import expat-2.4.7-1.el9
This commit is contained in:
		
							parent
							
								
									13e18f5216
								
							
						
					
					
						commit
						8706028b7e
					
				| @ -1 +1 @@ | |||||||
| a2a0f172dd3346b520918331b7480d4d30557439 SOURCES/expat-2.2.10.tar.gz | d167305ef621c3633a7e2c207fd45bad5653487d SOURCES/expat-2.4.7.tar.gz | ||||||
|  | |||||||
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -1 +1 @@ | |||||||
| SOURCES/expat-2.2.10.tar.gz | SOURCES/expat-2.4.7.tar.gz | ||||||
|  | |||||||
| @ -1,281 +0,0 @@ | |||||||
| From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Tue, 8 Feb 2022 17:37:14 +0100 |  | ||||||
| Subject: [PATCH 1/5] lib: Drop unused macro UTF8_GET_NAMING |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmltok.c | 5 ----- |  | ||||||
|  1 file changed, 5 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmltok.c b/lib/xmltok.c
 |  | ||||||
| index a72200e8..3bddf125 100644
 |  | ||||||
| --- a/lib/xmltok.c
 |  | ||||||
| +++ b/lib/xmltok.c
 |  | ||||||
| @@ -98,11 +98,6 @@
 |  | ||||||
|          + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)]                 \ |  | ||||||
|     & (1u << (((byte)[2]) & 0x1F))) |  | ||||||
|   |  | ||||||
| -#define UTF8_GET_NAMING(pages, p, n)                                           \
 |  | ||||||
| -  ((n) == 2                                                                    \
 |  | ||||||
| -       ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p))                   \
 |  | ||||||
| -       : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
 |  | ||||||
| -
 |  | ||||||
|  /* Detection of invalid UTF-8 sequences is based on Table 3.1B |  | ||||||
|     of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/ |  | ||||||
|     with the additional restriction of not allowing the Unicode |  | ||||||
| 
 |  | ||||||
| From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Tue, 8 Feb 2022 04:32:20 +0100 |  | ||||||
| Subject: [PATCH 2/5] lib: Add missing validation of encoding (CVE-2022-25235) |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmltok_impl.c | 8 ++++++-- |  | ||||||
|  1 file changed, 6 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
 |  | ||||||
| index 0430591b..64a3b2c1 100644
 |  | ||||||
| --- a/lib/xmltok_impl.c
 |  | ||||||
| +++ b/lib/xmltok_impl.c
 |  | ||||||
| @@ -69,7 +69,7 @@
 |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
|      if (end - ptr < n)                                                         \ |  | ||||||
|        return XML_TOK_PARTIAL_CHAR;                                             \ |  | ||||||
| -    if (! IS_NAME_CHAR(enc, ptr, n)) {                                         \
 |  | ||||||
| +    if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) {         \
 |  | ||||||
|        *nextTokPtr = ptr;                                                       \ |  | ||||||
|        return XML_TOK_INVALID;                                                  \ |  | ||||||
|      }                                                                          \ |  | ||||||
| @@ -98,7 +98,7 @@
 |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
|      if (end - ptr < n)                                                         \ |  | ||||||
|        return XML_TOK_PARTIAL_CHAR;                                             \ |  | ||||||
| -    if (! IS_NMSTRT_CHAR(enc, ptr, n)) {                                       \
 |  | ||||||
| +    if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) {       \
 |  | ||||||
|        *nextTokPtr = ptr;                                                       \ |  | ||||||
|        return XML_TOK_INVALID;                                                  \ |  | ||||||
|      }                                                                          \ |  | ||||||
| @@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
 |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
|      if (end - ptr < n)                                                         \ |  | ||||||
|        return XML_TOK_PARTIAL_CHAR;                                             \ |  | ||||||
| +    if (IS_INVALID_CHAR(enc, ptr, n)) {                                        \
 |  | ||||||
| +      *nextTokPtr = ptr;                                                       \
 |  | ||||||
| +      return XML_TOK_INVALID;                                                  \
 |  | ||||||
| +    }                                                                          \
 |  | ||||||
|      if (IS_NMSTRT_CHAR(enc, ptr, n)) {                                         \ |  | ||||||
|        ptr += n;                                                                \ |  | ||||||
|        tok = XML_TOK_NAME;                                                      \ |  | ||||||
| 
 |  | ||||||
| From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Wed, 9 Feb 2022 01:00:38 +0100 |  | ||||||
| Subject: [PATCH 3/5] lib: Add comments to BT_LEAD* cases where encoding has |  | ||||||
|  already been validated |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmltok_impl.c | 10 +++++----- |  | ||||||
|  1 file changed, 5 insertions(+), 5 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
 |  | ||||||
| index 64a3b2c1..84ff35f9 100644
 |  | ||||||
| --- a/lib/xmltok_impl.c
 |  | ||||||
| +++ b/lib/xmltok_impl.c
 |  | ||||||
| @@ -1274,7 +1274,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
 |  | ||||||
|      switch (BYTE_TYPE(enc, ptr)) { |  | ||||||
|  #  define LEAD_CASE(n)                                                         \ |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
| -    ptr += n;                                                                  \
 |  | ||||||
| +    ptr += n; /* NOTE: The encoding has already been validated. */             \
 |  | ||||||
|      break; |  | ||||||
|        LEAD_CASE(2) |  | ||||||
|        LEAD_CASE(3) |  | ||||||
| @@ -1343,7 +1343,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
 |  | ||||||
|      switch (BYTE_TYPE(enc, ptr)) { |  | ||||||
|  #  define LEAD_CASE(n)                                                         \ |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
| -    ptr += n;                                                                  \
 |  | ||||||
| +    ptr += n; /* NOTE: The encoding has already been validated. */             \
 |  | ||||||
|      break; |  | ||||||
|        LEAD_CASE(2) |  | ||||||
|        LEAD_CASE(3) |  | ||||||
| @@ -1522,7 +1522,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
 |  | ||||||
|        state = inName;                                                          \ |  | ||||||
|      } |  | ||||||
|  #  define LEAD_CASE(n)                                                         \ |  | ||||||
| -  case BT_LEAD##n:                                                             \
 |  | ||||||
| +  case BT_LEAD##n: /* NOTE: The encoding has already been validated. */        \
 |  | ||||||
|      START_NAME ptr += (n - MINBPC(enc));                                       \ |  | ||||||
|      break; |  | ||||||
|        LEAD_CASE(2) |  | ||||||
| @@ -1734,7 +1734,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
 |  | ||||||
|      switch (BYTE_TYPE(enc, ptr)) { |  | ||||||
|  #  define LEAD_CASE(n)                                                         \ |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
| -    ptr += n;                                                                  \
 |  | ||||||
| +    ptr += n; /* NOTE: The encoding has already been validated. */             \
 |  | ||||||
|      break; |  | ||||||
|        LEAD_CASE(2) |  | ||||||
|        LEAD_CASE(3) |  | ||||||
| @@ -1779,7 +1779,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
 |  | ||||||
|      switch (BYTE_TYPE(enc, ptr)) { |  | ||||||
|  #  define LEAD_CASE(n)                                                         \ |  | ||||||
|    case BT_LEAD##n:                                                             \ |  | ||||||
| -    ptr += n;                                                                  \
 |  | ||||||
| +    ptr += n; /* NOTE: The encoding has already been validated. */             \
 |  | ||||||
|      pos->columnNumber++;                                                       \ |  | ||||||
|      break; |  | ||||||
|        LEAD_CASE(2) |  | ||||||
| 
 |  | ||||||
| From 6a5510bc6b7efe743356296724e0b38300f05379 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Tue, 8 Feb 2022 04:06:21 +0100 |  | ||||||
| Subject: [PATCH 4/5] tests: Cover missing validation of encoding |  | ||||||
|  (CVE-2022-25235) |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/tests/runtests.c | 109 +++++++++++++++++++++++++++++++++++++++++ |  | ||||||
|  1 file changed, 109 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/tests/runtests.c b/tests/runtests.c
 |  | ||||||
| index bc5344b1..9b155b82 100644
 |  | ||||||
| --- a/tests/runtests.c
 |  | ||||||
| +++ b/tests/runtests.c
 |  | ||||||
| @@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
 |  | ||||||
|  } |  | ||||||
|  END_TEST |  | ||||||
|   |  | ||||||
| +START_TEST(test_utf8_in_start_tags) {
 |  | ||||||
| +  struct test_case {
 |  | ||||||
| +    bool goodName;
 |  | ||||||
| +    bool goodNameStart;
 |  | ||||||
| +    const char *tagName;
 |  | ||||||
| +  };
 |  | ||||||
| +
 |  | ||||||
| +  // The idea with the tests below is this:
 |  | ||||||
| +  // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
 |  | ||||||
| +  // go to isNever and are hence not a concern.
