- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 Daniel

Daniel Veillard 2009-08-10 14:21:33 +00:00
parent cb67b360f3
commit 9e00af6553
2 changed files with 164 additions and 0 deletions


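--- /dev/null
+++ b/libxml2-2.7.3-ficora-parse.patch
@@ -0,0 +1,159 @@
+diff --git a/parser.c b/parser.c
+index a476060..b404722 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5323,7 +5323,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+if (name == NULL) {
+xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
+"Name expected in NOTATION declaration\n");
+- return(ret);
++ xmlFreeEnumeration(ret);
++ return(NULL);
+}
+tmp = ret;
+while (tmp != NULL) {
+@@ -5339,7 +5340,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+}
+if (tmp == NULL) {
+cur = xmlCreateEnumeration(name);
+- if (cur == NULL) return(ret);
++ if (cur == NULL) {
++ xmlFreeEnumeration(ret);
++ return(NULL);
++ }
+if (last == NULL) ret = last = cur;
+else {
+last->next = cur;
+@@ -5350,9 +5354,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
+} while (RAW == '|');
+if (RAW != ')') {
+xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
+- if ((last != NULL) && (last != ret))
+- xmlFreeEnumeration(last);
+- return(ret);
++ xmlFreeEnumeration(ret);
++ return(NULL);
+}
+NEXT;
+return(ret);
+@@ -5407,7 +5410,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) {
+cur = xmlCreateEnumeration(name);
+if (!xmlDictOwns(ctxt->dict, name))
+xmlFree(name);
+- if (cur == NULL) return(ret);
++ if (cur == NULL) {
++ xmlFreeEnumeration(ret);
++ return(NULL);
++ }
+if (last == NULL) ret = last = cur;
+else {
+last->next = cur;
+@@ -5775,9 +5781,10 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+}
+/**
+- * xmlParseElementChildrenContentDecl:
++ * xmlParseElementChildrenContentDeclPriv:
+* @ctxt: an XML parser context
+* @inputchk: the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
+*
+* parse the declaration for a Mixed Element content
+* The leading '(' and spaces have been skipped in xmlParseElementContentDecl
+@@ -5805,12 +5812,20 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
+* Returns the tree of xmlElementContentPtr describing the element
+* hierarchy.
+*/
+-xmlElementContentPtr
+-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
++static xmlElementContentPtr
++xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
++ int depth) {
+xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;
+const xmlChar *elem;
+xmlChar type = 0;
++ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
++ (depth > 2048)) {
++ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
++"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",
++ depth);
++ return(NULL);
++ }
+SKIP_BLANKS;
+GROW;
+if (RAW == '(') {
+@@ -5819,7 +5834,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+/* Recurse on first child */
+NEXT;
+SKIP_BLANKS;
+- cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++ depth + 1);
+SKIP_BLANKS;
+GROW;
+} else {
+@@ -5951,7 +5967,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+/* Recurse on second child */
+NEXT;
+SKIP_BLANKS;
+- last = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
++ depth + 1);
+SKIP_BLANKS;
+} else {
+elem = xmlParseName(ctxt);
+@@ -6062,6 +6079,44 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+}
+/**
++ *
++ * xmlParseElementChildrenContentDecl:
++ * @ctxt: an XML parser context
++ * @inputchk: the input used for the current entity, needed for boundary checks
++ * @depth: the level of recursion
++ *
++ * parse the declaration for a Mixed Element content
++ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
++ *
++ * [47] children ::= (choice | seq) ('?' | '*' | '+')?
++ *
++ * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')?
++ *
++ * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')'
++ *
++ * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')'
++ *
++ * [ VC: Proper Group/PE Nesting ] applies to [49] and [50]
++ * TODO Parameter-entity replacement text must be properly nested
++ * with parenthesized groups. That is to say, if either of the
++ * opening or closing parentheses in a choice, seq, or Mixed
++ * construct is contained in the replacement text for a parameter
++ * entity, both must be contained in the same replacement text. For
++ * interoperability, if a parameter-entity reference appears in a
++ * choice, seq, or Mixed construct, its replacement text should not
++ * be empty, and neither the first nor last non-blank character of
++ * the replacement text should be a connector (| or ,).
++ *
++ * Returns the tree of xmlElementContentPtr describing the element
++ * hierarchy.
++ */
++xmlElementContentPtr
++xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
++ /* stub left for API/ABI compat */
++ return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1));
++}
++
++/**
+* xmlParseElementContentDecl:
+* @ctxt: an XML parser context
+* @name: the name of the element being defined.
+@@ -6097,7 +6152,7 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
+tree = xmlParseElementMixedContentDecl(ctxt, inputid);
+res = XML_ELEMENT_TYPE_MIXED;
+} else {
+- tree = xmlParseElementChildrenContentDecl(ctxt, inputid);
++ tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1);
+res = XML_ELEMENT_TYPE_ELEMENT;
+}
+SKIP_BLANKS;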
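Review bot: The doc comment added for the public `xmlParseElementChildrenContentDecl` stub still lists `@depth: the level of recursion`, but the stub's signature takes only `ctxt` and `inputchk`; drop that line, since `depth` is an internal detail the stub fixes at 1. The same comment, and the one renamed for `xmlParseElementChildrenContentDeclPriv`, says "parse the declaration for a Mixed Element content" although both functions parse the children content model of productions [47]–[50]; a wording such as `* parse the declaration for a children Element content` would match the grammar quoted right below it. The recursion bound in `xmlParseElementChildrenContentDeclPriv` is written with the bare numbers 128 and 2048; giving them names (an enum or `#define` beside whatever other parser limits the file already defines) would keep the XML_PARSE_HUGE trade-off visible where the limits are tuned. These hunks come from the new patch file, so the full bodies of the affected functions lie outside the visible context.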


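--- a/<SPEC_FILE_PATH>
+++ b/<SPEC_FILE_PATH>
@@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel pkgconfig
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
+Patch1: libxml2-2.7.3-ficora-parse.patch
 %description
 This library allows to manipulate XML files. It includes support
@@ -67,6 +68,7 @@ at parse time or later once the document has been modified.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 %configure
@@ -141,6 +143,9 @@ rm -fr %{buildroot}
 %doc doc/python.html
 %changelog
+* Mon Aug 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-4.fc11
+- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild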