CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat

Resolves: CVE-2021-45960

expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch

@@ -0,0 +1,59 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   if (nPrefixes) {
+     int j; /* hash table index */
+     unsigned long version = parser->m_nsAttsVersion;
+-    int nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++    /* Detect and prevent invalid shift */
++    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++      return XML_ERROR_NO_MEMORY;
++    }
++
++    unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+     unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+     /* size of hash table must be at least 2 * (# of prefixed attributes) */
+     if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+         ;
+       if (parser->m_nsAttsPower < 3)
+         parser->m_nsAttsPower = 3;
+-      nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++      /* Detect and prevent invalid shift */
++      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++        /* Restore actual size of memory in m_nsAtts */
++        parser->m_nsAttsPower = oldNsAttsPower;
++        return XML_ERROR_NO_MEMORY;
++      }
++
++      nsAttsSize = 1u << parser->m_nsAttsPower;
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++        /* Restore actual size of memory in m_nsAtts */
++        parser->m_nsAttsPower = oldNsAttsPower;
++        return XML_ERROR_NO_MEMORY;
++      }
++#endif
++
+       temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+                                nsAttsSize * sizeof(NS_ATT));
+       if (! temp) {

expat.spec

@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 7%{?dist}
+Release: 8%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -12,6 +12,7 @@ BuildRequires: make
 Patch0:	expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
 Patch1:	expat-2.2.10-Prevent-more-integer-overflows.patch
 Patch2:	expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
+Patch3:	expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -42,6 +43,8 @@ Install it if you need to link statically with expat.
 %patch0 -p1 -b .CVE-2022-23990
 %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
 %patch2 -p1 -b .CVE-2021-46143
+%patch3 -p1 -b .CVE-2021-45960
+
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
 
@@ -78,6 +81,10 @@ make check
 %{_libdir}/lib*.a
 
 %changelog
+* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-8
+- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
+- Resolves: CVE-2021-45960
+
 * Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-7
 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
 - Resolves: CVE-2021-46143

tests/fuzz/runtest.sh

@@ -44,7 +44,7 @@ rlJournalStart
         for i in `seq -w $COUNT`; do
             rlRun "dd if=/dev/urandom of=file$i.xml bs=1024 count=100" \
                     0 "Creating file$i.xml with random content"
-            if ! rlRun "xmlwf file$i.xml"; then 
+            if ! rlRun "xmlwf file$i.xml" 0,2; then 
                 rlFileSubmit "file$i.xml"
             fi
         done