 |  | ||||||
| +  //
 |  | ||||||
| +  // We start with a character that is a valid name character
 |  | ||||||
| +  // (or even name-start character, see XML 1.0r4 spec) and then we flip
 |  | ||||||
| +  // single bits at places where (1) the result leaves the UTF-8 encoding space
 |  | ||||||
| +  // and (2) we stay in the same n-byte sequence family.
 |  | ||||||
| +  //
 |  | ||||||
| +  // The flipped bits are highlighted in angle brackets in comments,
 |  | ||||||
| +  // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
 |  | ||||||
| +  // the most significant bit to 1 to leave UTF-8 encoding space.
 |  | ||||||
| +  struct test_case cases[] = {
 |  | ||||||
| +      // 1-byte UTF-8: [0xxx xxxx]
 |  | ||||||
| +      {true, true, "\x3A"},   // [0011 1010] = ASCII colon ':'
 |  | ||||||
| +      {false, false, "\xBA"}, // [<1>011 1010]
 |  | ||||||
| +      {true, false, "\x39"},  // [0011 1001] = ASCII nine '9'
 |  | ||||||
| +      {false, false, "\xB9"}, // [<1>011 1001]
 |  | ||||||
| +
 |  | ||||||
| +      // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
 |  | ||||||
| +      {true, true, "\xDB\xA5"},   // [1101 1011] [1010 0101] =
 |  | ||||||
| +                                  // Arabic small waw U+06E5
 |  | ||||||
| +      {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
 |  | ||||||
| +      {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
 |  | ||||||
| +      {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
 |  | ||||||
| +      {true, false, "\xCC\x81"},  // [1100 1100] [1000 0001] =
 |  | ||||||
| +                                  // combining char U+0301
 |  | ||||||
| +      {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
 |  | ||||||
| +      {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
 |  | ||||||
| +      {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
 |  | ||||||
| +
 |  | ||||||
| +      // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
 |  | ||||||
| +      {true, true, "\xE0\xA4\x85"},   // [1110 0000] [1010 0100] [1000 0101] =
 |  | ||||||
| +                                      // Devanagari Letter A U+0905
 |  | ||||||
| +      {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
 |  | ||||||
| +      {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
 |  | ||||||
| +      {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
 |  | ||||||
| +      {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
 |  | ||||||
| +      {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
 |  | ||||||
| +      {true, false, "\xE0\xA4\x81"},  // [1110 0000] [1010 0100] [1000 0001] =
 |  | ||||||
| +                                      // combining char U+0901
 |  | ||||||
| +      {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
 |  | ||||||
| +      {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
 |  | ||||||
| +      {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
 |  | ||||||
| +      {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
 |  | ||||||
| +      {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
 |  | ||||||
| +  };
 |  | ||||||
| +  const bool atNameStart[] = {true, false};
 |  | ||||||
| +
 |  | ||||||
| +  size_t i = 0;
 |  | ||||||
| +  char doc[1024];
 |  | ||||||
| +  size_t failCount = 0;
 |  | ||||||
| +
 |  | ||||||
| +  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
 |  | ||||||
| +    size_t j = 0;
 |  | ||||||
| +    for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
 |  | ||||||
| +      const bool expectedSuccess
 |  | ||||||
| +          = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
 |  | ||||||
| +      sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
 |  | ||||||
| +      XML_Parser parser = XML_ParserCreate(NULL);
 |  | ||||||
| +
 |  | ||||||
| +      const enum XML_Status status
 |  | ||||||
| +          = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
 |  | ||||||
| +
 |  | ||||||
| +      bool success = true;
 |  | ||||||
| +      if ((status == XML_STATUS_OK) != expectedSuccess) {
 |  | ||||||
| +        success = false;
 |  | ||||||
| +      }
 |  | ||||||
| +      if ((status == XML_STATUS_ERROR)
 |  | ||||||
| +          && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
 |  | ||||||
| +        success = false;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
| +      if (! success) {
 |  | ||||||
| +        fprintf(
 |  | ||||||
| +            stderr,
 |  | ||||||
| +            "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
 |  | ||||||
| +            (unsigned)i + 1u, atNameStart[j] ? "    " : "not ",
 |  | ||||||
| +            (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
 |  | ||||||
| +        failCount++;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
| +      XML_ParserFree(parser);
 |  | ||||||
| +    }
 |  | ||||||
| +  }
 |  | ||||||
| +
 |  | ||||||
| +  if (failCount > 0) {
 |  | ||||||
| +    fail("UTF-8 regression detected");
 |  | ||||||
| +  }
 |  | ||||||
| +}
 |  | ||||||
| +END_TEST
 |  | ||||||
| +
 |  | ||||||
|  /* Test trailing spaces in elements are accepted */ |  | ||||||
|  static void XMLCALL |  | ||||||
|  record_element_end_handler(void *userData, const XML_Char *name) { |  | ||||||
| @@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
 |  | ||||||
|  } |  | ||||||
|  END_TEST |  | ||||||
|   |  | ||||||
| +START_TEST(test_bad_doctype_utf8) {
 |  | ||||||
| +  const char *text = "<!DOCTYPE \xDB\x25"
 |  | ||||||
| +                     "doc><doc/>"; // [1101 1011] [<0>010 0101]
 |  | ||||||
| +  expect_failure(text, XML_ERROR_INVALID_TOKEN,
 |  | ||||||
| +                 "Invalid UTF-8 in DOCTYPE not faulted");
 |  | ||||||
| +}
 |  | ||||||
| +END_TEST
 |  | ||||||
| +
 |  | ||||||
|  START_TEST(test_bad_doctype_utf16) { |  | ||||||
|    const char text[] = |  | ||||||
