main/libxml2: security fix (CVE-2012-2807)

This should fix the issue for real.

fixes #1302

1 files changed, 97 insertions, 0 deletions

diff --git a/main/libxml2/libxml2-entities-local-buffers-size.patch b/main/libxml2/libxml2-entities-local-buffers-size.patch
new file mode 100644
index 0000000000..89817d8168
--- /dev/null
+++ b/main/libxml2/libxml2-entities-local-buffers-size.patch
@@ -0,0 +1,97 @@
+From 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 18 Jul 2012 03:38:17 +0000
+Subject: Fix entities local buffers size problems
+
+---
+diff --git a/entities.c b/entities.c
+index 6aef49f..859ec3b 100644
+--- a/entities.c
++++ b/entities.c
+@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+  * Macro used to grow the current buffer.
+  */
+ #define growBufferReentrant() {						\
+-    buffer_size *= 2;							\
+-    buffer = (xmlChar *)						\
+-    		xmlRealloc(buffer, buffer_size * sizeof(xmlChar));	\
+-    if (buffer == NULL) {						\
+-        xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
+-	return(NULL);							\
+-    }									\
++    xmlChar *tmp;                                                       \
++    size_t new_size = buffer_size *= 2;                                 \
++    if (new_size < buffer_size) goto mem_error;                         \
++    tmp = (xmlChar *) xmlRealloc(buffer, new_size);	                \
++    if (tmp == NULL) goto mem_error;                                    \
++    buffer = tmp;							\
++    buffer_size = new_size;						\
+ }
+ 
+ 
+@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     int html = 0;
+ 
+     if (input == NULL) return(NULL);
+@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 100) {
+-	    int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 100 > buffer_size) {
+ 
+ 	    growBufferReentrant();
+ 	    out = &buffer[indx];
+@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
+@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     if (input == NULL) return(NULL);
+ 
+     /*
+@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 10) {
+-	    int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 10 > buffer_size) {
+ 
+ 	    growBufferReentrant();
+ 	    out = &buffer[indx];
+@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
+--
+cgit v0.9.0.2