Include alloc changes into previous patch
Resolves: RHEL-83514
parent
8acc3c3400
commit
dfaee045c4
@ -1,31 +1,19 @@
|
|||||||
From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
|
From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001
|
||||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
Date: Thu, 5 Dec 2024 12:43:19 +0100
|
Date: Tue, 21 Mar 2023 12:19:50 +0100
|
||||||
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
|
Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush
|
||||||
|
|
||||||
Definitions of excluded namespaces could be deleted in
|
Found by OSS-Fuzz, see #84.
|
||||||
xsltParseTemplateContent. Store excluded namespace URIs in the
|
|
||||||
stylesheet's dictionary instead of referencing the namespace definition.
|
|
||||||
|
|
||||||
Thanks to Ivan Fratric for the report!
|
|
||||||
|
|
||||||
Fixes #127.
|
|
||||||
---
|
---
|
||||||
libxslt/xslt.c | 22 +++++++++++-----------
|
libxslt/xslt.c | 24 ++++++++----------------
|
||||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
1 file changed, 8 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||||
index 7a1ce011..4f975cd2 100644
|
index 7a1ce011..6d4126a1 100644
|
||||||
--- a/libxslt/xslt.c
|
--- a/libxslt/xslt.c
|
||||||
+++ b/libxslt/xslt.c
|
+++ b/libxslt/xslt.c
|
||||||
@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
|
@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
||||||
* in case of error
|
|
||||||
*/
|
|
||||||
static int
|
|
||||||
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
|
||||||
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
|
|
||||||
{
|
{
|
||||||
+ xmlChar *value;
|
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
- if (style->exclPrefixMax == 0) {
|
- if (style->exclPrefixMax == 0) {
|
||||||
@ -38,6 +26,66 @@ index 7a1ce011..4f975cd2 100644
|
|||||||
- return (-1);
|
- return (-1);
|
||||||
- }
|
- }
|
||||||
- }
|
- }
|
||||||
|
/* do not push duplicates */
|
||||||
|
for (i = 0;i < style->exclPrefixNr;i++) {
|
||||||
|
if (xmlStrEqual(style->exclPrefixTab[i], value))
|
||||||
|
return(-1);
|
||||||
|
}
|
||||||
|
if (style->exclPrefixNr >= style->exclPrefixMax) {
|
||||||
|
- style->exclPrefixMax *= 2;
|
||||||
|
- style->exclPrefixTab =
|
||||||
|
- (xmlChar * *)xmlRealloc(style->exclPrefixTab,
|
||||||
|
- style->exclPrefixMax *
|
||||||
|
- sizeof(style->exclPrefixTab[0]));
|
||||||
|
- if (style->exclPrefixTab == NULL) {
|
||||||
|
+ xmlChar **tmp;
|
||||||
|
+ size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
|
||||||
|
+
|
||||||
|
+ tmp = xmlRealloc(style->exclPrefixTab,
|
||||||
|
+ max * sizeof(style->exclPrefixTab[0]));
|
||||||
|
+ if (tmp == NULL) {
|
||||||
|
xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
+ style->exclPrefixTab = tmp;
|
||||||
|
+ style->exclPrefixMax = max;
|
||||||
|
}
|
||||||
|
style->exclPrefixTab[style->exclPrefixNr] = value;
|
||||||
|
style->exclPrefix = value;
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
||||||
|
|
||||||
|
From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Thu, 5 Dec 2024 12:43:19 +0100
|
||||||
|
Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces
|
||||||
|
|
||||||
|
Definitions of excluded namespaces could be deleted in
|
||||||
|
xsltParseTemplateContent. Store excluded namespace URIs in the
|
||||||
|
stylesheet's dictionary instead of referencing the namespace definition.
|
||||||
|
|
||||||
|
Thanks to Ivan Fratric for the report!
|
||||||
|
|
||||||
|
Fixes #127.
|
||||||
|
---
|
||||||
|
libxslt/xslt.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||||
|
index 6d4126a1..11681a13 100644
|
||||||
|
--- a/libxslt/xslt.c
|
||||||
|
+++ b/libxslt/xslt.c
|
||||||
|
@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
|
||||||
|
* in case of error
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
||||||
|
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
|
||||||
|
{
|
||||||
|
+ xmlChar *value;
|
||||||
|
int i;
|
||||||
|
|
||||||
+ /*
|
+ /*
|
||||||
+ * orig can come from a namespace definition on a node which
|
+ * orig can come from a namespace definition on a node which
|
||||||
+ * could be deleted later, for example in xsltParseTemplateContent.
|
+ * could be deleted later, for example in xsltParseTemplateContent.
|
||||||
|
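Review bot: In the growth path that patch 1/2 adds to exclPrefixPush, `size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;` does the doubling in the type of `exclPrefixMax` before widening, and `style->exclPrefixMax = max;` narrows it back. The `size_t` local therefore does not by itself protect the count, or `max * sizeof(style->exclPrefixTab[0])`, from overflow. The field's declaration is not visible on this page; if it is a plain `int`, a check before doubling such as `if (style->exclPrefixMax > INT_MAX / 2) return (-1);` would make the limit explicit. Separately, the realloc failure and the duplicate check both return -1, so the header comment could gain a line such as `/* -1 is returned both for a duplicate and for allocation failure */`. The body of exclPrefixPush in patch 2/2 continues past the last visible hunk line, so the dictionary lookup described in the commit message could not be reviewed here.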
@ -1,7 +1,7 @@
|
|||||||
Name: libxslt
|
Name: libxslt
|
||||||
Summary: Library providing the Gnome XSLT engine
|
Summary: Library providing the Gnome XSLT engine
|
||||||
Version: 1.1.34
|
Version: 1.1.34
|
||||||
Release: 11%{?dist}
|
Release: 12%{?dist}
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://xmlsoft.org/XSLT
|
URL: http://xmlsoft.org/XSLT
|
||||||
@ -134,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir}
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 03 2025 David King <dking@redhat.com> - 1.1.34-12
|
||||||
|
- Include alloc changes into previous patch (RHEL-83514)
|
||||||
|
|
||||||
* Wed Apr 02 2025 David King <dking@redhat.com> - 1.1.34-11
|
* Wed Apr 02 2025 David King <dking@redhat.com> - 1.1.34-11
|
||||||
- Fix CVE-2024-55549 (RHEL-83514)
|
- Fix CVE-2024-55549 (RHEL-83514)
|
||||||
|
|
||||||
|