1
From: Daniel Veillard <veillard@redhat.com>
2
Date: Tue, 14 Apr 2015 17:41:48 +0800
3
Subject: CVE-2015-1819 Enforce the reader to run in constant memory
5
One of the operation on the reader could resolve entities
6
leading to the classic expansion issue. Make sure the
7
buffer used for xmlreader operation is bounded.
8
Introduce a new allocation type for the buffers for this effect.
10
buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
11
include/libxml/tree.h | 3 ++-
12
xmlreader.c | 20 +++++++++++++++++++-
13
3 files changed, 63 insertions(+), 3 deletions(-)
15
diff --git a/buf.c b/buf.c
16
index 6efc7b6..07922ff 100644
20
#include <libxml/tree.h>
21
#include <libxml/globals.h>
22
#include <libxml/tree.h>
23
+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
26
#define WITH_BUFFER_COMPAT
27
@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
28
if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
29
(scheme == XML_BUFFER_ALLOC_EXACT) ||
30
(scheme == XML_BUFFER_ALLOC_HYBRID) ||
31
- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
32
+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
33
+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
36
buf->buffer->alloc = scheme;
37
@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
38
size = buf->use + len + 100;
41
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
43
+ * Used to provide parsing limits
45
+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
46
+ (buf->size >= XML_MAX_TEXT_LENGTH)) {
47
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
50
+ if (size >= XML_MAX_TEXT_LENGTH)
51
+ size = XML_MAX_TEXT_LENGTH;
53
if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
54
size_t start_buf = buf->content - buf->contentIO;
56
@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
59
if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
60
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
62
+ * Used to provide parsing limits
64
+ if (size >= XML_MAX_TEXT_LENGTH) {
65
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
70
/* Don't resize if we don't have to */
72
@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
74
needSize = buf->use + len + 2;
75
if (needSize > buf->size){
76
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
78
+ * Used to provide parsing limits
80
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
81
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
85
if (!xmlBufResize(buf, needSize)){
86
xmlBufMemoryError(buf, "growing buffer");
87
return XML_ERR_NO_MEMORY;
88
@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
90
needSize = buf->use + len + 2;
91
if (needSize > buf->size){
92
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
94
+ * Used to provide parsing limits
96
+ if (needSize >= XML_MAX_TEXT_LENGTH) {
97
+ xmlBufMemoryError(buf, "buffer error: text too long\n");
101
if (!xmlBufResize(buf, needSize)){
102
xmlBufMemoryError(buf, "growing buffer");
103
return XML_ERR_NO_MEMORY;
104
diff --git a/include/libxml/tree.h b/include/libxml/tree.h
105
index 2f90717..4a9b3bc 100644
106
--- a/include/libxml/tree.h
107
+++ b/include/libxml/tree.h
108
@@ -76,7 +76,8 @@ typedef enum {
109
XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
110
XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
111
XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
112
- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
113
+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
114
+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
115
} xmlBufferAllocationScheme;
118
diff --git a/xmlreader.c b/xmlreader.c
119
index f19e123..471e7e2 100644
122
@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
123
"xmlNewTextReader : malloc failed\n");
126
+ /* no operation on a reader should require a huge buffer */
127
+ xmlBufSetAllocationScheme(ret->buffer,
128
+ XML_BUFFER_ALLOC_BOUNDED);
129
ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
130
if (ret->sax == NULL) {
131
xmlBufFree(ret->buffer);
132
@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
133
return(((xmlNsPtr) node)->href);
134
case XML_ATTRIBUTE_NODE:{
135
xmlAttrPtr attr = (xmlAttrPtr) node;
136
+ const xmlChar *ret;
138
if ((attr->children != NULL) &&
139
(attr->children->type == XML_TEXT_NODE) &&
140
@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
141
"xmlTextReaderSetup : malloc failed\n");
144
+ xmlBufSetAllocationScheme(reader->buffer,
145
+ XML_BUFFER_ALLOC_BOUNDED);
147
xmlBufEmpty(reader->buffer);
148
xmlBufGetNodeContent(reader->buffer, node);
149
- return(xmlBufContent(reader->buffer));
150
+ ret = xmlBufContent(reader->buffer);
152
+ /* error on the buffer best to reallocate */
153
+ xmlBufFree(reader->buffer);
154
+ reader->buffer = xmlBufCreateSize(100);
155
+ xmlBufSetAllocationScheme(reader->buffer,
156
+ XML_BUFFER_ALLOC_BOUNDED);
163
@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
164
"xmlTextReaderSetup : malloc failed\n");
167
+ /* no operation on a reader should require a huge buffer */
168
+ xmlBufSetAllocationScheme(reader->buffer,
169
+ XML_BUFFER_ALLOC_BOUNDED);
170
if (reader->sax == NULL)
171
reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
172
if (reader->sax == NULL) {