197 lines
6.0 KiB
Diff
197 lines
6.0 KiB
Diff
|
From 7f70302bfa9faeac9c9f7be8adf96d32c16acb72 Mon Sep 17 00:00:00 2001
|
||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||
|
Date: Tue, 8 Feb 2022 03:29:24 +0100
|
||
|
Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
|
||
|
|
||
|
If a document is parsed with XML_PARSE_DTDVALID and without
|
||
|
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
|
||
|
potentially expanding entities in xmlRemoveID. Otherwise, later calls
|
||
|
to xmlGetID can return a pointer to previously freed memory.
|
||
|
|
||
|
ID attributes which are empty or contain only whitespace after
|
||
|
entity expansion are affected in a similar way. This is fixed by
|
||
|
not storing such attributes in the ID table.
|
||
|
|
||
|
The test to detect streaming mode when validating against a DTD was
|
||
|
broken. In connection with the defects above, this could result in a
|
||
|
use-after-free when using the xmlReader interface with validation.
|
||
|
Fix detection of streaming mode to avoid similar issues. (This changes
|
||
|
the expected result of a test case. But as far as I can tell, using the
|
||
|
XML reader with XIncludes referencing the root document never worked
|
||
|
properly, anyway.)
|
||
|
|
||
|
All of these issues can result in denial of service. Using xmlReader
|
||
|
with validation could result in disclosure of memory via the error
|
||
|
channel, typically stderr. The security impact of xmlGetID returning
|
||
|
a pointer to freed memory depends on the application. The typical use
|
||
|
case of calling xmlGetID on an unmodified document is not affected.
|
||
|
---
|
||
|
valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
|
||
|
1 file changed, 55 insertions(+), 33 deletions(-)
|
||
|
|
||
|
diff --git a/valid.c b/valid.c
|
||
|
index a64b96be..5b81059f 100644
|
||
|
--- a/valid.c
|
||
|
+++ b/valid.c
|
||
|
@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
|
||
|
return (ret);
|
||
|
}
|
||
|
|
||
|
+/**
|
||
|
+ * xmlValidNormalizeString:
|
||
|
+ * @str: a string
|
||
|
+ *
|
||
|
+ * Normalize a string in-place.
|
||
|
+ */
|
||
|
+static void
|
||
|
+xmlValidNormalizeString(xmlChar *str) {
|
||
|
+ xmlChar *dst;
|
||
|
+ const xmlChar *src;
|
||
|
+
|
||
|
+ if (str == NULL)
|
||
|
+ return;
|
||
|
+ src = str;
|
||
|
+ dst = str;
|
||
|
+
|
||
|
+ while (*src == 0x20) src++;
|
||
|
+ while (*src != 0) {
|
||
|
+ if (*src == 0x20) {
|
||
|
+ while (*src == 0x20) src++;
|
||
|
+ if (*src != 0)
|
||
|
+ *dst++ = 0x20;
|
||
|
+ } else {
|
||
|
+ *dst++ = *src++;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ *dst = 0;
|
||
|
+}
|
||
|
+
|
||
|
#ifdef DEBUG_VALID_ALGO
|
||
|
static void
|
||
|
xmlValidPrintNode(xmlNodePtr cur) {
|
||
|
@@ -2546,6 +2575,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
|
||
|
(xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
|
||
|
xmlFree((char *)(str));
|
||
|
|
||
|
+static int
|
||
|
+xmlIsStreaming(xmlValidCtxtPtr ctxt) {
|
||
|
+ xmlParserCtxtPtr pctxt;
|
||
|
+
|
||
|
+ if (ctxt == NULL)
|
||
|
+ return(0);
|
||
|
+ /*
|
||
|
+ * These magic values are also abused to detect whether we're validating
|
||
|
+ * while parsing a document. In this case, userData points to the parser
|
||
|
+ * context.
