File expat-CVE-2022-25236.patch of Package expat.26154

From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sat, 12 Feb 2022 00:19:13 +0100
Subject: [PATCH 1/4] lib: Fix (harmless) use of uninitialized memory

---
 expat/lib/xmlparse.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c
+++ expat-2.1.0/lib/xmlparse.c
@@ -683,8 +683,7 @@ XML_ParserCreate(const XML_Char *encodin
 XML_Parser XMLCALL
 XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
 {
-  XML_Char tmp[2];
-  *tmp = nsSep;
+  XML_Char tmp[2] = {nsSep, 0};
   return XML_ParserCreate_MM(encodingName, NULL, tmp);
 }
 
@@ -1075,8 +1074,7 @@ XML_ExternalEntityParserCreate(XML_Parse
      would be otherwise.
   */
   if (ns) {
-    XML_Char tmp[2];
-    *tmp = namespaceSeparator;
+    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
   }
   else {
@@ -3254,6 +3252,17 @@ addBinding(XML_Parser parser, PREFIX *pr
     if (!mustBeXML && isXMLNS
         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
       isXMLNS = XML_FALSE;
+    
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+    //       we have to at least make sure that the XML processor on top of
+    //       Expat (that is splitting tag names by namespace separator into
+    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+    //       by an attacker putting additional namespace separator characters
+    //       into namespace declarations.  That would be ambiguous and not to
+    //       be expected.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+      return XML_ERROR_SYNTAX;
+    }
   }
   isXML = isXML && len == xmlLen;
   isXMLNS = isXMLNS && len == xmlnsLen;
Index: expat-2.1.0/tests/runtests.c
===================================================================
--- expat-2.1.0.orig/tests/runtests.c
+++ expat-2.1.0/tests/runtests.c
@@ -1550,6 +1550,35 @@ START_TEST(test_ns_unbound_prefix_on_ele
 }
 END_TEST
 
+START_TEST(test_ns_separator_in_uri) {
+  struct test_case {
+    enum XML_Status expectedStatus;
+    const char *doc;
+  };
+  struct test_case cases[] = {
+      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
+      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+  };
+
+  size_t i = 0;
+  size_t failCount = 0;
+  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
+    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+    XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+    if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+                  /*isFinal*/ XML_TRUE)
+        != cases[i].expectedStatus) {
+      failCount++;
+    }
+    XML_ParserFree(parser);
+  }
+
+  if (failCount) {
+    fail("Namespace separator handling is broken");
+  }
+}
+END_TEST
+
 /* Test for signed integer overflow CVE-2022-23852 */
 #if defined(XML_CONTEXT_BYTES)
 START_TEST(test_get_buffer_3_overflow) {
@@ -1645,6 +1674,7 @@ make_suite(void)
     tcase_add_test(tc_namespace, test_ns_duplicate_attrs_diff_prefixes);
     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute);
     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
+    tcase_add_test(tc_namespace, test_ns_separator_in_uri);
 
 #if defined(XML_CONTEXT_BYTES)
     tcase_add_test(tc_basic, test_get_buffer_3_overflow);