|        /* <!DOCTYPE doc [ \x06f2 ]><doc/> |  | ||||||
| @@ -11870,6 +11977,7 @@ make_suite(void) {
 |  | ||||||
|    tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom); |  | ||||||
|    tcase_add_test(tc_basic, test_utf8_in_cdata_section); |  | ||||||
|    tcase_add_test(tc_basic, test_utf8_in_cdata_section_2); |  | ||||||
| +  tcase_add_test(tc_basic, test_utf8_in_start_tags);
 |  | ||||||
|    tcase_add_test(tc_basic, test_trailing_spaces_in_elements); |  | ||||||
|    tcase_add_test(tc_basic, test_utf16_attribute); |  | ||||||
|    tcase_add_test(tc_basic, test_utf16_second_attr); |  | ||||||
| @@ -11878,6 +11986,7 @@ make_suite(void) {
 |  | ||||||
|    tcase_add_test(tc_basic, test_bad_attr_desc_keyword); |  | ||||||
|    tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16); |  | ||||||
|    tcase_add_test(tc_basic, test_bad_doctype); |  | ||||||
| +  tcase_add_test(tc_basic, test_bad_doctype_utf8);
 |  | ||||||
|    tcase_add_test(tc_basic, test_bad_doctype_utf16); |  | ||||||
|    tcase_add_test(tc_basic, test_bad_doctype_plus); |  | ||||||
|    tcase_add_test(tc_basic, test_bad_doctype_star); |  | ||||||
| 
 |  | ||||||
| @ -1,62 +0,0 @@ | |||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index d54af683..5ce31402 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
 |  | ||||||
|      keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); |  | ||||||
|      if (keep > XML_CONTEXT_BYTES) |  | ||||||
|        keep = XML_CONTEXT_BYTES; |  | ||||||
| +    /* Detect and prevent integer overflow */
 |  | ||||||
| +    if (keep > INT_MAX - neededSize) {
 |  | ||||||
| +      parser->m_errorCode = XML_ERROR_NO_MEMORY;
 |  | ||||||
| +      return NULL;
 |  | ||||||
| +    }
 |  | ||||||
|      neededSize += keep; |  | ||||||
|  #endif /* defined XML_CONTEXT_BYTES */ |  | ||||||
|      if (neededSize |  | ||||||
| diff --git a/tests/runtests.c b/tests/runtests.c
 |  | ||||||
| index e89e8220..579dad1a 100644
 |  | ||||||
| --- a/tests/runtests.c
 |  | ||||||
| +++ b/tests/runtests.c
 |  | ||||||
| @@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
 |  | ||||||
|  } |  | ||||||
|  END_TEST |  | ||||||
|   |  | ||||||
| +/* Test for signed integer overflow CVE-2022-23852 */
 |  | ||||||
| +#if defined(XML_CONTEXT_BYTES)
 |  | ||||||
| +START_TEST(test_get_buffer_3_overflow) {
 |  | ||||||
| +  XML_Parser parser = XML_ParserCreate(NULL);
 |  | ||||||
| +  assert(parser != NULL);
 |  | ||||||
| +
 |  | ||||||
| +  const char *const text = "\n";
 |  | ||||||
| +  const int expectedKeepValue = (int)strlen(text);
 |  | ||||||
| +
 |  | ||||||
| +  // After this call, variable "keep" in XML_GetBuffer will
 |  | ||||||
| +  // have value expectedKeepValue
 |  | ||||||
| +  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
 |  | ||||||
| +      == XML_STATUS_ERROR)
 |  | ||||||
| +    xml_failure(parser);
 |  | ||||||
| +
 |  | ||||||
| +  assert(expectedKeepValue > 0);
 |  | ||||||
| +  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
 |  | ||||||
| +    fail("enlarging buffer not failed");
 |  | ||||||
| +
 |  | ||||||
| +  XML_ParserFree(parser);
 |  | ||||||
| +}
 |  | ||||||
| +END_TEST
 |  | ||||||
| +#endif // defined(XML_CONTEXT_BYTES)
 |  | ||||||
| +
 |  | ||||||
|  /* Test position information macros */ |  | ||||||
|  START_TEST(test_byte_info_at_end) { |  | ||||||
|    const char *text = "<doc></doc>"; |  | ||||||
| @@ -11731,6 +11755,9 @@ make_suite(void) {
 |  | ||||||
|    tcase_add_test(tc_basic, test_empty_parse); |  | ||||||
|    tcase_add_test(tc_basic, test_get_buffer_1); |  | ||||||
|    tcase_add_test(tc_basic, test_get_buffer_2); |  | ||||||
| +#if defined(XML_CONTEXT_BYTES)
 |  | ||||||
| +  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
 |  | ||||||
| +#endif
 |  | ||||||
|    tcase_add_test(tc_basic, test_byte_info_at_end); |  | ||||||
|    tcase_add_test(tc_basic, test_byte_info_at_error); |  | ||||||
|    tcase_add_test(tc_basic, test_byte_info_at_cdata); |  | ||||||
| 
 |  | ||||||
| @ -1,59 +0,0 @@ | |||||||
| From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Mon, 27 Dec 2021 20:15:02 +0100 |  | ||||||
| Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function |  | ||||||
|  storeAtts (CVE-2021-45960) |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++-- |  | ||||||
|  1 file changed, 29 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index d730f41c3..b47c31b05 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|    if (nPrefixes) { |  | ||||||
|      int j; /* hash table index */ |  | ||||||
|      unsigned long version = parser->m_nsAttsVersion; |  | ||||||
| -    int nsAttsSize = (int)1 << parser->m_nsAttsPower;
 |  | ||||||
| +
 |  | ||||||
| +    /* Detect and prevent invalid shift */
 |  | ||||||
| +    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
| +    unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
 |  | ||||||
|      unsigned char oldNsAttsPower = parser->m_nsAttsPower; |  | ||||||
|      /* size of hash table must be at least 2 * (# of prefixed attributes) */ |  | ||||||
|      if ((nPrefixes << 1) |  | ||||||
| @@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|          ; |  | ||||||
|        if (parser->m_nsAttsPower < 3) |  | ||||||
|          parser->m_nsAttsPower = 3; |  | ||||||
| -      nsAttsSize = (int)1 << parser->m_nsAttsPower;
 |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent invalid shift */
 |  | ||||||
| +      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
 |  | ||||||
| +        /* Restore actual size of memory in m_nsAtts */
 |  | ||||||
| +        parser->m_nsAttsPower = oldNsAttsPower;
 |  | ||||||
| +        return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
| +      nsAttsSize = 1u << parser->m_nsAttsPower;
 |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent integer overflow.