|
||
|
+ */
|
||
|
+ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
|
||
|
+ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
|
||
|
+ return(0);
|
||
|
+ pctxt = ctxt->userData;
|
||
|
+ return(pctxt->parseMode == XML_PARSE_READER);
|
||
|
+}
|
||
|
+
|
||
|
/**
|
||
|
* xmlFreeID:
|
||
|
* @not: A id
|
||
|
@@ -2589,7 +2636,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||
|
if (doc == NULL) {
|
||
|
return(NULL);
|
||
|
}
|
||
|
- if (value == NULL) {
|
||
|
+ if ((value == NULL) || (value[0] == 0)) {
|
||
|
return(NULL);
|
||
|
}
|
||
|
if (attr == NULL) {
|
||
|
@@ -2620,7 +2667,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||
|
*/
|
||
|
ret->value = xmlStrdup(value);
|
||
|
ret->doc = doc;
|
||
|
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||
|
+ if (xmlIsStreaming(ctxt)) {
|
||
|
/*
|
||
|
* Operating in streaming mode, attr is gonna disapear
|
||
|
*/
|
||
|
@@ -2754,6 +2801,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
|
||
|
ID = xmlNodeListGetString(doc, attr->children, 1);
|
||
|
if (ID == NULL)
|
||
|
return(-1);
|
||
|
+ xmlValidNormalizeString(ID);
|
||
|
|
||
|
id = xmlHashLookup(table, ID);
|
||
|
if (id == NULL || id->attr != attr) {
|
||
|
@@ -2942,7 +2990,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
|
||
|
* fill the structure.
|
||
|
*/
|
||
|
ret->value = xmlStrdup(value);
|
||
|
- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
|
||
|
+ if (xmlIsStreaming(ctxt)) {
|
||
|
/*
|
||
|
* Operating in streaming mode, attr is gonna disapear
|
||
|
*/
|
||
|
@@ -3962,8 +4010,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||
|
xmlChar *
|
||
|
xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||
|
xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
|
||
|
- xmlChar *ret, *dst;
|
||
|
- const xmlChar *src;
|
||
|
+ xmlChar *ret;
|
||
|
xmlAttributePtr attrDecl = NULL;
|
||
|
int extsubset = 0;
|
||
|
|
||
|
@@ -4004,19 +4051,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||
|
ret = xmlStrdup(value);
|
||
|
if (ret == NULL)
|
||
|
return(NULL);
|
||
|
- src = value;
|
||
|
- dst = ret;
|
||
|
- while (*src == 0x20) src++;
|
||
|
- while (*src != 0) {
|
||
|
- if (*src == 0x20) {
|
||
|
- while (*src == 0x20) src++;
|
||
|
- if (*src != 0)
|
||
|
- *dst++ = 0x20;
|
||
|
- } else {
|
||
|
- *dst++ = *src++;
|
||
|
- }
|
||
|
- }
|
||
|
- *dst = 0;
|
||
|
+ xmlValidNormalizeString(ret);
|
||
|
if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
|
||
|
xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
|
||
|
"standalone: %s on %s value had to be normalized based on external subset declaration\n",
|
||
|
@@ -4048,8 +4083,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
|
||
|
xmlChar *
|
||
|
xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||
|
const xmlChar *name, const xmlChar *value) {
|
||
|
- xmlChar *ret, *dst;
|
||
|
- const xmlChar *src;
|
||
|
+ xmlChar *ret;
|
||
|
xmlAttributePtr attrDecl = NULL;
|
||
|
|
||
|
if (doc == NULL) return(NULL);
|
||
|
@@ -4079,19 +4113,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
|
||
|
ret = xmlStrdup(value);
|
||
|
if (ret == NULL)
|
||
|
return(NULL);
|
||
|
- src = value;
|
||
|
- dst = ret;
|
||
|
- while (*src == 0x20) src++;
|
||
|
- while (*src != 0) {
|
||
|
- if (*src == 0x20) {
|
||
|
- while (*src == 0x20) src++;
|
||
|
- if (*src != 0)
|
||
|
- *dst++ = 0x20;
|
||
|
- } else {
|
||
|
- *dst++ = *src++;
|
||
|
- }
|
||
|
- }
|
||
|
- *dst = 0;
|
||
|
+ xmlValidNormalizeString(ret);
|
||
|
return(ret);
|
||
|
}
|
||
|
|
||
|
--
|
||
|
2.35.1
|
||
|
|