From 529186bfdf180ee590b60507d25d89f4deb6e528 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 13 Dec 2018 14:27:07 +0100
Subject: [PATCH] Fix a buffer overwrite in parse_stream() with wide characters on the standard input
---
...x-a-buffer-overwrite-in-parse_stream.patch | 64 +++++++++++++++++++
perl-XML-Parser.spec | 10 ++-
2 files changed, 73 insertions(+), 1 deletion(-)
create mode 100644 XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
diff --git a/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch b/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
new file mode 100644
index 0000000..4e2e0bc
--- /dev/null
+++ b/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
@@ -0,0 +1,64 @@
+From 53e71571fc0b1f8dbad5f7ff6e9eeeb233496c13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 13 Dec 2018 13:05:07 +0100
+Subject: [PATCH] Fix a buffer overwrite in parse_stream()
+
+The parse_stream() function allocates BUFSIZE-byte long output buffer. Then it
+reads a string using PerlIO's read() with a maximal string length tsiz=BUFSIZE
+characters into a temporary buffer. And then it retrieves a length of the string
+in the temporary buffer in bytes and copies the strings from the temporary
+buffer to the output buffer.
+
+While it works for byte-stream file handles, when using UTF-8 handles, length
+in bytes can be greater than length in characters, thus the temporary buffer
+can contain more bytes than the size of the output buffer and we have a buffer
+overwrite. This corrupts memory, especially metadata for libc memory
+management and subsequent free() aborts with "free(): invalid next size
+(normal)".
+
+Minimal reproducer: Execute this code with an UTF-8 encoded file with non-ASCII
+charcters on the standard input:
+
+use XML::XPath;
+use open ':std', ':encoding(UTF-8)';
+my $xpath = XML::XPath->new(ioref => \*STDIN);
+$xpath->find('/');
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1473368
+https://bugzilla.redhat.com/show_bug.cgi?id=1658512
+---
+ Expat/Expat.xs | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/Expat/Expat.xs b/Expat/Expat.xs
+index ed66531..dbad380 100644
+--- a/Expat/Expat.xs
++++ b/Expat/Expat.xs
+@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
+ }
+ else {
+ tbuff = newSV(0);
+- tsiz = newSViv(BUFSIZE);
+- buffsize = BUFSIZE;
++ tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
++ buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
+ }
+
+ while (! 
done)
+@@ -386,9 +386,11 @@ parse_stream(XML_Parser parser, SV * ioref)
+ croak("read error");
+
+ tb = SvPV(tbuff, br);
+- if (br > 0)
++ if (br > 0) {
++ if (br > buffsize)
++ croak("The input buffer is not large enough for read UTF-8 decoded string");
+ Copy(tb, buffer, br, char);
+- else
++ } else
+ done = 1;
+
+ PUTBACK ;
+--
+2.18.1
+
diff --git a/perl-XML-Parser.spec b/perl-XML-Parser.spec
index 5031c32..bcb6a1b 100644
--- a/perl-XML-Parser.spec
+++ b/perl-XML-Parser.spec
@@ -1,11 +1,14 @@ Name: perl-XML-Parser Version: 2.44 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Perl module for parsing XML documents License: GPL+ or Artistic Url: https://metacpan.org/release/XML-Parser Source0: https://cpan.metacpan.org/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz +# Fix a buffer overwrite in parse_stream() with wide characters on the standard +# input, bug #1473368, CPAN RT#128006 +Patch0: XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch BuildRequires: coreutils BuildRequires: findutils
@@ -56,6 +59,7 @@ creation time. %prep %setup -q -n XML-Parser-%{version} +%patch0 -p1 chmod 644 samples/{canonical,xml*} perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' samples/{canonical,xml*}
@@ -89,6 +93,10 @@ make test %changelog +* Thu Dec 13 2018 Petr Pisar - 2.44-14 +- Fix a buffer overwrite in parse_stream() with wide characters on the standard + input (bug #1473368) + * Mon Jul 23 2018 Jitka Plesnikova - 2.44-13 - Specify all dependencies
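Review bot: The new `if (br > buffsize)` guard in the second hunk of the embedded Expat.xs patch turns the overwrite into a hard `croak`, while the `buffsize = BUFSIZE * 6` sizing in its first hunk is a heuristic rather than a bound: if the PerlIO layer on the handle passes through Perl's extended internal UTF-8 (the `:utf8` layer does not validate), a single character can take more than six bytes, and such a stream would abort the whole parse instead of being read. Since `br` is already known before the copy, the output buffer could be grown rather than rejected, e.g. `if (br > buffsize) { Renew(buffer, br, char); buffsize = br; }` directly before `Copy(tb, buffer, br, char);` — this presumes `buffer` is heap-allocated with `New`/`Newx` and `buffsize` is the size later released, both of which are outside the hunk and should be confirmed first. If `buffsize` is declared as a signed `int`, the comparison against the `STRLEN` `br` is also a mixed-sign compare worth a cast. The croak text `"The input buffer is not large enough for read UTF-8 decoded string"` reads awkwardly; `"input buffer too small for the decoded UTF-8 string"` says the same. parse_stream() begins and ends outside both hunks of the embedded patch.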