-
Notifications
You must be signed in to change notification settings - Fork 3.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #13360 from ja-pa/libxml2-security-fix
libxml2: patch security issues
- Loading branch information
Showing
4 changed files
with
102 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001 | ||
| From: Zhipeng Xie <[email protected]> | ||
| Date: Tue, 20 Aug 2019 16:33:06 +0800 | ||
| Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream | ||
|
|
||
| When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun | ||
| alloc a new schema for ctxt->schema and set vctxt->xsiAssemble | ||
| to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize | ||
| vctxt->xsiAssemble to 0 again which cause the alloced schema | ||
| can not be freed anymore. | ||
|
|
||
| Found with libFuzzer. | ||
|
|
||
| Signed-off-by: Zhipeng Xie <[email protected]> | ||
| --- | ||
| xmlschemas.c | 1 - | ||
| 1 file changed, 1 deletion(-) | ||
|
|
||
| diff --git a/xmlschemas.c b/xmlschemas.c | ||
| index 301c84499..39d92182f 100644 | ||
| --- a/xmlschemas.c | ||
| +++ b/xmlschemas.c | ||
| @@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { | ||
| vctxt->nberrors = 0; | ||
| vctxt->depth = -1; | ||
| vctxt->skipDepth = -1; | ||
| - vctxt->xsiAssemble = 0; | ||
| vctxt->hasKeyrefs = 0; | ||
| #ifdef ENABLE_IDC_NODE_TABLES_TEST | ||
| vctxt->createIDCNodeTables = 1; | ||
| -- | ||
| GitLab | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Wellnhofer <[email protected]> | ||
| Date: Fri, 7 Aug 2020 21:54:27 +0200 | ||
| Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' | ||
|
|
||
| Make sure that truncated UTF-8 sequences don't cause an out-of-bounds | ||
| array access. | ||
|
|
||
| Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for | ||
| the report. | ||
|
|
||
| Fixes #178. | ||
| --- | ||
| xmllint.c | 6 ++++++ | ||
| 1 file changed, 6 insertions(+) | ||
|
|
||
| diff --git a/xmllint.c b/xmllint.c | ||
| index f6a8e4636..c647486f3 100644 | ||
| --- a/xmllint.c | ||
| +++ b/xmllint.c | ||
| @@ -528,6 +528,12 @@ static void | ||
| xmlHTMLEncodeSend(void) { | ||
| char *result; | ||
|
|
||
| + /* | ||
| + * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might | ||
| + * end with a truncated UTF-8 sequence. This is a hack to at least avoid | ||
| + * an out-of-bounds read. | ||
| + */ | ||
| + memset(&buffer[sizeof(buffer)-4], 0, 4); | ||
| result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); | ||
| if (result) { | ||
| xmlGenericError(xmlGenericErrorContext, "%s", result); | ||
| -- | ||
| GitLab | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 | ||
| From: Zhipeng Xie <[email protected]> | ||
| Date: Thu, 12 Dec 2019 17:30:55 +0800 | ||
| Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities | ||
|
|
||
| When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef | ||
| return NULL which cause a infinite loop in xmlStringLenDecodeEntities | ||
|
|
||
| Found with libFuzzer. | ||
|
|
||
| Signed-off-by: Zhipeng Xie <[email protected]> | ||
| --- | ||
| parser.c | 3 ++- | ||
| 1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/parser.c b/parser.c | ||
| index d1c319631..a34bb6cdd 100644 | ||
| --- a/parser.c | ||
| +++ b/parser.c | ||
| @@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, | ||
| else | ||
| c = 0; | ||
| while ((c != 0) && (c != end) && /* non input consuming loop */ | ||
| - (c != end2) && (c != end3)) { | ||
| + (c != end2) && (c != end3) && | ||
| + (ctxt->instate != XML_PARSER_EOF)) { | ||
|
|
||
| if (c == 0) break; | ||
| if ((c == '&') && (str[1] == '#')) { | ||
| -- | ||
| GitLab | ||
|
|