 |  | ||||||
| +       * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +       * from -Wtype-limits on platforms where
 |  | ||||||
| +       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
 |  | ||||||
| +        /* Restore actual size of memory in m_nsAtts */
 |  | ||||||
| +        parser->m_nsAttsPower = oldNsAttsPower;
 |  | ||||||
| +        return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +      }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|        temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts, |  | ||||||
|                                 nsAttsSize * sizeof(NS_ATT)); |  | ||||||
|        if (! temp) { |  | ||||||
| @ -1,139 +0,0 @@ | |||||||
| From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Samanta Navarro <ferivoz@riseup.net> |  | ||||||
| Date: Tue, 15 Feb 2022 11:55:46 +0000 |  | ||||||
| Subject: [PATCH] Prevent integer overflow in storeRawNames |  | ||||||
| 
 |  | ||||||
| It is possible to use an integer overflow in storeRawNames for out of |  | ||||||
| boundary heap writes. Default configuration is affected. If compiled |  | ||||||
| with XML_UNICODE then the attack does not work. Compiling with |  | ||||||
| -fsanitize=address confirms the following proof of concept.
 |  | ||||||
| 
 |  | ||||||
| The problem can be exploited by abusing the m_buffer expansion logic. |  | ||||||
| Even though the initial size of m_buffer is a power of two, eventually |  | ||||||
| it can end up a little bit lower, thus allowing allocations very close |  | ||||||
| to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag |  | ||||||
| names can be parsed which are almost INT_MAX in size. |  | ||||||
| 
 |  | ||||||
| Unfortunately (from an attacker point of view) INT_MAX/2 is also a |  | ||||||
| limitation in string pools. Having a tag name of INT_MAX/2 characters |  | ||||||
| or more is not possible. |  | ||||||
| 
 |  | ||||||
| Expat can convert between different encodings. UTF-16 documents which |  | ||||||
| contain only ASCII representable characters are twice as large as their |  | ||||||
| ASCII encoded counter-parts. |  | ||||||
| 
 |  | ||||||
| The proof of concept works by taking these three considerations into |  | ||||||
| account: |  | ||||||
| 
 |  | ||||||
| 1. Move the m_buffer size slightly below a power of two by having a |  | ||||||
|    short root node <a>. This allows the m_buffer to grow very close |  | ||||||
|    to INT_MAX. |  | ||||||
| 2. The string pooling forbids tag names longer than or equal to |  | ||||||
|    INT_MAX/2, so keep the attack tag name smaller than that. |  | ||||||
| 3. To be able to still overflow INT_MAX even though the name is |  | ||||||
|    limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag |  | ||||||
|    which only contains ASCII characters. UTF-16 always stores two |  | ||||||
|    bytes per character while the tag name is converted to using only |  | ||||||
|    one. Our attack node byte count must be a bit higher than |  | ||||||
|    2/3 INT_MAX so the converted tag name is around INT_MAX/3 which |  | ||||||
|    in sum can overflow INT_MAX. |  | ||||||
| 
 |  | ||||||
| Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes |  | ||||||
| without running into INT_MAX boundary check. The string pooling is |  | ||||||
| able to store INT_MAX/3 as tag name because the amount is below |  | ||||||
| INT_MAX/2 limitation. And creating the sum of both eventually overflows |  | ||||||
| in storeRawNames. |  | ||||||
| 
 |  | ||||||
| Proof of Concept: |  | ||||||
| 
 |  | ||||||
| 1. Compile expat with -fsanitize=address. |  | ||||||
| 
 |  | ||||||
| 2. Create Proof of Concept binary which iterates through input |  | ||||||
|    file 16 MB at once for better performance and easier integer |  | ||||||
|    calculations: |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| cat > poc.c << EOF |  | ||||||
|  #include <err.h> |  | ||||||
|  #include <expat.h> |  | ||||||
|  #include <stdlib.h> |  | ||||||
|  #include <stdio.h> |  | ||||||
| 
 |  | ||||||
|  #define CHUNK (16 * 1024 * 1024) |  | ||||||
|  int main(int argc, char *argv[]) { |  | ||||||
|    XML_Parser parser; |  | ||||||
|    FILE *fp; |  | ||||||
|    char *buf; |  | ||||||
|    int i; |  | ||||||
| 
 |  | ||||||
|    if (argc != 2) |  | ||||||
|      errx(1, "usage: poc file.xml"); |  | ||||||
|    if ((parser = XML_ParserCreate(NULL)) == NULL) |  | ||||||
|      errx(1, "failed to create expat parser"); |  | ||||||
|    if ((fp = fopen(argv[1], "r")) == NULL) { |  | ||||||
|      XML_ParserFree(parser); |  | ||||||
|      err(1, "failed to open file"); |  | ||||||
|    } |  | ||||||
|    if ((buf = malloc(CHUNK)) == NULL) { |  | ||||||
|      fclose(fp); |  | ||||||
|      XML_ParserFree(parser); |  | ||||||
|      err(1, "failed to allocate buffer"); |  | ||||||
|    } |  | ||||||
|    i = 0; |  | ||||||
|    while (fread(buf, CHUNK, 1, fp) == 1) { |  | ||||||
|      printf("iteration %d: XML_Parse returns %d\n", ++i, |  | ||||||
|        XML_Parse(parser, buf, CHUNK, XML_FALSE)); |  | ||||||
|    } |  | ||||||
|    free(buf); |  | ||||||
|    fclose(fp); |  | ||||||
|    XML_ParserFree(parser); |  | ||||||
|    return 0; |  | ||||||
|  } |  | ||||||
| EOF |  | ||||||
| gcc -fsanitize=address -lexpat -o poc poc.c |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| 3. Construct specially prepared UTF-16 XML file: |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml |  | ||||||
| echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml |  | ||||||
| echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368 |  | ||||||
| iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| 4. Run proof of concept: |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| ./poc poc-utf16.xml |  | ||||||
| ``` |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmlparse.c | 7 ++++++- |  | ||||||
|  1 file changed, 6 insertions(+), 1 deletion(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index 4b43e613..f34d6ab5 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
 |  | ||||||
|    while (tag) { |  | ||||||
|      int bufSize; |  | ||||||
|      int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); |  | ||||||
| +    size_t rawNameLen;
 |  | ||||||
|      char *rawNameBuf = tag->buf + nameLen; |  | ||||||
|      /* Stop if already stored.  Since m_tagStack is a stack, we can stop |  | ||||||
|         at the first entry that has already been copied; everything |  | ||||||
| @@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
 |  | ||||||
|      /* For re-use purposes we need to ensure that the |  | ||||||
|         size of tag->buf is a multiple of sizeof(XML_Char). |  | ||||||
|      */ |  | ||||||
| -    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
 |  | ||||||
| +    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
 |  | ||||||
| +    /* Detect and prevent integer overflow. */
 |  | ||||||
| +    if (rawNameLen > (size_t)INT_MAX - nameLen)
 |  | ||||||
| +      return XML_FALSE;
 |  | ||||||
| +    bufSize = nameLen + (int)rawNameLen;
 |  | ||||||
|      if (bufSize > tag->bufEnd - tag->buf) { |  | ||||||
|        char *temp = (char *)REALLOC(parser, tag->buf, bufSize); |  | ||||||
|        if (temp == NULL) |  | ||||||
| 
 |  | ||||||
| @ -1,43 +0,0 @@ | |||||||
| From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Sat, 25 Dec 2021 20:52:08 +0100 |  | ||||||
| Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function |  | ||||||
|  doProlog (CVE-2021-46143) |  | ||||||
| 
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmlparse.c | 15 +++++++++++++++ |  | ||||||
|  1 file changed, 15 insertions(+) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index b47c31b0..8f243126 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
 |  | ||||||
|        if (parser->m_prologState.level >= parser->m_groupSize) { |  | ||||||
|          if (parser->m_groupSize) { |  | ||||||
|            { |  | ||||||
| +            /* Detect and prevent integer overflow */
 |  | ||||||
| +            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
 |  | ||||||
| +              return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +            }
 |  | ||||||
| +
 |  | ||||||
|              char *const new_connector = (char *)REALLOC( |  | ||||||
|                  parser, parser->m_groupConnector, parser->m_groupSize *= 2); |  | ||||||
|              if (new_connector == NULL) { |  | ||||||
| @@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
 |  | ||||||
|            } |  | ||||||
|   |  | ||||||
|            if (dtd->scaffIndex) { |  | ||||||
| +            /* Detect and prevent integer overflow.
