~ubuntu-branches/ubuntu/wily/libxml2/wily

« back to all changes in this revision

Viewing changes to debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch

Committer: Package Import Robot
Author(s): Aron Xu
Date: 2015-09-22 16:31:48 UTC
mfrom: (43.2.12 sid)
Revision ID: package-import@ubuntu.com-20150922163148-di6xmyfvb20jmtq2

Tags: 2.9.2+zdfsg1-4

http://bugs.debian.org/754424

http://bugs.debian.org/781232

http://bugs.debian.org/798642

http://bugs.debian.org/768089

http://bugs.debian.org/766884

http://bugs.debian.org/782782

http://bugs.debian.org/783010

* Revert everything in N'ACKed NMU revert to 2.9.1.
  - Resolving regression, Closes: #754424
  - Drop the following NMU, not needed in 2.9.2, Closes: #781232
  - Drop not approved patch for GNOME #746048
* Revert icu dbg drop, but don't hardcode version,
  thanks Matthias Klose <doko>, Closes: #798642
* Cherry pick upstream post release patches:
  - Fix for regression triggered by CVE-2014-3660, Closes: #768089
  - Fix for the spurious ID already defined error, Closes: #766884
  - Fix for CVE-2015-1819, Closes: #782782
  - Fix for GNOME #744980, Closes: #783010
  - Several fixes for memory related issues.

files added:
.pc/0003-Revert-Missing-initialization-for-the-catalog-module.patch

.pc/0003-Revert-Missing-initialization-for-the-catalog-module.patch/parser.c

.pc/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch

.pc/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch/parser.c

.pc/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch

.pc/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch/tree.c

.pc/0006-Stop-parsing-on-entities-boundaries-errors.patch

.pc/0006-Stop-parsing-on-entities-boundaries-errors.patch/parser.c

.pc/0007-Cleanup-conditional-section-error-handling.patch

.pc/0007-Cleanup-conditional-section-error-handling.patch/parser.c

.pc/0008-Fix-order-of-root-nodes.patch

.pc/0008-Fix-order-of-root-nodes.patch/xpath.c

.pc/0009-xmlMemUsed-is-not-thread-safe.patch

.pc/0009-xmlMemUsed-is-not-thread-safe.patch/xmlmemory.c

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch/buf.c

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch/include

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch/include/libxml

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch/include/libxml/tree.h

.pc/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch/xmlreader.c

.pc/0011-Do-not-process-encoding-values-if-the-declaration-if.patch

.pc/0011-Do-not-process-encoding-values-if-the-declaration-if.patch/parser.c

.pc/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch

.pc/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch/parser.c

.pc/0013-Fix-a-self-assignment-issue-raised-by-clang.patch

.pc/0013-Fix-a-self-assignment-issue-raised-by-clang.patch/xmlschemas.c

.pc/0014-Fix-previous-change-to-node-sort-order.patch

.pc/0014-Fix-previous-change-to-node-sort-order.patch/xpath.c

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/result

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/result/valid

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/result/valid/737840.xml

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/test

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/test/valid

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/test/valid/737840.xml

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/test/valid/dtds

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/test/valid/dtds/737840.ent

.pc/0015-Fix-the-spurious-ID-already-defined-error.patch/valid.c

debian/patches/0003-Revert-Missing-initialization-for-the-catalog-module.patch

debian/patches/0004-Fix-missing-entities-after-CVE-2014-3660-fix.patch

debian/patches/0005-Account-for-ID-attributes-in-xmlSetTreeDoc.patch

debian/patches/0006-Stop-parsing-on-entities-boundaries-errors.patch

debian/patches/0007-Cleanup-conditional-section-error-handling.patch

debian/patches/0008-Fix-order-of-root-nodes.patch

debian/patches/0009-xmlMemUsed-is-not-thread-safe.patch

debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch

debian/patches/0011-Do-not-process-encoding-values-if-the-declaration-if.patch

debian/patches/0012-Fail-parsing-early-on-if-encoding-conversion-failed.patch

debian/patches/0013-Fix-a-self-assignment-issue-raised-by-clang.patch

debian/patches/0014-Fix-previous-change-to-node-sort-order.patch

debian/patches/0015-Fix-the-spurious-ID-already-defined-error.patch

files removed:
.pc/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch

.pc/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch/parser.c

.pc/fix-spurious-ID-already-defined-error.diff

.pc/fix-spurious-ID-already-defined-error.diff/result

.pc/fix-spurious-ID-already-defined-error.diff/result/valid

.pc/fix-spurious-ID-already-defined-error.diff/result/valid/737840.xml

.pc/fix-spurious-ID-already-defined-error.diff/test

.pc/fix-spurious-ID-already-defined-error.diff/test/valid

.pc/fix-spurious-ID-already-defined-error.diff/test/valid/737840.xml

.pc/fix-spurious-ID-already-defined-error.diff/test/valid/dtds

.pc/fix-spurious-ID-already-defined-error.diff/test/valid/dtds/737840.ent

.pc/fix-spurious-ID-already-defined-error.diff/valid.c

debian/patches/0003-Fix-missing-entities-after-CVE-2014-3660-fix.patch

debian/patches/fix-spurious-ID-already-defined-error.diff

files modified:
.pc/applied-patches

buf.c

debian/changelog

debian/control

debian/patches/series

debian/rules

include/libxml/tree.h

parser.c

tree.c

xmlmemory.c

xmlreader.c

xmlschemas.c

xpath.c

Show diffs side-by-side

added added

removed removed

debian/patches/0010-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch

From: Daniel Veillard <veillard@redhat.com>

Date: Tue, 14 Apr 2015 17:41:48 +0800

Subject: CVE-2015-1819 Enforce the reader to run in constant memory

One of the operation on the reader could resolve entities

leading to the classic expansion issue. Make sure the

buffer used for xmlreader operation is bounded.

