CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c

Resolves: CVE-2021-46143
2022-02-09 15:04:03 +01:00 · 2022-02-09 15:04:03 +01:00 · d183ecbb95
commit d183ecbb95
parent 4ccf989c09
2 changed files with 50 additions and 1 deletions
--- a/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
+++ b/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
@ -0,0 +1,43 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       if (parser->m_prologState.level >= parser->m_groupSize) {
+         if (parser->m_groupSize) {
+           {
+            /* Detect and prevent integer overflow */
+            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
+              return XML_ERROR_NO_MEMORY;
+            }
+
+             char *const new_connector = (char *)REALLOC(
+                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+             if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+           }
+ 
+           if (dtd->scaffIndex) {
+            /* Detect and prevent integer overflow.
+             * The preprocessor guard addresses the "always false" warning
+             * from -Wtype-limits on platforms where
+             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
+              return XML_ERROR_NO_MEMORY;
+            }
+#endif
+
+             int *const new_scaff_index = (int *)REALLOC(
+                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+             if (new_scaff_index == NULL)
--- a/expat.spec
+++ b/expat.spec
@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 6%{?dist}
+Release: 7%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@ -11,6 +11,7 @@ BuildRequires: autoconf, libtool, xmlto, gcc-c++
 BuildRequires: make
 Patch0:	expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
 Patch1:	expat-2.2.10-Prevent-more-integer-overflows.patch
+Patch2:	expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch

 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@ -40,6 +41,7 @@ Install it if you need to link statically with expat.
 %setup -q -n libexpat-R_%{unversion}/expat
 %patch0 -p1 -b .CVE-2022-23990
 %patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
+%patch2 -p1 -b .CVE-2021-46143
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh

@ -76,6 +78,10 @@ make check
 %{_libdir}/lib*.a

 %changelog
+* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-7
+- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
+- Resolves: CVE-2021-46143
+
 * Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-6
 - CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c
 - CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c