 |  | ||||||
| +             * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +             * from -Wtype-limits on platforms where
 |  | ||||||
| +             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
 |  | ||||||
| +              return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +            }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|              int *const new_scaff_index = (int *)REALLOC( |  | ||||||
|                  parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int)); |  | ||||||
|              if (new_scaff_index == NULL) |  | ||||||
| @ -1,250 +0,0 @@ | |||||||
| From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Thu, 30 Dec 2021 22:46:03 +0100 |  | ||||||
| Subject: [PATCH] lib: Prevent integer overflow at multiple places |  | ||||||
|  (CVE-2022-22822 to CVE-2022-22827) |  | ||||||
| 
 |  | ||||||
| The involved functions are: |  | ||||||
| - addBinding (CVE-2022-22822)
 |  | ||||||
| - build_model (CVE-2022-22823)
 |  | ||||||
| - defineAttribute (CVE-2022-22824)
 |  | ||||||
| - lookup (CVE-2022-22825)
 |  | ||||||
| - nextScaffoldPart (CVE-2022-22826)
 |  | ||||||
| - storeAtts (CVE-2022-22827)
 |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++- |  | ||||||
|  1 file changed, 151 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index 8f243126..575e73ee 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|   |  | ||||||
|    /* get the attributes from the tokenizer */ |  | ||||||
|    n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts); |  | ||||||
| +
 |  | ||||||
| +  /* Detect and prevent integer overflow */
 |  | ||||||
| +  if (n > INT_MAX - nDefaultAtts) {
 |  | ||||||
| +    return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +  }
 |  | ||||||
| +
 |  | ||||||
|    if (n + nDefaultAtts > parser->m_attsSize) { |  | ||||||
|      int oldAttsSize = parser->m_attsSize; |  | ||||||
|      ATTRIBUTE *temp; |  | ||||||
|  #ifdef XML_ATTR_INFO |  | ||||||
|      XML_AttrInfo *temp2; |  | ||||||
|  #endif |  | ||||||
| +
 |  | ||||||
| +    /* Detect and prevent integer overflow */
 |  | ||||||
| +    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
 |  | ||||||
| +        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +
 |  | ||||||
|      parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; |  | ||||||
| +
 |  | ||||||
| +    /* Detect and prevent integer overflow.
 |  | ||||||
| +     * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +     * from -Wtype-limits on platforms where
 |  | ||||||
| +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
 |  | ||||||
| +      parser->m_attsSize = oldAttsSize;
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|      temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, |  | ||||||
|                                  parser->m_attsSize * sizeof(ATTRIBUTE)); |  | ||||||
|      if (temp == NULL) { |  | ||||||
| @@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|      } |  | ||||||
|      parser->m_atts = temp; |  | ||||||
|  #ifdef XML_ATTR_INFO |  | ||||||
| +    /* Detect and prevent integer overflow.
 |  | ||||||
| +     * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +     * from -Wtype-limits on platforms where
 |  | ||||||
| +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#  if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
 |  | ||||||
| +      parser->m_attsSize = oldAttsSize;
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +#  endif
 |  | ||||||
| +
 |  | ||||||
|      temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, |  | ||||||
|                                      parser->m_attsSize * sizeof(XML_AttrInfo)); |  | ||||||
|      if (temp2 == NULL) { |  | ||||||
| @@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|    tagNamePtr->prefixLen = prefixLen; |  | ||||||
|    for (i = 0; localPart[i++];) |  | ||||||
|      ; /* i includes null terminator */ |  | ||||||
| +
 |  | ||||||
| +  /* Detect and prevent integer overflow */
 |  | ||||||
| +  if (binding->uriLen > INT_MAX - prefixLen
 |  | ||||||
| +      || i > INT_MAX - (binding->uriLen + prefixLen)) {
 |  | ||||||
| +    return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +  }
 |  | ||||||
| +
 |  | ||||||
|    n = i + binding->uriLen + prefixLen; |  | ||||||
|    if (n > binding->uriAlloc) { |  | ||||||
|      TAG *p; |  | ||||||
| +
 |  | ||||||
| +    /* Detect and prevent integer overflow */
 |  | ||||||
| +    if (n > INT_MAX - EXPAND_SPARE) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +    /* Detect and prevent integer overflow.
 |  | ||||||
| +     * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +     * from -Wtype-limits on platforms where
 |  | ||||||
| +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|      uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char)); |  | ||||||
|      if (! uri) |  | ||||||
|        return XML_ERROR_NO_MEMORY; |  | ||||||
| @@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
 |  | ||||||
|    if (parser->m_freeBindingList) { |  | ||||||
|      b = parser->m_freeBindingList; |  | ||||||
|      if (len > b->uriAlloc) { |  | ||||||
| +      /* Detect and prevent integer overflow */
 |  | ||||||
| +      if (len > INT_MAX - EXPAND_SPARE) {
 |  | ||||||
| +        return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent integer overflow.
 |  | ||||||
| +       * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +       * from -Wtype-limits on platforms where
 |  | ||||||
| +       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
 |  | ||||||
| +        return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +      }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|        XML_Char *temp = (XML_Char *)REALLOC( |  | ||||||
|            parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); |  | ||||||
|        if (temp == NULL) |  | ||||||
| @@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
 |  | ||||||
|      b = (BINDING *)MALLOC(parser, sizeof(BINDING)); |  | ||||||
|      if (! b) |  | ||||||
|        return XML_ERROR_NO_MEMORY; |  | ||||||
| +
 |  | ||||||
| +    /* Detect and prevent integer overflow */
 |  | ||||||
| +    if (len > INT_MAX - EXPAND_SPARE) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +    /* Detect and prevent integer overflow.
 |  | ||||||
| +     * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +     * from -Wtype-limits on platforms where
 |  | ||||||
| +     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
 |  | ||||||
| +      return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +    }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|      b->uri |  | ||||||
|          = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE)); |  | ||||||
|      if (! b->uri) { |  | ||||||
| @@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
 |  | ||||||
|        } |  | ||||||
|      } else { |  | ||||||
|        DEFAULT_ATTRIBUTE *temp; |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent integer overflow */
 |  | ||||||
| +      if (type->allocDefaultAtts > INT_MAX / 2) {
 |  | ||||||
| +        return 0;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
|        int count = type->allocDefaultAtts * 2; |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent integer overflow.
