Fix build of tests/fuzz (#2047653)

Resolves: #2047653
2022-01-28 10:04:47 +00:00 · 2022-01-28 10:04:47 +00:00 · a34956acdb
commit a34956acdb
parent eab8d56e10
2 changed files with 154 additions and 0 deletions
--- a/libxslt-1.1.34-test-fuzz-build.patch
+++ b/libxslt-1.1.34-test-fuzz-build.patch
@ -0,0 +1,151 @@
+From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 03:42:11 +0200
+Subject: [PATCH 1/3] Stop using maxParserDepth XPath limit
+
+This will be removed again from libxml2.
+---
+ tests/fuzz/fuzz.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
+index f502ca2c..75234ad6 100644
+--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
+@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxParserDepth = 15;
+-    xpctxt->maxDepth = 100;
+    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+ 
+ static void
+ xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxParserDepth = 15;
+-    ctxt->maxDepth = 100;
+    ctxt->maxDepth = 200;
+     ctxt->opLimit = 100000;
+ }
+ 
+-- 
+2.34.1
+
+
+From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 04:27:13 +0200
+Subject: [PATCH 2/3] Transfer XPath limits to XPtr context
+
+Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
+XPath limits.
+---
+ libxslt/functions.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index b350545a..975ea790 100644
+--- a/libxslt/functions.c
+++ b/libxslt/functions.c
+@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ 	goto out_fragment;
+     }
+ 
+#if LIBXML_VERSION >= 20911 || \
+    defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+    xptrctxt->opLimit = ctxt->context->opLimit;
+    xptrctxt->opCount = ctxt->context->opCount;
+    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+
+    resObj = xmlXPtrEval(fragment, xptrctxt);
+
+    ctxt->context->opCount = xptrctxt->opCount;
+#else
+     resObj = xmlXPtrEval(fragment, xptrctxt);
+-    xmlXPathFreeContext(xptrctxt);
+ #endif
+ 
+    xmlXPathFreeContext(xptrctxt);
+#endif /* LIBXML_XPTR_ENABLED */
+
+     if (resObj == NULL)
+ 	goto out_fragment;
+ 
+-- 
+2.34.1
+
+
+From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 26 Aug 2020 00:34:38 +0200
+Subject: [PATCH 3/3] Don't set maxDepth in XPath contexts
+
+The maximum recursion depth is hardcoded in libxml2 now.
+---
+ libxslt/functions.c |  2 +-
+ tests/fuzz/fuzz.c   | 11 ++---------
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 975ea790..7887dda7 100644
+--- a/libxslt/functions.c
+++ b/libxslt/functions.c
+@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+     defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+     xptrctxt->opLimit = ctxt->context->opLimit;
+     xptrctxt->opCount = ctxt->context->opCount;
+-    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+    xptrctxt->depth = ctxt->context->depth;
+ 
+     resObj = xmlXPtrEval(fragment, xptrctxt);
+ 
+diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
+index 75234ad6..780c2d41 100644
+--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
+@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     return 0;
+ }
+ 
+-static void
+-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxDepth = 200;
+-    ctxt->opLimit = 100000;
+-}
+-
+ xmlChar *
+ xsltFuzzXslt(const char *data, size_t size) {
+     xmlDocPtr xsltDoc;
+@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
+         xmlFreeDoc(xsltDoc);
+         return NULL;
+     }
+-    xsltSetXPathResourceLimits(sheet->xpathCtxt);
+    sheet->xpathCtxt->opLimit = 100000;
+     sheet->xpathCtxt->opCount = 0;
+     if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
+         xsltFreeStylesheet(sheet);
+@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
+     xsltSetCtxtSecurityPrefs(sec, ctxt);
+     ctxt->maxTemplateDepth = 100;
+     ctxt->opLimit = 20000;
+-    xsltSetXPathResourceLimits(ctxt->xpathCtxt);
+    ctxt->xpathCtxt->opLimit = 100000;
+     ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
+ 
+     result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
+-- 
+2.34.1
+
--- a/libxslt.spec
+++ b/libxslt.spec
@ -22,6 +22,8 @@ Patch2:         multilib2.patch
 Patch3:         f165525fe744e6fe3b377b480d6cc5f9c546d360.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2047326
 Patch4:         libxslt-1.1.34-tutorial2-dtd.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2047653
+Patch5:         libxslt-1.1.34-test-fuzz-build.patch

 %description
 This C library allows to transform XML files into other XML files
@ -130,6 +132,7 @@ rm -vrf %{buildroot}%{_docdir}
 %changelog
 * Fri Jan 28 2022 David King <amigadave@amigadave.com> - 1.1.34-9
 - Fix validity of tutorial XML (#2047326)
+- Fix build of tests/fuzz (#2047653)

 * Thu Jan 27 2022 David King <amigadave@amigadave.com> - 1.1.34-8
 - Fix DTD in tutorial XML (#2047326)