CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c

Resolves: CVE-2021-46143
2022-02-09 15:04:03 +01:00 · 2022-02-09 15:04:03 +01:00 · d183ecbb95
commit d183ecbb95
parent 4ccf989c09
2 changed files with 50 additions and 1 deletions
--- a/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
+++ b/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
@ -0,0 +1,43 @@
 From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
 From: Sebastian Pipping <sebastian@pipping.org>
 Date: Sat, 25 Dec 2021 20:52:08 +0100
 Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
 doProlog (CVE-2021-46143)
 ---
 expat/lib/xmlparse.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
 index b47c31b0..8f243126 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
       if (parser->m_prologState.level >= parser->m_groupSize) {
         if (parser->m_groupSize) {
           {
 +            /* Detect and prevent integer overflow */
 +            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
 +              return XML_ERROR_NO_MEMORY;
 +            }
 +
             char *const new_connector = (char *)REALLOC(
                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
             if (new_connector == NULL) {
@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
           }
           if (dtd->scaffIndex) {
 +            /* Detect and prevent integer overflow.
 +             * The preprocessor guard addresses the "always false" warning
 +             * from -Wtype-limits on platforms where
 +             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
 +#if UINT_MAX >= SIZE_MAX
 +            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
 +              return XML_ERROR_NO_MEMORY;
 +            }
 +#endif
 +
             int *const new_scaff_index = (int *)REALLOC(
                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
             if (new_scaff_index == NULL)
--- a/expat.spec
+++ b/expat.spec
@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 6%{?dist}
+Release: 7%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@ -11,6 +11,7 @@ BuildRequires: autoconf, libtool, xmlto, gcc-c++
 BuildRequires: make
 Patch0:	expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
 Patch1:	expat-2.2.10-Prevent-more-integer-overflows.patch
 Patch2:	expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@ -40,6 +41,7 @@ Install it if you need to link statically with expat.
 %setup -q -n libexpat-R_%{unversion}/expat
 %patch0 -p1 -b .CVE-2022-23990
 %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
 %patch2 -p1 -b .CVE-2021-46143
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@ -76,6 +78,10 @@ make check
 %{_libdir}/lib*.a
 %changelog
 * Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-7
 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
 - Resolves: CVE-2021-46143
 * Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-6
 - CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c
 - CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c