 |  | ||||||
| +       * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +       * from -Wtype-limits on platforms where
 |  | ||||||
| +       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
 |  | ||||||
| +        return 0;
 |  | ||||||
| +      }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|        temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts, |  | ||||||
|                                            (count * sizeof(DEFAULT_ATTRIBUTE))); |  | ||||||
|        if (temp == NULL) |  | ||||||
| @@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
 |  | ||||||
|      /* check for overflow (table is half full) */ |  | ||||||
|      if (table->used >> (table->power - 1)) { |  | ||||||
|        unsigned char newPower = table->power + 1; |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent invalid shift */
 |  | ||||||
| +      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
 |  | ||||||
| +        return NULL;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
|        size_t newSize = (size_t)1 << newPower; |  | ||||||
|        unsigned long newMask = (unsigned long)newSize - 1; |  | ||||||
| +
 |  | ||||||
| +      /* Detect and prevent integer overflow */
 |  | ||||||
| +      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
 |  | ||||||
| +        return NULL;
 |  | ||||||
| +      }
 |  | ||||||
| +
 |  | ||||||
|        size_t tsize = newSize * sizeof(NAMED *); |  | ||||||
|        NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); |  | ||||||
|        if (! newV) |  | ||||||
| @@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
 |  | ||||||
|    if (dtd->scaffCount >= dtd->scaffSize) { |  | ||||||
|      CONTENT_SCAFFOLD *temp; |  | ||||||
|      if (dtd->scaffold) { |  | ||||||
| +      /* Detect and prevent integer overflow */
 |  | ||||||
| +      if (dtd->scaffSize > UINT_MAX / 2u) {
 |  | ||||||
| +        return -1;
 |  | ||||||
| +      }
 |  | ||||||
| +      /* Detect and prevent integer overflow.
 |  | ||||||
| +       * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +       * from -Wtype-limits on platforms where
 |  | ||||||
| +       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
 |  | ||||||
| +        return -1;
 |  | ||||||
| +      }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|        temp = (CONTENT_SCAFFOLD *)REALLOC( |  | ||||||
|            parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); |  | ||||||
|        if (temp == NULL) |  | ||||||
| @@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
 |  | ||||||
|    XML_Content *ret; |  | ||||||
|    XML_Content *cpos; |  | ||||||
|    XML_Char *str; |  | ||||||
| -  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
 |  | ||||||
| -                   + (dtd->contentStringLen * sizeof(XML_Char)));
 |  | ||||||
| +
 |  | ||||||
| +  /* Detect and prevent integer overflow.
 |  | ||||||
| +   * The preprocessor guard addresses the "always false" warning
 |  | ||||||
| +   * from -Wtype-limits on platforms where
 |  | ||||||
| +   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 |  | ||||||
| +#if UINT_MAX >= SIZE_MAX
 |  | ||||||
| +  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
 |  | ||||||
| +    return NULL;
 |  | ||||||
| +  }
 |  | ||||||
| +  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
 |  | ||||||
| +    return NULL;
 |  | ||||||
| +  }
 |  | ||||||
| +#endif
 |  | ||||||
| +  if (dtd->scaffCount * sizeof(XML_Content)
 |  | ||||||
| +      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
 |  | ||||||
| +    return NULL;
 |  | ||||||
| +  }
 |  | ||||||
| +
 |  | ||||||
| +  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
 |  | ||||||
| +                            + (dtd->contentStringLen * sizeof(XML_Char)));
 |  | ||||||
|   |  | ||||||
|    ret = (XML_Content *)MALLOC(parser, allocsize); |  | ||||||
|    if (! ret) |  | ||||||
| @ -1,228 +0,0 @@ | |||||||
| commit 5c47ae80738d0985babf06a023b3845169682064 |  | ||||||
| Author: Tomas Korbar <tkorbar@redhat.com> |  | ||||||
| Date:   Mon Mar 14 10:22:37 2022 +0100 |  | ||||||
| 
 |  | ||||||
|     Protect against malicious namespace declarations |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index 5c3f573..901abbf 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -638,8 +638,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
 |  | ||||||
|   |  | ||||||
|  XML_Parser XMLCALL |  | ||||||
|  XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) { |  | ||||||
| -  XML_Char tmp[2];
 |  | ||||||
| -  *tmp = nsSep;
 |  | ||||||
| +  XML_Char tmp[2] = {nsSep, 0};
 |  | ||||||
|    return XML_ParserCreate_MM(encodingName, NULL, tmp); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -1253,8 +1252,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
 |  | ||||||
|       would be otherwise. |  | ||||||
|    */ |  | ||||||
|    if (parser->m_ns) { |  | ||||||
| -    XML_Char tmp[2];
 |  | ||||||
| -    *tmp = parser->m_namespaceSeparator;
 |  | ||||||
| +    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
 |  | ||||||
|      parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd); |  | ||||||
|    } else { |  | ||||||
|      parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd); |  | ||||||
| @@ -3526,6 +3524,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
 |  | ||||||
|    return XML_ERROR_NONE; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +static XML_Bool
 |  | ||||||
| +is_rfc3986_uri_char(XML_Char candidate) {
 |  | ||||||
| +  // For the RFC 3986 ANBF grammar see
 |  | ||||||
| +  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
 |  | ||||||
| +
 |  | ||||||
| +  switch (candidate) {
 |  | ||||||
| +  // From rule "ALPHA" (uppercase half)
 |  | ||||||
| +  case 'A':
 |  | ||||||
| +  case 'B':
 |  | ||||||
| +  case 'C':
 |  | ||||||
| +  case 'D':
 |  | ||||||
| +  case 'E':
 |  | ||||||
| +  case 'F':
 |  | ||||||
| +  case 'G':
 |  | ||||||
| +  case 'H':
 |  | ||||||
| +  case 'I':
 |  | ||||||
| +  case 'J':
 |  | ||||||
| +  case 'K':
 |  | ||||||
| +  case 'L':
 |  | ||||||
| +  case 'M':
 |  | ||||||
| +  case 'N':
 |  | ||||||
| +  case 'O':
 |  | ||||||
| +  case 'P':
 |  | ||||||
| +  case 'Q':
 |  | ||||||
| +  case 'R':
 |  | ||||||
| +  case 'S':
 |  | ||||||
| +  case 'T':
 |  | ||||||
| +  case 'U':
 |  | ||||||
| +  case 'V':
 |  | ||||||
| +  case 'W':
 |  | ||||||
