- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 Daniel
This commit is contained in:
parent
cb67b360f3
commit
9e00af6553
159
libxml2-2.7.3-ficora-parse.patch
Normal file
159
libxml2-2.7.3-ficora-parse.patch
Normal file
@ -0,0 +1,159 @@
|
||||
diff --git a/parser.c b/parser.c
|
||||
index a476060..b404722 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -5323,7 +5323,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
|
||||
if (name == NULL) {
|
||||
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
|
||||
"Name expected in NOTATION declaration\n");
|
||||
- return(ret);
|
||||
+ xmlFreeEnumeration(ret);
|
||||
+ return(NULL);
|
||||
}
|
||||
tmp = ret;
|
||||
while (tmp != NULL) {
|
||||
@@ -5339,7 +5340,10 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
|
||||
}
|
||||
if (tmp == NULL) {
|
||||
cur = xmlCreateEnumeration(name);
|
||||
- if (cur == NULL) return(ret);
|
||||
+ if (cur == NULL) {
|
||||
+ xmlFreeEnumeration(ret);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
if (last == NULL) ret = last = cur;
|
||||
else {
|
||||
last->next = cur;
|
||||
@@ -5350,9 +5354,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
|
||||
} while (RAW == '|');
|
||||
if (RAW != ')') {
|
||||
xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
|
||||
- if ((last != NULL) && (last != ret))
|
||||
- xmlFreeEnumeration(last);
|
||||
- return(ret);
|
||||
+ xmlFreeEnumeration(ret);
|
||||
+ return(NULL);
|
||||
}
|
||||
NEXT;
|
||||
return(ret);
|
||||
@@ -5407,7 +5410,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) {
|
||||
cur = xmlCreateEnumeration(name);
|
||||
if (!xmlDictOwns(ctxt->dict, name))
|
||||
xmlFree(name);
|
||||
- if (cur == NULL) return(ret);
|
||||
+ if (cur == NULL) {
|
||||
+ xmlFreeEnumeration(ret);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
if (last == NULL) ret = last = cur;
|
||||
else {
|
||||
last->next = cur;
|
||||
@@ -5775,9 +5781,10 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
}
|
||||
|
||||
/**
|
||||
- * xmlParseElementChildrenContentDecl:
|
||||
+ * xmlParseElementChildrenContentDeclPriv:
|
||||
* @ctxt: an XML parser context
|
||||
* @inputchk: the input used for the current entity, needed for boundary checks
|
||||
+ * @depth: the level of recursion
|
||||
*
|
||||
* parse the declaration for a Mixed Element content
|
||||
* The leading '(' and spaces have been skipped in xmlParseElementContentDecl
|
||||
@@ -5805,12 +5812,20 @@ xmlParseElementMixedContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
* Returns the tree of xmlElementContentPtr describing the element
|
||||
* hierarchy.
|
||||
*/
|
||||
-xmlElementContentPtr
|
||||
-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
+static xmlElementContentPtr
|
||||
+xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
|
||||
+ int depth) {
|
||||
xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;
|
||||
const xmlChar *elem;
|
||||
xmlChar type = 0;
|
||||
|
||||
+ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
|
||||
+ (depth > 2048)) {
|
||||
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
|
||||
+"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",
|
||||
+ depth);
|
||||
+ return(NULL);
|
||||
+ }
|
||||
SKIP_BLANKS;
|
||||
GROW;
|
||||
if (RAW == '(') {
|
||||
@@ -5819,7 +5834,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
/* Recurse on first child */
|
||||
NEXT;
|
||||
SKIP_BLANKS;
|
||||
- cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
|
||||
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
||||
+ depth + 1);
|
||||
SKIP_BLANKS;
|
||||
GROW;
|
||||
} else {
|
||||
@@ -5951,7 +5967,8 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
/* Recurse on second child */
|
||||
NEXT;
|
||||
SKIP_BLANKS;
|
||||
- last = xmlParseElementChildrenContentDecl(ctxt, inputid);
|
||||
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
|
||||
+ depth + 1);
|
||||
SKIP_BLANKS;
|
||||
} else {
|
||||
elem = xmlParseName(ctxt);
|
||||
@@ -6062,6 +6079,44 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
}
|
||||
|
||||
/**
|
||||
+ *
|
||||
+ * xmlParseElementChildrenContentDecl:
|
||||
+ * @ctxt: an XML parser context
|
||||
+ * @inputchk: the input used for the current entity, needed for boundary checks
|
||||
+ * @depth: the level of recursion
|
||||
+ *
|
||||
+ * parse the declaration for a Mixed Element content
|
||||
+ * The leading '(' and spaces have been skipped in xmlParseElementContentDecl
|
||||
+ *
|
||||
+ * [47] children ::= (choice | seq) ('?' | '*' | '+')?
