authorNatanael Copa <ncopa@alpinelinux.org>2012-08-16 11:33:04 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-08-16 11:33:04 +0000
commit9ea0026f1b97a1d6d0220cb4254220c733a579e6 (patch)
tree8fa83a703ee9015a289da92bdaacb92e5a2399a5 /main/libxml2
parentcf1eed4d24827742d760b5a21d108be4c7e8d58b (diff)
main/libxml2: security fix (CVE-2012-2807)
This should fix the issue for real. Fixes #1302.
Diffstat (limited to 'main/libxml2')
-rw-r--r--main/libxml2/APKBUILD13
-rw-r--r--main/libxml2/libxml2-entities-local-buffers-size.patch97
-rw-r--r--main/libxml2/libxml2-entities-local-buffers-size2.patch21
-rw-r--r--main/libxml2/libxml2-parser-local-buffers-size.patch260
4 files changed, 388 insertions, 3 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index df42cfb7a..7c31766c1 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.8.0
-pkgrel=0
+pkgrel=1
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -11,7 +11,11 @@ depends=
depends_dev="zlib-dev python-dev"
makedepends="zlib-dev python-dev"
subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
-source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"
+source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
+ libxml2-entities-local-buffers-size.patch
+ libxml2-entities-local-buffers-size2.patch
+ libxml2-parser-local-buffers-size.patch
+ "
options="!strip"
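Review bot: Nothing in the diff touches build() or prepare(), so if the existing build() does not already iterate over `$source` and apply the `*.patch` entries, the three patches added to `source` here are fetched and checksummed but never applied to entities.c and parser.c; that is worth verifying before the rebuild, since the pkgrel bump alone would otherwise ship an unpatched libxml2 under a CVE-2012-2807 changelog entry. Patch order also matters: libxml2-entities-local-buffers-size2.patch only corrects the `buffer_size *= 2` line introduced by libxml2-entities-local-buffers-size.patch, so the listed order must be preserved or the follow-up fails to apply. The tarball is fetched over plain ftp:// and its integrity rests on md5sums alone; if the abuild in use supports sha256sums or sha512sums, recording one of those gives a stronger check for an unauthenticated transport.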
@@ -58,4 +62,7 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="c62106f02ee00b6437f0fb9d370c1093 libxml2-2.8.0.tar.gz"
+md5sums="c62106f02ee00b6437f0fb9d370c1093 libxml2-2.8.0.tar.gz
+c8c789a4fbdae599a47ecbfa32b889d7 libxml2-entities-local-buffers-size.patch
+cba1201e77dc0f3e337d9ff146a2666e libxml2-entities-local-buffers-size2.patch
+6c5c7a125dddb616feb1b2f4254bf467 libxml2-parser-local-buffers-size.patch"
diff --git a/main/libxml2/libxml2-entities-local-buffers-size.patch b/main/libxml2/libxml2-entities-local-buffers-size.patch
new file mode 100644
index 000000000..89817d816
--- /dev/null
+++ b/main/libxml2/libxml2-entities-local-buffers-size.patch
@@ -0,0 +1,97 @@
+From 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 18 Jul 2012 03:38:17 +0000
+Subject: Fix entities local buffers size problems
+
+---
+diff --git a/entities.c b/entities.c
+index 6aef49f..859ec3b 100644
+--- a/entities.c
++++ b/entities.c
+@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+ * Macro used to grow the current buffer.
+ */
+ #define growBufferReentrant() { \
+- buffer_size *= 2; \
+- buffer = (xmlChar *) \
+- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \
+- if (buffer == NULL) { \
+- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
+- return(NULL); \
+- } \
++ xmlChar *tmp; \
++ size_t new_size = buffer_size *= 2; \
++ if (new_size < buffer_size) goto mem_error; \
++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
++ if (tmp == NULL) goto mem_error; \
++ buffer = tmp; \
++ buffer_size = new_size; \
+ }
+
+
+@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ const xmlChar *cur = input;
+ xmlChar *buffer = NULL;
+ xmlChar *out = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
+ int html = 0;
+
+ if (input == NULL) return(NULL);
+@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ out = buffer;
+
+ while (*cur != '\0') {
+- if (out - buffer > buffer_size - 100) {
+- int indx = out - buffer;
++ size_t indx = out - buffer;
++ if (indx + 100 > buffer_size) {
+
+ growBufferReentrant();
+ out = &buffer[indx];
+@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+ }
+ *out = 0;
+ return(buffer);
++
++mem_error:
++ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
++ xmlFree(buffer);
++ return(NULL);
+ }
+
+ /**
+@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ const xmlChar *cur = input;
+ xmlChar *buffer = NULL;
+ xmlChar *out = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
+ if (input == NULL) return(NULL);
+
+ /*
+@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ out = buffer;
+
+ while (*cur != '\0') {
+- if (out - buffer > buffer_size - 10) {
+- int indx = out - buffer;
++ size_t indx = out - buffer;
++ if (indx + 10 > buffer_size) {
+
+ growBufferReentrant();
+ out = &buffer[indx];
+@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+ }
+ *out = 0;
+ return(buffer);
++
++mem_error:
++ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
++ xmlFree(buffer);
++ return(NULL);
+ }
+
+ /**
+--
+cgit v0.9.0.2
diff --git a/main/libxml2/libxml2-entities-local-buffers-size2.patch b/main/libxml2/libxml2-entities-local-buffers-size2.patch
new file mode 100644
index 000000000..f3cc8b65e
--- /dev/null
+++ b/main/libxml2/libxml2-entities-local-buffers-size2.patch
@@ -0,0 +1,21 @@
+From baaf03f80f817bb34c421421e6cb4d68c353ac9a Mon Sep 17 00:00:00 2001
+From: Aron Xu <happyaron.xu@gmail.com>
+Date: Fri, 20 Jul 2012 07:41:34 +0000
+Subject: Fix an error in previous commit
+
+---
+diff --git a/entities.c b/entities.c
+index 859ec3b..7d06820 100644
+--- a/entities.c
++++ b/entities.c
+@@ -529,7 +529,7 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+ */
+ #define growBufferReentrant() { \
+ xmlChar *tmp; \
+- size_t new_size = buffer_size *= 2; \
++ size_t new_size = buffer_size * 2; \
+ if (new_size < buffer_size) goto mem_error; \
+ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
+ if (tmp == NULL) goto mem_error; \
+--
+cgit v0.9.0.2
diff --git a/main/libxml2/libxml2-parser-local-buffers-size.patch b/main/libxml2/libxml2-parser-local-buffers-size.patch
new file mode 100644
index 000000000..5b9adabac
--- /dev/null
+++ b/main/libxml2/libxml2-parser-local-buffers-size.patch
@@ -0,0 +1,260 @@
+From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 17 Jul 2012 08:19:17 +0000
+Subject: Fix parser local buffers size problems
+
+---
+diff --git a/parser.c b/parser.c
+index 2c38fae..9863275 100644
+--- a/parser.c
++++ b/parser.c
+@@ -40,6 +40,7 @@
+ #endif
+
+ #include <stdlib.h>
++#include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
+ #include <libxml/xmlmemory.h>
+@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+ * parser option.
+ */
+ static int
+-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent)
+ {
+- unsigned long consumed = 0;
++ size_t consumed = 0;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+
+ /*
+ * Macro used to grow the current buffer.
++ * buffer##_size is expected to be a size_t
++ * mem_error: is expected to handle memory allocation failures
+ */
+ #define growBuffer(buffer, n) { \
+ xmlChar *tmp; \
+- buffer##_size *= 2; \
+- buffer##_size += n; \
+- tmp = (xmlChar *) \
+- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \
++ size_t new_size = buffer##_size * 2 + n; \
++ if (new_size < buffer##_size) goto mem_error; \
++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \
+ if (tmp == NULL) goto mem_error; \
+ buffer = tmp; \
++ buffer##_size = new_size; \
+ }
+
+ /**
+@@ -2623,14 +2626,14 @@ xmlChar *
+ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ int what, xmlChar end, xmlChar end2, xmlChar end3) {
+ xmlChar *buffer = NULL;
+- int buffer_size = 0;
++ size_t buffer_size = 0;
++ size_t nbchars = 0;
+
+ xmlChar *current = NULL;
+ xmlChar *rep = NULL;
+ const xmlChar *last;
+ xmlEntityPtr ent;
+ int c,l;
+- int nbchars = 0;
+
+ if ((ctxt == NULL) || (str == NULL) || (len < 0))
+ return(NULL);
+@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ * allocate a translation buffer.
+ */
+ buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
+- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
++ buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
+ if (buffer == NULL) goto mem_error;
+
+ /*
+@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ if (val != 0) {
+ COPY_BUF(0,buffer,nbchars,val);
+ }
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
+@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ if (ent->content != NULL) {
+ COPY_BUF(0,buffer,nbchars,ent->content[0]);
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ } else {
+@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+- if (nbchars >
+- buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ const xmlChar *cur = ent->name;
+
+ buffer[nbchars++] = '&';
+- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ }
+ for (;i > 0;i--)
+@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ current = rep;
+ while (*current != 0) { /* non input consuming loop */
+ buffer[nbchars++] = *current++;
+- if (nbchars >
+- buffer_size - XML_PARSER_BUFFER_SIZE) {
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ goto int_error;
+ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ } else {
+ COPY_BUF(l,buffer,nbchars,c);
+ str += l;
+- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+- growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
++ growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ }
+ }
+ if (str < last)
+@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ xmlChar limit = 0;
+ xmlChar *buf = NULL;
+ xmlChar *rep = NULL;
+- int len = 0;
+- int buf_size = 0;
++ size_t len = 0;
++ size_t buf_size = 0;
+ int c, l, in_space = 0;
+ xmlChar *current = NULL;
+ xmlEntityPtr ent;
+@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * allocate a translation buffer.
+ */
+ buf_size = XML_PARSER_BUFFER_SIZE;
+- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
++ buf = (xmlChar *) xmlMallocAtomic(buf_size);
+ if (buf == NULL) goto mem_error;
+
+ /*
+@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+
+ if (val == '&') {
+ if (ctxt->replaceEntities) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ buf[len++] = '&';
+@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * The reparsing will be done in xmlStringGetNodeList()
+ * called by the attribute() function in SAX.c
+ */
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ buf[len++] = '&';
+@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ buf[len++] = ';';
+ }
+ } else if (val != 0) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ len += xmlCopyChar(0, &buf[len], val);
+@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ ctxt->nbentities += ent->owner;
+ if ((ent != NULL) &&
+ (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ if ((ctxt->replaceEntities == 0) &&
+@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ current++;
+ } else
+ buf[len++] = *current++;
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ rep = NULL;
+ }
+ } else {
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ if (ent->content != NULL)
+@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ * Just output the reference
+ */
+ buf[len++] = '&';
+- while (len > buf_size - i - 10) {
++ while (len + i + 10 > buf_size) {
+ growBuffer(buf, i + 10);
+ }
+ for (;i > 0;i--)
+@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ if ((len != 0) || (!normalize)) {
+ if ((!normalize) || (!in_space)) {
+ COPY_BUF(l,buf,len,0x20);
+- while (len > buf_size - 10) {
++ while (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else {
+ in_space = 0;
+ COPY_BUF(l,buf,len,c);
+- if (len > buf_size - 10) {
++ if (len + 10 > buf_size) {
+ growBuffer(buf, 10);
+ }
+ }
+@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ }
+ } else
+ NEXT;
+- if (attlen != NULL) *attlen = len;
++
++ /*
++ * There we potentially risk an overflow, don't allow attribute value of
++ * lenght more than INT_MAX it is a very reasonnable assumption !
++ */
++ if (len >= INT_MAX) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++ "AttValue lenght too long\n");
++ goto mem_error;
++ }
++
++ if (attlen != NULL) *attlen = (int) len;
+ return(buf);
+
+ mem_error:
+--
+cgit v0.9.0.2