1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
This patch backported from libxml2-2.7.2-CVE-2008-422x.patch.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Original changelog message:
Mon Nov 17 16:56:18 CET 2008 Daniel Veillard <daniel@...> (upstream revision 3803)
* SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow
when building gigantic text nodes, and a bit of cleanup
to better handled out of memory problem in that code.
* tree.c: fix for CVE-2008-4225, lack of testing leads to
a busy loop test assuming one have enough core memory.
diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/SAX2.c libxml2-2.6.32/SAX2.c
--- libxml2-2.6.32.orig/SAX2.c 2008-01-25 05:10:04.000000000 -0800
+++ libxml2-2.6.32/SAX2.c 2008-12-22 20:42:14.039171616 -0800
@@ -11,6 +11,7 @@
#include "libxml.h"
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <libxml/xmlmemory.h>
#include <libxml/tree.h>
#include <libxml/parser.h>
@@ -26,6 +27,11 @@
#include <libxml/HTMLtree.h>
#include <libxml/globals.h>
+/* Define SIZE_T_MAX unless defined through <limits.h>. */
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX ((size_t)-1)
+#endif /* !SIZE_T_MAX */
+
/* #define DEBUG_SAX2 */
/* #define DEBUG_SAX2_TREE */
@@ -2445,9 +2451,14 @@
(xmlDictOwns(ctxt->dict, lastChild->content))) {
lastChild->content = xmlStrdup(lastChild->content);
}
+ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
+ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
+ return;
+ }
if (ctxt->nodelen + len >= ctxt->nodemem) {
xmlChar *newbuf;
- int size;
+ size_t size;
size = ctxt->nodemem + len;
size *= 2;
diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/tree.c libxml2-2.6.32/tree.c
--- libxml2-2.6.32.orig/tree.c 2008-04-08 06:54:48.000000000 -0700
+++ libxml2-2.6.32/tree.c 2008-12-22 20:47:22.365674451 -0800
@@ -14,7 +14,7 @@
#include "libxml.h"
#include <string.h> /* for memset() only ! */
-
+#include <limits.h>
#ifdef HAVE_CTYPE_H
#include <ctype.h>
#endif
@@ -6916,7 +6916,13 @@
case XML_BUFFER_ALLOC_DOUBLEIT:
/*take care of empty case*/
newSize = (buf->size ? buf->size*2 : size + 10);
- while (size > newSize) newSize *= 2;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+ return 0;
+ }
+ newSize *= 2;
+ }
break;
case XML_BUFFER_ALLOC_EXACT:
newSize = size+10;
diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/parser.c libxml2-2.6.32/parser.c
--- libxml2-2.6.32.orig/parser.c 2008-04-08 07:47:58.000000000 -0700
+++ libxml2-2.6.32/parser.c 2008-12-22 20:42:14.053327110 -0800
@@ -3758,6 +3758,9 @@
line = ctxt->input->line;
col = ctxt->input->col;
}
+ /* something really bad happened in the SAX callback */
+ if (ctxt->instate != XML_PARSER_CONTENT)
+ return;
}
ctxt->input->cur = in;
if (*in == 0xD) {
@@ -3838,6 +3841,9 @@
}
}
nbchar = 0;
+ /* something really bad happened in the SAX callback */
+ if (ctxt->instate != XML_PARSER_CONTENT)
+ return;
}
count++;
if (count > 50) {
|
GitWeb