugMemSize);
+ int res;
+
+ xmlMutexLock(xmlMemMutex);
+ res = debugMemSize;
+ xmlMutexUnlock(xmlMemMutex);
+ return(res);
}
/**
@@ -567,7 +572,12 @@ xmlMemUsed(void) {
int
xmlMemBlocks(void) {
- return(debugMemBlocks);
+ int res;
+
+ xmlMutexLock(xmlMemMutex);
+ res = debugMemBlocks;
+ xmlMutexUnlock(xmlMemMutex);
+ return(res);
}
#ifdef MEM_LIST
--
2.6.3


@ -0,0 +1,38 @@
From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 29 Jun 2015 09:08:25 +0800
Subject: [PATCH] Do not process encoding values if the declaration if broken
For https://bugzilla.gnome.org/show_bug.cgi?id=751603
If the string is not properly terminated do not try to convert
to the given encoding.
---
parser.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/parser.c b/parser.c
index fe603ac..a3a9568 100644
--- a/parser.c
+++ b/parser.c
@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
encoding = xmlParseEncName(ctxt);
if (RAW != '"') {
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
+ xmlFree((xmlChar *) encoding);
+ return(NULL);
} else
NEXT;
} else if (RAW == '\''){
@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
encoding = xmlParseEncName(ctxt);
if (RAW != '\'') {
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
+ xmlFree((xmlChar *) encoding);
+ return(NULL);
} else
NEXT;
} else {
--
2.6.3


@ -0,0 +1,35 @@
From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 29 Jun 2015 16:10:26 +0800
Subject: [PATCH] Fail parsing early on if encoding conversion failed
For https://bugzilla.gnome.org/show_bug.cgi?id=751631
If we fail conversing the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.
---
parser.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/parser.c b/parser.c
index a3a9568..0edd53b 100644
--- a/parser.c
+++ b/parser.c
@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) {
handler = xmlFindCharEncodingHandler((const char *) encoding);
if (handler != NULL) {
- xmlSwitchToEncoding(ctxt, handler);
+ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
+ /* failed to convert */
+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
+ return(NULL);
+ }
} else {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
"Unsupported encoding %s\n", encoding);
--
2.6.3
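Review bot: The new early return after a failed `xmlSwitchToEncoding` does not release `encoding`, while the two error returns added to the same function by the bug-751603 patch in this commit each call `xmlFree((xmlChar *) encoding)` before `return(NULL)`; if `encoding` is still owned here (it is the string just handed to `xmlFindCharEncodingHandler`), this path leaks it on every document with an unconvertible declared encoding. Add `xmlFree((xmlChar *) encoding);` before the `return(NULL)`. Setting `ctxt->errNo` without reporting an error also means the caller sees no diagnostic for this failure unless xmlSwitchToEncoding emitted one itself, which is not visible in the hunk. xmlParseEncodingDecl starts and ends outside the hunk.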


@ -0,0 +1,132 @@
From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 15 Sep 2015 16:50:32 +0800
Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer
For https://bugzilla.gnome.org/show_bug.cgi?id=754946
When hitting the end of the current input buffer while parsing
a name we could end up loosing the beginning of the name, which
led to various issues.
---
parser.c | 29 ++++++++++++++++++++---------
result/errors/754946.xml | 0
result/errors/754946.xml.err | 16 ++++++++++++++++
result/errors/754946.xml.str | 4 ++++
test/errors/754946.xml | 1 +
5 files changed, 41 insertions(+), 9 deletions(-)
create mode 100644 result/errors/754946.xml
create mode 100644 result/errors/754946.xml.err
create mode 100644 result/errors/754946.xml.str
create mode 100644 test/errors/754946.xml
diff --git a/parser.c b/parser.c
index 0edd53b..fd29a39 100644
--- a/parser.c
+++ b/parser.c
@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
c = CUR_CHAR(l);
if (c == 0) {
count = 0;
+ /*
+ * when shrinking to extend the buffer we really need to preserve
+ * the part of the name we already parsed. Hence rolling back
+ * by current lenght.
+ */
+ ctxt->input->cur -= l;
GROW;
+ ctxt->input->cur += l;
if (ctxt->instate == XML_PARSER_EOF)
return(NULL);
end = ctxt->input->cur;
@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
static const xmlChar *
xmlParseNCName(xmlParserCtxtPtr ctxt) {
- const xmlChar *in;
+ const xmlChar *in, *e;
const xmlChar *ret;
int count = 0;
@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
* Accelerator for simple ASCII names
*/
in = ctxt->input->cur;
- if (((*in >= 0x61) && (*in <= 0x7A)) ||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
- (*in == '_')) {
+ e = ctxt->input->end;
+ if ((((*in >= 0x61) && (*in <= 0x7A)) ||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
+ (*in == '_')) && (in < e)) {
in++;
- while (((*in >= 0x61) && (*in <= 0x7A)) ||
- ((*in >= 0x41) && (*in <= 0x5A)) ||
- ((*in >= 0x30) && (*in <= 0x39)) ||
- (*in == '_') || (*in == '-') ||
- (*in == '.'))
+ while ((((*in >= 0x61) && (*in <= 0x7A)) ||
+ ((*in >= 0x41) && (*in <= 0x5A)) ||
+ ((*in >= 0x30) && (*in <= 0x39)) ||
+ (*in == '_') || (*in == '-') ||
+ (*in == '.')) && (in < e))
in++;
+ if (in >= e)
+ goto complex;
if ((*in > 0) && (*in < 0x80)) {
count = in - ctxt->input->cur;
if ((count > XML_MAX_NAME_LENGTH) &&
@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
return(ret);
}
}
+complex:
return(xmlParseNCNameComplex(ctxt));
}
diff --git a/result/errors/754946.xml b/result/errors/754946.xml
new file mode 100644
index 0000000..e69de29
diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err
new file mode 100644
index 0000000..423dff5
--- /dev/null
+++ b/result/errors/754946.xml.err
@@ -0,0 +1,16 @@
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
+
+ %SYSTEM;
+ ^
+Entity: line 1:
+A<lbbbbbbbbbbbbbbbbbbb_
+^
+Entity: line 1: parser error : DOCTYPE improperly terminated
+ %SYSTEM;
+ ^
+Entity: line 1:
+A<lbbbbbbbbbbbbbbbbbbb_
+^
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+<!DOCTYPEA[<!ENTITY %
+ ^
diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str
new file mode 100644
index 0000000..3b748cc
--- /dev/null
+++ b/result/errors/754946.xml.str
@@ -0,0 +1,4 @@
+./test/errors/754946.xml:1: parser error : Extra content at the end of the document
+<!DOCTYPEA[<!ENTITY %
+ ^
+./test/errors/754946.xml : failed to parse
diff --git a/test/errors/754946.xml b/test/errors/754946.xml
new file mode 100644
index 0000000..6b5f9b0
--- /dev/null
+++ b/test/errors/754946.xml
@@ -0,0 +1 @@
+<!DOCTYPEA[<!ENTITY % SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_" >%SYSTEM;<![
\ No newline at end of file
--
2.6.3
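Review bot: In xmlParseNCName the new bounds checks run after the dereference they are meant to guard: `(… (*in == '_')) && (in < e)` reads `*in` first and only then tests `in < e`, in both the `if` and the `while`. Put the range test first, `(in < e) && (…)`, so the byte at `end` is never read; libxml2 input buffers are normally NUL-terminated, which is presumably why this works in practice, but the current order defeats the purpose of the check. In xmlParseNCNameComplex, `ctxt->input->cur -= l; GROW; ctxt->input->cur += l;` presupposes that GROW keeps `cur` valid across a buffer reallocation — if it does, say so in the comment already there; if it does not, the `+= l` is applied to a stale pointer. Both functions begin outside their hunks.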


@ -0,0 +1,103 @@
From 4a5d80aded1da94cd55294e7207109712201b75b Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 18 Sep 2015 15:06:46 +0800
Subject: [PATCH] Fix a bug in CData error handling in the push parser
For https://bugzilla.gnome.org/show_bug.cgi?id=754947
The checking function was returning incorrect args in some cases
Adds the test to teh reg suite and fix one of the existing test output
---
parser.c | 6 +++---
result/errors/754947.xml | 0
result/errors/754947.xml.err | 7 +++++++
result/errors/754947.xml.str | 5 +++++
result/errors/cdata.xml.str | 4 ++--
test/errors/754947.xml | 1 +
6 files changed, 18 insertions(+), 5 deletions(-)
create mode 100644 result/errors/754947.xml
create mode 100644 result/errors/754947.xml.err
create mode 100644 result/errors/754947.xml.str
create mode 100644 test/errors/754947.xml
diff --git a/parser.c b/parser.c
index fd29a39..f1724a9 100644
--- a/parser.c
+++ b/parser.c
@@ -11192,7 +11192,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
else
return(-ix);
} else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */
- if (ix + 2 > len) return(ix);
+ if (ix + 2 > len) return(-ix);
if ((utf[ix+1] & 0xc0 ) != 0x80)
return(-ix);
codepoint = (utf[ix] & 0x1f) << 6;
@@ -11201,7 +11201,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
return(-ix);
ix += 2;
} else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */
- if (ix + 3 > len) return(ix);
+ if (ix + 3 > len) return(-ix);
if (((utf[ix+1] & 0xc0) != 0x80) ||
((utf[ix+2] & 0xc0) != 0x80))
return(-ix);
@@ -11212,7 +11212,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) {
return(-ix);
ix += 3;
} else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */
- if (ix + 4 > len) return(ix);
+ if (ix + 4 > len) return(-ix);
if (((utf[ix+1] & 0xc0) != 0x80) ||
((utf[ix+2] & 0xc0) != 0x80) ||
((utf[ix+3] & 0xc0) != 0x80))
diff --git a/result/errors/754947.xml b/result/errors/754947.xml
new file mode 100644
index 0000000..e69de29
diff --git a/result/errors/754947.xml.err b/result/errors/754947.xml.err
new file mode 100644
index 0000000..f45cb5a
--- /dev/null
+++ b/result/errors/754947.xml.err
@@ -0,0 +1,7 @@
+./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding !
+Bytes: 0xEE 0x5D 0x5D 0x3E
+<d><![CDATA[0000000000000î]]>
+ ^
+./test/errors/754947.xml:1: parser error : Premature end of data in tag d line 1
+<d><![CDATA[0000000000000î]]>
+ ^
diff --git a/result/errors/754947.xml.str b/result/errors/754947.xml.str
new file mode 100644
index 0000000..4d2f52e
--- /dev/null
+++ b/result/errors/754947.xml.str
@@ -0,0 +1,5 @@
+./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding !
+Bytes: 0xEE 0x5D 0x5D 0x3E
+<d><![CDATA[0000000000000î]]>
+ ^
+./test/errors/754947.xml : failed to parse
diff --git a/result/errors/cdata.xml.str b/result/errors/cdata.xml.str
index e043441..cf83d2b 100644
--- a/result/errors/cdata.xml.str
+++ b/result/errors/cdata.xml.str
@@ -1,5 +1,5 @@
./test/errors/cdata.xml:2: parser error : Input is not proper UTF-8, indicate encoding !
-Bytes: 0x5B 0x43 0xE1 0x72
+Bytes: 0xE1 0x72 0x5D 0x5D
<A><![CDATA[Cár]]></A>
- ^
+ ^
./test/errors/cdata.xml : failed to parse
diff --git a/test/errors/754947.xml b/test/errors/754947.xml
new file mode 100644
index 0000000..bd9997e
--- /dev/null
+++ b/test/errors/754947.xml
@@ -0,0 +1 @@
+<d><![CDATA[0000000000000î]]>
\ No newline at end of file
--
2.6.3
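Review bot: After this change xmlCheckCdataPush returns `-ix` both for a malformed multibyte sequence and for one that is merely cut off by `len`, so callers can no longer tell "need more input" from "bad UTF-8" by the sign of the result. If that is the intended contract it belongs in the function's header comment, e.g. `/* Returns the count of leading bytes that form complete, valid UTF-8, or -(index) of the first byte that is invalid or incomplete */`; if callers are expected to distinguish the two, a separate return convention is needed. xmlCheckCdataPush starts and ends outside the hunks.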


@ -0,0 +1,43 @@
From cf77e60515045bdd66f2c59c69a06e603b470eae Mon Sep 17 00:00:00 2001
From: Gaurav Gupta <g.gupta@samsung.com>
Date: Wed, 30 Sep 2015 14:46:29 +0200
Subject: [PATCH] Add missing Null check in xmlParseExternalEntityPrivate
For https://bugzilla.gnome.org/show_bug.cgi?id=755857
a case where we check for NULL but not everywhere
---
parser.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/parser.c b/parser.c
index f1724a9..a65e4cc 100644
--- a/parser.c
+++ b/parser.c
@@ -13367,7 +13367,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt,
/*
* Also record the size of the entity parsed
*/
- if (ctxt->input != NULL) {
+ if (ctxt->input != NULL && oldctxt != NULL) {
oldctxt->sizeentities += ctxt->input->consumed;
oldctxt->sizeentities += (ctxt->input->cur - ctxt->input->base);
}
@@ -13379,9 +13379,11 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt,
if (sax != NULL)
ctxt->sax = oldsax;
- oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
- oldctxt->node_seq.length = ctxt->node_seq.length;
- oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+ if (oldctxt != NULL) {
+ oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
+ oldctxt->node_seq.length = ctxt->node_seq.length;
+ oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
+ }
ctxt->node_seq.maximum = 0;
ctxt->node_seq.length = 0;
ctxt->node_seq.buffer = NULL;
--
2.6.3
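Review bot: `if (ctxt->input != NULL && oldctxt != NULL)` departs from the fully parenthesised `(a) && (b)` form used elsewhere in this file (compare the xmlParseReference hunk in this same commit); `if ((ctxt->input != NULL) && (oldctxt != NULL))` keeps the style uniform. More substantively, when `oldctxt` is NULL the node_seq fields are no longer handed back, yet `ctxt->node_seq.buffer = NULL;` still drops ctxt's reference to that buffer; if the buffer was allocated for ctxt rather than borrowed from oldctxt earlier in the function (not visible here), the NULL path now leaks it and would need an `xmlFree` in an `else` branch. xmlParseExternalEntityPrivate starts and ends outside the hunks.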


@ -0,0 +1,29 @@
From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 17 Oct 2014 17:13:41 +0800
Subject: [PATCH] Revert "Missing initialization for the catalog module"
This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7.
As this break xmlcatalog command
https://bugzilla.redhat.com/show_bug.cgi?id=1153753
---
parser.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/parser.c b/parser.c
index 1d93967..67c9dfd 100644
--- a/parser.c
+++ b/parser.c
@@ -14830,9 +14830,6 @@ xmlInitParser(void) {
#ifdef LIBXML_XPATH_ENABLED
xmlXPathInit();
#endif
-#ifdef LIBXML_CATALOG_ENABLED
- xmlInitializeCatalog();
-#endif
xmlParserInitialized = 1;
#ifdef LIBXML_THREAD_ENABLED
}
--
2.6.3


@ -0,0 +1,36 @@
From f54d6a929af2a570396f0595a0e29064c908c12e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 19 Dec 2014 00:08:35 +0100
Subject: [PATCH] Account for ID attributes in xmlSetTreeDoc
---
tree.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tree.c b/tree.c
index 6ec9223..c6323b4 100644
--- a/tree.c
+++ b/tree.c
@@ -2799,8 +2799,19 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
if(tree->type == XML_ELEMENT_NODE) {
prop = tree->properties;
while (prop != NULL) {
+ if (prop->atype == XML_ATTRIBUTE_ID) {
+ xmlRemoveID(tree->doc, prop);
+ }
+
prop->doc = doc;
xmlSetListDoc(prop->children, doc);
+
+ if (xmlIsID(doc, tree, prop)) {
+ xmlChar *idVal = xmlNodeListGetString(doc, prop->children,
+ 1);
+ xmlAddID(NULL, doc, idVal, prop);
+ }
+
prop = prop->next;
}
}
--
2.6.3
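Review bot: `idVal`, returned by `xmlNodeListGetString`, is heap-allocated and never released after `xmlAddID(NULL, doc, idVal, prop)`; xmlAddID is not shown here, but if it copies the value into its own record — the valid.c hunk in this commit freeing that record with `xmlFreeID` suggests it does — every element with an ID attribute moved between documents leaks a string. Add `xmlFree(idVal);` after the xmlAddID call. `xmlRemoveID(tree->doc, prop)` is also reached with whatever `tree->doc` holds, including NULL for a detached tree; xmlRemoveID presumably tolerates that, but a comment would save the next reader a lookup. xmlSetTreeDoc starts and ends outside the hunk.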


@ -0,0 +1,33 @@
From ba58f23c60862f2158b457f4d30031761bf4dde1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 8 Mar 2015 16:44:11 +0100
Subject: [PATCH] Fix order of root nodes
Make sure root nodes are sorted before other nodes.
---
xpath.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xpath.c b/xpath.c
index ffd2a48..e9f5bf9 100644
--- a/xpath.c
+++ b/xpath.c
@@ -361,13 +361,13 @@ turtle_comparison:
/*
* compute depth to root
*/
- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+ for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
if (cur == node1)
return(1);
depth2++;
}
root = cur;
- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+ for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
if (cur == node2)
return(-1);
depth1++;
--
2.6.3


@ -0,0 +1,37 @@
From 3eaedba1b64180668fdab7ad2eba549586017bf3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 11 Jul 2015 14:27:34 +0200
Subject: [PATCH] Fix previous change to node sort order
Commit ba58f23 broke comparison of nodes from different documents.
Thanks to Olli Pottonen for the report.
---
xpath.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xpath.c b/xpath.c
index e9f5bf9..935fcff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -361,14 +361,14 @@ turtle_comparison:
/*
* compute depth to root
*/
- for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) {
- if (cur == node1)
+ for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) {
+ if (cur->parent == node1)
return(1);
depth2++;
}
root = cur;
- for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) {
- if (cur == node2)
+ for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) {
+ if (cur->parent == node2)
return(-1);
depth1++;
}
--
2.6.3
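Review bot: With the in-loop test changed to `cur->parent == node1`, the case `node1 == node2` is no longer caught by the first iteration (the original `cur == node1` form did catch it), so it must be handled before `turtle_comparison:`; that code is outside the hunk, so please confirm it is. Both loops also dereference `cur->parent` unconditionally, which presupposes non-NULL `node1` and `node2` — worth a one-line comment at the loops, e.g. `/* node1 and node2 are non-NULL and distinct here */`, if the earlier checks guarantee it. The enclosing function begins and ends outside the hunk.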


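--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -70,7 +70,28 @@ things the parser might find in the XML document (like start tags).")
 version ".tar.gz"))
 (sha256
 (base32
-"1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))))
+"1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i"))
+(patches
+(map search-patch
+'("libxml2-fix-catalog-corruption.patch"
+"libxml2-bug-738805.patch"
+"libxml2-id-attrs-in-xmlSetTreeDoc.patch"
+"libxml2-CVE-2015-7941-pt1.patch"
+"libxml2-CVE-2015-7941-pt2.patch"
+"libxml2-node-sort-order-pt1.patch"
+"libxml2-bug-747437.patch"
+"libxml2-CVE-2015-1819.patch"
+"libxml2-bug-751603.patch"
+"libxml2-bug-751631.patch"
+"libxml2-node-sort-order-pt2.patch"
+"libxml2-bug-737840.patch"
+"libxml2-bug-754946.patch"
+"libxml2-bug-754947.patch"
+"libxml2-bug-755857.patch"
+"libxml2-CVE-2015-7942-pt1.patch"
+"libxml2-CVE-2015-7942-pt2.patch"
+"libxml2-bug-746048.patch"
+"libxml2-CVE-2015-8035.patch")))))
 (build-system gnu-build-system)
 (home-page "http://www.xmlsoft.org/")
 (synopsis "C parser for XML")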
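Review bot: The order of the quoted patch list is load-bearing and nothing in the file says so: the parser.c patches chain on one another (each one's `index` line names the blob the previous one produced — bug-738805 ends at a8d1b67 and CVE-2015-7941-pt1 starts from a8d1b67, and so on through CVE-2015-7942-pt2), so sorting the list alphabetically as gnu-system.am does would make them fail to apply. A comment above the list, `;; Keep in upstream commit order: the parser.c patches apply on top of each other.`, would protect that. The enclosing package definition starts and ends outside the hunk.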