Introduce a new allocation type for the buffers for this effect.

---

buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-

include/libxml/tree.h | 3 ++-

xmlreader.c | 20 +++++++++++++++++++-

3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/buf.c b/buf.c

index 6efc7b6..07922ff 100644

--- a/buf.c

+++ b/buf.c

@@ -27,6 +27,7 @@

#include <libxml/tree.h>

#include <libxml/globals.h>

#include <libxml/tree.h>

+#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */

#include "buf.h"

#define WITH_BUFFER_COMPAT

@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,

if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||

(scheme == XML_BUFFER_ALLOC_EXACT) ||

(scheme == XML_BUFFER_ALLOC_HYBRID) ||

- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {

+ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||

+ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {

buf->alloc = scheme;

if (buf->buffer)

buf->buffer->alloc = scheme;

@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {

size = buf->use + len + 100;

#endif

+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+ /*

+ * Used to provide parsing limits

+ */

+ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||

+ (buf->size >= XML_MAX_TEXT_LENGTH)) {

+ xmlBufMemoryError(buf, "buffer error: text too long\n");

+ return(0);

+ }

+ if (size >= XML_MAX_TEXT_LENGTH)

+ size = XML_MAX_TEXT_LENGTH;

+ }

if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {

size_t start_buf = buf->content - buf->contentIO;

@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)

CHECK_COMPAT(buf)

if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);

+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+ /*

+ * Used to provide parsing limits

+ */

+ if (size >= XML_MAX_TEXT_LENGTH) {

+ xmlBufMemoryError(buf, "buffer error: text too long\n");

+ return(0);

+ }

/* Don't resize if we don't have to */

if (size < buf->size)

@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {

needSize = buf->use + len + 2;

if (needSize > buf->size){

+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+ /*

+ * Used to provide parsing limits

+ */

+ if (needSize >= XML_MAX_TEXT_LENGTH) {

+ xmlBufMemoryError(buf, "buffer error: text too long\n");

+ return(-1);

+ }

if (!xmlBufResize(buf, needSize)){

xmlBufMemoryError(buf, "growing buffer");

return XML_ERR_NO_MEMORY;

@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {

}

needSize = buf->use + len + 2;

if (needSize > buf->size){

+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

+ /*

+ * Used to provide parsing limits

+ */

+ if (needSize >= XML_MAX_TEXT_LENGTH) {

+ xmlBufMemoryError(buf, "buffer error: text too long\n");

+ return(-1);

+ }

100

+ }

101

if (!xmlBufResize(buf, needSize)){

102

xmlBufMemoryError(buf, "growing buffer");

103

return XML_ERR_NO_MEMORY;

104

diff --git a/include/libxml/tree.h b/include/libxml/tree.h

105

index 2f90717..4a9b3bc 100644

106

--- a/include/libxml/tree.h

107

+++ b/include/libxml/tree.h

108

@@ -76,7 +76,8 @@ typedef enum {

109

XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */

110

XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */

111

XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */

112

- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */

113

+ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */

114

+ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */

115

} xmlBufferAllocationScheme;

116

117

/**

118

diff --git a/xmlreader.c b/xmlreader.c

119

index f19e123..471e7e2 100644

120

--- a/xmlreader.c

121

+++ b/xmlreader.c

122

@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {

123

"xmlNewTextReader : malloc failed\n");

124

return(NULL);

125

}

126

+ /* no operation on a reader should require a huge buffer */

127

+ xmlBufSetAllocationScheme(ret->buffer,

128

+ XML_BUFFER_ALLOC_BOUNDED);

129

ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

130

if (ret->sax == NULL) {

131

xmlBufFree(ret->buffer);

132

@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

133

return(((xmlNsPtr) node)->href);

134

case XML_ATTRIBUTE_NODE:{

135

xmlAttrPtr attr = (xmlAttrPtr) node;

136

+ const xmlChar *ret;

137

138

if ((attr->children != NULL) &&

139

(attr->children->type == XML_TEXT_NODE) &&

140

@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

141

"xmlTextReaderSetup : malloc failed\n");

142

return (NULL);

143

}

144

+ xmlBufSetAllocationScheme(reader->buffer,

145

+ XML_BUFFER_ALLOC_BOUNDED);

146

} else

147

xmlBufEmpty(reader->buffer);

148

xmlBufGetNodeContent(reader->buffer, node);

149

- return(xmlBufContent(reader->buffer));

150

+ ret = xmlBufContent(reader->buffer);

151

+ if (ret == NULL) {

152

+ /* error on the buffer best to reallocate */

153

+ xmlBufFree(reader->buffer);

154

+ reader->buffer = xmlBufCreateSize(100);

155

+ xmlBufSetAllocationScheme(reader->buffer,

156

+ XML_BUFFER_ALLOC_BOUNDED);

157

+ ret = BAD_CAST "";

158

+ }

159

+ return(ret);

160

}

161

break;

162

}

163

@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,

164

"xmlTextReaderSetup : malloc failed\n");

165

return (-1);

166

}

167

+ /* no operation on a reader should require a huge buffer */

168

+ xmlBufSetAllocationScheme(reader->buffer,

169

+ XML_BUFFER_ALLOC_BOUNDED);

170

if (reader->sax == NULL)

171

reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

172

if (reader->sax == NULL) {

Older »