| +  case 'X':
 |  | ||||||
| +  case 'Y':
 |  | ||||||
| +  case 'Z':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "ALPHA" (lowercase half)
 |  | ||||||
| +  case 'a':
 |  | ||||||
| +  case 'b':
 |  | ||||||
| +  case 'c':
 |  | ||||||
| +  case 'd':
 |  | ||||||
| +  case 'e':
 |  | ||||||
| +  case 'f':
 |  | ||||||
| +  case 'g':
 |  | ||||||
| +  case 'h':
 |  | ||||||
| +  case 'i':
 |  | ||||||
| +  case 'j':
 |  | ||||||
| +  case 'k':
 |  | ||||||
| +  case 'l':
 |  | ||||||
| +  case 'm':
 |  | ||||||
| +  case 'n':
 |  | ||||||
| +  case 'o':
 |  | ||||||
| +  case 'p':
 |  | ||||||
| +  case 'q':
 |  | ||||||
| +  case 'r':
 |  | ||||||
| +  case 's':
 |  | ||||||
| +  case 't':
 |  | ||||||
| +  case 'u':
 |  | ||||||
| +  case 'v':
 |  | ||||||
| +  case 'w':
 |  | ||||||
| +  case 'x':
 |  | ||||||
| +  case 'y':
 |  | ||||||
| +  case 'z':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "DIGIT"
 |  | ||||||
| +  case '0':
 |  | ||||||
| +  case '1':
 |  | ||||||
| +  case '2':
 |  | ||||||
| +  case '3':
 |  | ||||||
| +  case '4':
 |  | ||||||
| +  case '5':
 |  | ||||||
| +  case '6':
 |  | ||||||
| +  case '7':
 |  | ||||||
| +  case '8':
 |  | ||||||
| +  case '9':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "pct-encoded"
 |  | ||||||
| +  case '%':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "unreserved"
 |  | ||||||
| +  case '-':
 |  | ||||||
| +  case '.':
 |  | ||||||
| +  case '_':
 |  | ||||||
| +  case '~':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "gen-delims"
 |  | ||||||
| +  case ':':
 |  | ||||||
| +  case '/':
 |  | ||||||
| +  case '?':
 |  | ||||||
| +  case '#':
 |  | ||||||
| +  case '[':
 |  | ||||||
| +  case ']':
 |  | ||||||
| +  case '@':
 |  | ||||||
| +
 |  | ||||||
| +  // From rule "sub-delims"
 |  | ||||||
| +  case '!':
 |  | ||||||
| +  case '$':
 |  | ||||||
| +  case '&':
 |  | ||||||
| +  case '\'':
 |  | ||||||
| +  case '(':
 |  | ||||||
| +  case ')':
 |  | ||||||
| +  case '*':
 |  | ||||||
| +  case '+':
 |  | ||||||
| +  case ',':
 |  | ||||||
| +  case ';':
 |  | ||||||
| +  case '=':
 |  | ||||||
| +    return XML_TRUE;
 |  | ||||||
| +
 |  | ||||||
| +  default:
 |  | ||||||
| +    return XML_FALSE;
 |  | ||||||
| +  }
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  /* addBinding() overwrites the value of prefix->binding without checking. |  | ||||||
|     Therefore one must keep track of the old value outside of addBinding(). |  | ||||||
|  */ |  | ||||||
| @@ -3581,6 +3690,29 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
 |  | ||||||
|      if (! mustBeXML && isXMLNS |  | ||||||
|          && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) |  | ||||||
|        isXMLNS = XML_FALSE; |  | ||||||
| +
 |  | ||||||
| +    // NOTE: While Expat does not validate namespace URIs against RFC 3986
 |  | ||||||
| +    //       today (and is not REQUIRED to do so with regard to the XML 1.0
 |  | ||||||
| +    //       namespaces specification) we have to at least make sure, that
 |  | ||||||
| +    //       the application on top of Expat (that is likely splitting expanded
 |  | ||||||
| +    //       element names ("qualified names") of form
 |  | ||||||
| +    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
 |  | ||||||
| +    //       in its element handler code) cannot be confused by an attacker
 |  | ||||||
| +    //       putting additional namespace separator characters into namespace
 |  | ||||||
| +    //       declarations.  That would be ambiguous and not to be expected.
 |  | ||||||
| +    //
 |  | ||||||
| +    //       While the HTML API docs of function XML_ParserCreateNS have been
 |  | ||||||
| +    //       advising against use of a namespace separator character that can
 |  | ||||||
| +    //       appear in a URI for >20 years now, some widespread applications
 |  | ||||||
| +    //       are using URI characters (':' (colon) in particular) for a
 |  | ||||||
| +    //       namespace separator, in practice.  To keep these applications
 |  | ||||||
| +    //       functional, we only reject namespaces URIs containing the
 |  | ||||||
| +    //       application-chosen namespace separator if the chosen separator
 |  | ||||||
| +    //       is a non-URI character with regard to RFC 3986.
 |  | ||||||
| +    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
 |  | ||||||
| +        && ! is_rfc3986_uri_char(uri[len])) {
 |  | ||||||
| +      return XML_ERROR_SYNTAX;
 |  | ||||||
| +    }
 |  | ||||||
|    } |  | ||||||
|    isXML = isXML && len == xmlLen; |  | ||||||
|    isXMLNS = isXMLNS && len == xmlnsLen; |  | ||||||
| diff --git a/tests/runtests.c b/tests/runtests.c
 |  | ||||||
| index f03e008..40172d2 100644
 |  | ||||||
| --- a/tests/runtests.c
 |  | ||||||
| +++ b/tests/runtests.c
 |  | ||||||
| @@ -7233,6 +7233,37 @@ START_TEST(test_ns_double_colon_doctype) {
 |  | ||||||
|  } |  | ||||||
|  END_TEST |  | ||||||
|   |  | ||||||
| +START_TEST(test_ns_separator_in_uri) {
 |  | ||||||
| +  struct test_case {
 |  | ||||||
| +    enum XML_Status expectedStatus;
 |  | ||||||
| +    const char *doc;
 |  | ||||||
| +    XML_Char namesep;
 |  | ||||||
| +  };
 |  | ||||||
| +  struct test_case cases[] = {
 |  | ||||||
| +      {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
 |  | ||||||
| +      {XML_STATUS_ERROR, "<doc xmlns='one
two' />", XCS('\n')},
 |  | ||||||
| +      {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
 |  | ||||||
| +  };
 |  | ||||||
| +
 |  | ||||||
| +  size_t i = 0;
 |  | ||||||
| +  size_t failCount = 0;
 |  | ||||||
| +  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
 |  | ||||||
| +    XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
 |  | ||||||
| +    XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
 |  | ||||||
| +    if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
 |  | ||||||
| +                  /*isFinal*/ XML_TRUE)
 |  | ||||||
| +        != cases[i].expectedStatus) {
 |  | ||||||
| +      failCount++;
 |  | ||||||
| +    }
 |  | ||||||
| +    XML_ParserFree(parser);
 |  | ||||||
| +  }
 |  | ||||||
| +
 |  | ||||||
| +  if (failCount) {
 |  | ||||||
| +    fail("Namespace separator handling is broken");
 |  | ||||||
| +  }
 |  | ||||||
| +}
 |  | ||||||
| +END_TEST
 |  | ||||||
| +
 |  | ||||||
|  /* Control variable; the number of times duff_allocator() will successfully |  | ||||||
