CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
Resolves: CVE-2022-23852
This commit is contained in:
parent
21e8e5c32d
commit
66503cfe5b
@ -0,0 +1,62 @@
|
|||||||
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
||||||
|
index d54af683..5ce31402 100644
|
||||||
|
--- a/lib/xmlparse.c
|
||||||
|
+++ b/lib/xmlparse.c
|
||||||
|
@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
|
||||||
|
keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
|
||||||
|
if (keep > XML_CONTEXT_BYTES)
|
||||||
|
keep = XML_CONTEXT_BYTES;
|
||||||
|
+ /* Detect and prevent integer overflow */
|
||||||
|
+ if (keep > INT_MAX - neededSize) {
|
||||||
|
+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
neededSize += keep;
|
||||||
|
#endif /* defined XML_CONTEXT_BYTES */
|
||||||
|
if (neededSize
|
||||||
|
diff --git a/tests/runtests.c b/tests/runtests.c
|
||||||
|
index e89e8220..579dad1a 100644
|
||||||
|
--- a/tests/runtests.c
|
||||||
|
+++ b/tests/runtests.c
|
||||||
|
@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
|
+/* Test for signed integer overflow CVE-2022-23852 */
|
||||||
|
+#if defined(XML_CONTEXT_BYTES)
|
||||||
|
+START_TEST(test_get_buffer_3_overflow) {
|
||||||
|
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||||
|
+ assert(parser != NULL);
|
||||||
|
+
|
||||||
|
+ const char *const text = "\n";
|
||||||
|
+ const int expectedKeepValue = (int)strlen(text);
|
||||||
|
+
|
||||||
|
+ // After this call, variable "keep" in XML_GetBuffer will
|
||||||
|
+ // have value expectedKeepValue
|
||||||
|
+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
|
||||||
|
+ == XML_STATUS_ERROR)
|
||||||
|
+ xml_failure(parser);
|
||||||
|
+
|
||||||
|
+ assert(expectedKeepValue > 0);
|
||||||
|
+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
|
||||||
|
+ fail("enlarging buffer not failed");
|
||||||
|
+
|
||||||
|
+ XML_ParserFree(parser);
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+#endif // defined(XML_CONTEXT_BYTES)
|
||||||
|
+
|
||||||
|
/* Test position information macros */
|
||||||
|
START_TEST(test_byte_info_at_end) {
|
||||||
|
const char *text = "<doc></doc>";
|
||||||
|
@@ -11731,6 +11755,9 @@ make_suite(void) {
|
||||||
|
tcase_add_test(tc_basic, test_empty_parse);
|
||||||
|
tcase_add_test(tc_basic, test_get_buffer_1);
|
||||||
|
tcase_add_test(tc_basic, test_get_buffer_2);
|
||||||
|
+#if defined(XML_CONTEXT_BYTES)
|
||||||
|
+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
|
||||||
|
+#endif
|
||||||
|
tcase_add_test(tc_basic, test_byte_info_at_end);
|
||||||
|
tcase_add_test(tc_basic, test_byte_info_at_error);
|
||||||
|
tcase_add_test(tc_basic, test_byte_info_at_cdata);
|
||||||
|
|
@ -3,7 +3,7 @@
|
|||||||
Summary: An XML parser library
|
Summary: An XML parser library
|
||||||
Name: expat
|
Name: expat
|
||||||
Version: %(echo %{unversion} | sed 's/_/./g')
|
Version: %(echo %{unversion} | sed 's/_/./g')
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
|
||||||
URL: https://libexpat.github.io/
|
URL: https://libexpat.github.io/
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -13,6 +13,7 @@ Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
|
|||||||
Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
|
Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
|
||||||
Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
|
Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
|
||||||
Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
|
Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
|
||||||
|
Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is expat, the C library for parsing XML, written by James Clark. Expat
|
This is expat, the C library for parsing XML, written by James Clark. Expat
|
||||||
@ -44,6 +45,7 @@ Install it if you need to link statically with expat.
|
|||||||
%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
|
%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
|
||||||
%patch2 -p1 -b .CVE-2021-46143
|
%patch2 -p1 -b .CVE-2021-46143
|
||||||
%patch3 -p1 -b .CVE-2021-45960
|
%patch3 -p1 -b .CVE-2021-45960
|
||||||
|
%patch4 -p1 -b .CVE-2022-23852
|
||||||
|
|
||||||
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
|
||||||
./buildconf.sh
|
./buildconf.sh
|
||||||
@ -81,6 +83,10 @@ make check
|
|||||||
%{_libdir}/lib*.a
|
%{_libdir}/lib*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-9
|
||||||
|
- CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
|
||||||
|
- Resolves: CVE-2022-23852
|
||||||
|
|
||||||
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-8
|
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-8
|
||||||
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
|
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
|
||||||
- Resolves: CVE-2021-45960
|
- Resolves: CVE-2021-45960
|
||||||
|
Loading…
Reference in New Issue
Block a user