|
||||
+ *
|
||||
+ * [48] cp ::= (Name | choice | seq) ('?' | '*' | '+')?
|
||||
+ *
|
||||
+ * [49] choice ::= '(' S? cp ( S? '|' S? cp )* S? ')'
|
||||
+ *
|
||||
+ * [50] seq ::= '(' S? cp ( S? ',' S? cp )* S? ')'
|
||||
+ *
|
||||
+ * [ VC: Proper Group/PE Nesting ] applies to [49] and [50]
|
||||
+ * TODO Parameter-entity replacement text must be properly nested
|
||||
+ * with parenthesized groups. That is to say, if either of the
|
||||
+ * opening or closing parentheses in a choice, seq, or Mixed
|
||||
+ * construct is contained in the replacement text for a parameter
|
||||
+ * entity, both must be contained in the same replacement text. For
|
||||
+ * interoperability, if a parameter-entity reference appears in a
|
||||
+ * choice, seq, or Mixed construct, its replacement text should not
|
||||
+ * be empty, and neither the first nor last non-blank character of
|
||||
+ * the replacement text should be a connector (| or ,).
|
||||
+ *
|
||||
+ * Returns the tree of xmlElementContentPtr describing the element
|
||||
+ * hierarchy.
|
||||
+ */
|
||||
+xmlElementContentPtr
|
||||
+xmlParseElementChildrenContentDecl(xmlParserCtxtPtr ctxt, int inputchk) {
|
||||
+ /* stub left for API/ABI compat */
|
||||
+ return(xmlParseElementChildrenContentDeclPriv(ctxt, inputchk, 1));
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* xmlParseElementContentDecl:
|
||||
* @ctxt: an XML parser context
|
||||
* @name: the name of the element being defined.
|
||||
@@ -6097,7 +6152,7 @@ xmlParseElementContentDecl(xmlParserCtxtPtr ctxt, const xmlChar *name,
|
||||
tree = xmlParseElementMixedContentDecl(ctxt, inputid);
|
||||
res = XML_ELEMENT_TYPE_MIXED;
|
||||
} else {
|
||||
- tree = xmlParseElementChildrenContentDecl(ctxt, inputid);
|
||||
+ tree = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, 1);
|
||||
res = XML_ELEMENT_TYPE_ELEMENT;
|
||||
}
|
||||
SKIP_BLANKS;
|
@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
BuildRequires: python python-devel zlib-devel pkgconfig
|
||||
URL: http://xmlsoft.org/
|
||||
Patch0: libxml2-multilib.patch
|
||||
Patch1: libxml2-2.7.3-ficora-parse.patch
|
||||
|
||||
%description
|
||||
This library allows to manipulate XML files. It includes support
|
||||
@ -67,6 +68,7 @@ at parse time or later once the document has been modified.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
%configure
|
||||
@ -141,6 +143,9 @@ rm -fr %{buildroot}
|
||||
%doc doc/python.html
|
||||
|
||||
%changelog
|
||||
* Mon Aug 10 2009 Daniel Veillard <veillard@redhat.com> - 2.7.3-4.fc11
|
||||
- two patches for parsing problems CVE-2009-2414 and CVE-2009-2416
|
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.3-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user