|   * allocate */ |  | ||||||
|  #define ALLOC_ALWAYS_SUCCEED (-1) |  | ||||||
| @@ -11527,6 +11558,7 @@ make_suite(void) {
 |  | ||||||
|    tcase_add_test(tc_namespace, test_ns_utf16_doctype); |  | ||||||
|    tcase_add_test(tc_namespace, test_ns_invalid_doctype); |  | ||||||
|    tcase_add_test(tc_namespace, test_ns_double_colon_doctype); |  | ||||||
| +  tcase_add_test(tc_namespace, test_ns_separator_in_uri);
 |  | ||||||
|   |  | ||||||
|    suite_add_tcase(s, tc_misc); |  | ||||||
|    tcase_add_checked_fixture(tc_misc, NULL, basic_teardown); |  | ||||||
| @ -1,42 +0,0 @@ | |||||||
| From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001 |  | ||||||
| From: Sebastian Pipping <sebastian@pipping.org> |  | ||||||
| Date: Wed, 26 Jan 2022 02:36:43 +0100 |  | ||||||
| Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog |  | ||||||
|  (CVE-2022-23990) |  | ||||||
| 
 |  | ||||||
| The change from "int nameLen" to "size_t nameLen" |  | ||||||
| addresses the overflow on "nameLen++" in code |  | ||||||
| "for (; name[nameLen++];)" right above the second |  | ||||||
| change in the patch. |  | ||||||
| ---
 |  | ||||||
|  expat/lib/xmlparse.c | 10 ++++++++-- |  | ||||||
|  1 file changed, 8 insertions(+), 2 deletions(-) |  | ||||||
| 
 |  | ||||||
| diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 |  | ||||||
| index 5ce31402..d1d17005 100644
 |  | ||||||
| --- a/lib/xmlparse.c
 |  | ||||||
| +++ b/lib/xmlparse.c
 |  | ||||||
| @@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
 |  | ||||||
|        if (dtd->in_eldecl) { |  | ||||||
|          ELEMENT_TYPE *el; |  | ||||||
|          const XML_Char *name; |  | ||||||
| -        int nameLen;
 |  | ||||||
| +        size_t nameLen;
 |  | ||||||
|          const char *nxt |  | ||||||
|              = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); |  | ||||||
|          int myindex = nextScaffoldPart(parser); |  | ||||||
| @@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
 |  | ||||||
|          nameLen = 0; |  | ||||||
|          for (; name[nameLen++];) |  | ||||||
|            ; |  | ||||||
| -        dtd->contentStringLen += nameLen;
 |  | ||||||
| +
 |  | ||||||
| +        /* Detect and prevent integer overflow */
 |  | ||||||
| +        if (nameLen > UINT_MAX - dtd->contentStringLen) {
 |  | ||||||
| +          return XML_ERROR_NO_MEMORY;
 |  | ||||||
| +        }
 |  | ||||||
| +
 |  | ||||||
| +        dtd->contentStringLen += (unsigned)nameLen;
 |  | ||||||
|          if (parser->m_elementDeclHandler) |  | ||||||
|            handleDefault = XML_FALSE; |  | ||||||
|        } |  | ||||||
| @ -1,22 +1,14 @@ | |||||||
| %global unversion 2_2_10 | %global unversion 2_4_7 | ||||||
| 
 | 
 | ||||||
| Summary: An XML parser library | Summary: An XML parser library | ||||||
| Name: expat | Name: expat | ||||||
| Version: %(echo %{unversion} | sed 's/_/./g') | Version: %(echo %{unversion} | sed 's/_/./g') | ||||||
| Release: 12%{?dist} | Release: 1%{?dist} | ||||||
| Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz | Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz | ||||||
| URL: https://libexpat.github.io/ | URL: https://libexpat.github.io/ | ||||||
| License: MIT | License: MIT | ||||||
| BuildRequires: autoconf, libtool, xmlto, gcc-c++ | BuildRequires: autoconf, libtool, xmlto, gcc-c++ | ||||||
| BuildRequires: make | BuildRequires: make | ||||||
| Patch0:	expat-2.2.10-prevent-integer-overflow-in-doProlog.patch |  | ||||||
| Patch1:	expat-2.2.10-Prevent-more-integer-overflows.patch |  | ||||||
| Patch2:	expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch |  | ||||||
| Patch3:	expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch |  | ||||||
| Patch4:	expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch |  | ||||||
| Patch5: expat-2.2.10-Protect-against-malicious-namespace-declarations.patch |  | ||||||
| Patch6: expat-2.2.10-Add-missing-validation-of-encoding.patch |  | ||||||
| Patch7: expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch |  | ||||||
| 
 | 
 | ||||||
| %description | %description | ||||||
| This is expat, the C library for parsing XML, written by James Clark. Expat | This is expat, the C library for parsing XML, written by James Clark. Expat | ||||||
| @ -44,14 +36,6 @@ Install it if you need to link statically with expat. | |||||||
| 
 | 
 | ||||||
| %prep | %prep | ||||||
| %setup -q -n libexpat-R_%{unversion}/expat | %setup -q -n libexpat-R_%{unversion}/expat | ||||||
| %patch0 -p1 -b .CVE-2022-23990 |  | ||||||
| %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827 |  | ||||||
| %patch2 -p1 -b .CVE-2021-46143 |  | ||||||
| %patch3 -p1 -b .CVE-2021-45960 |  | ||||||
| %patch4 -p1 -b .CVE-2022-23852 |  | ||||||
| %patch5 -p1 -b .CVE-2022-25236 |  | ||||||
| %patch6 -p1 -b .CVE-2022-25235 |  | ||||||
| %patch7 -p1 -b .CVE-2022-25315 |  | ||||||
| 
 | 
 | ||||||
| sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am | sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am | ||||||
| ./buildconf.sh | ./buildconf.sh | ||||||
| @ -80,18 +64,22 @@ make check | |||||||
| %{_mandir}/*/* | %{_mandir}/*/* | ||||||
| 
 | 
 | ||||||
| %files devel | %files devel | ||||||
| %doc doc/reference.html doc/*.png doc/*.css examples/*.c | %doc doc/reference.html doc/*.css examples/*.c | ||||||
| %{_libdir}/lib*.so | %{_libdir}/lib*.so | ||||||
| %{_libdir}/pkgconfig/*.pc | %{_libdir}/pkgconfig/*.pc | ||||||
| %{_includedir}/*.h | %{_includedir}/*.h | ||||||
|  | %{_libdir}/cmake/expat-%{version} | ||||||
| 
 | 
 | ||||||
| %files static | %files static | ||||||
| %{_libdir}/lib*.a | %{_libdir}/lib*.a | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Wed Mar 16 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-12 | * Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> -  2.4.7-1 | ||||||
| - Build fix for CVE-2022-25236 in rhel-9.0.0 | - Rebase to version 2.4.7 | ||||||
| - Related: CVE-2022-25236 | - Resolves: rhbz#2067201 | ||||||
|  | - Resolves: CVE-2022-25313 | ||||||
|  | - Resolves: CVE-2022-25314 | ||||||
|  | - Resolves: CVE-2022-25236 | ||||||
| 
 | 
 | ||||||
| * Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-11 | * Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-11 | ||||||
| - Improve fix for CVE-2022-25236 | - Improve fix for CVE-2022-25236 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user