File expat-CVE-2022-25314-before.patch of Package expat.35320
From 196bea60b1ef161d6a2957e6ddab00e2cb6c60ec Mon Sep 17 00:00:00 2001
From: Rhodri James <rhodri@kynesim.co.uk>
Date: Mon, 3 Jul 2017 17:47:00 +0100
Subject: [PATCH] Fix protocolEncodingName. (pull request #70)
Ensure that protocolEncodingName is always either NULL or points
to the correct encoding for the parser, even if the parser is
reset.
---
expat/lib/xmlparse.c | 46 ++++++++++++++++++++++++++++++++++++++++----
1 file changed, 42 insertions(+), 4 deletions(-)
Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c
+++ expat-2.1.0/lib/xmlparse.c
@@ -439,6 +439,9 @@ static ELEMENT_TYPE *
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
+static XML_Char *copyString(const XML_Char *s,
+ const XML_Memory_Handling_Suite *memsuite);
+
static unsigned long generate_hash_secret_salt(XML_Parser parser);
static XML_Bool startParsing(XML_Parser parser);
@@ -848,6 +851,8 @@ parserCreate(const XML_Char *encodingNam
nsAttsVersion = 0;
nsAttsPower = 0;
+ protocolEncodingName = NULL;
+
poolInit(&tempPool, &(parser->m_mem));
poolInit(&temp2Pool, &(parser->m_mem));
parserInit(parser, encodingName);
@@ -874,9 +879,9 @@ parserInit(XML_Parser parser, const XML_
{
processor = prologInitProcessor;
XmlPrologStateInit(&prologState);
- protocolEncodingName = (encodingName != NULL
- ? poolCopyString(&tempPool, encodingName)
- : NULL);
+ if (encodingName != NULL) {
+ protocolEncodingName = copyString(encodingName, &(parser->m_mem));
+ }
curBase = NULL;
XmlInitEncoding(&initEncoding, &encoding, 0);
userData = NULL;
@@ -985,6 +990,8 @@ XML_ParserReset(XML_Parser parser, const
unknownEncodingRelease(unknownEncodingData);
poolClear(&tempPool);
poolClear(&temp2Pool);
+ FREE((void *)protocolEncodingName);
+ protocolEncodingName = NULL;
parserInit(parser, encodingName);
dtdReset(_dtd, &parser->m_mem);
return XML_TRUE;
@@ -999,10 +1006,16 @@ XML_SetEncoding(XML_Parser parser, const
*/
if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)
return XML_STATUS_ERROR;
+
+ /* Get rid of any previous encoding name */
+ FREE((void *)protocolEncodingName);
+
if (encodingName == NULL)
+ /* No new encoding name */
protocolEncodingName = NULL;
else {
- protocolEncodingName = poolCopyString(&tempPool, encodingName);
+ /* Copy the new encoding name into allocated memory */
+ protocolEncodingName = copyString(encodingName, &(parser->m_mem));
if (!protocolEncodingName)
return XML_STATUS_ERROR;
}
@@ -1200,6 +1213,7 @@ XML_ParserFree(XML_Parser parser)
destroyBindings(inheritedBindings, parser);
poolDestroy(&tempPool);
poolDestroy(&temp2Pool);
+ FREE((void *)protocolEncodingName);
#ifdef XML_DTD
/* external parameter entity parsers share the DTD structure
parser->m_dtd with the root parser, so we must not destroy it
@@ -3583,6 +3597,7 @@ initializeEncoding(XML_Parser parser)
const char *s;
#ifdef XML_UNICODE
char encodingBuf[128];
+ /* See comments abount `protoclEncodingName` in parserInit() */
if (!protocolEncodingName)
s = NULL;
else {
@@ -6754,3 +6769,26 @@ getElementType(XML_Parser parser,
}
return ret;
}
+
+static XML_Char *
+copyString(const XML_Char *s,
+ const XML_Memory_Handling_Suite *memsuite)
+{
+ int charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
+ while (s[charsRequired] != 0) {
+ charsRequired++;
+ }
+ /* Include the terminator */
+ charsRequired++;
+
+ /* Now allocate space for the copy */
+ result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char));
+ if (result == NULL)
+ return NULL;
+ /* Copy the original into place */
+ memcpy(result, s, charsRequired * sizeof(XML_Char));
+ return result;
+}
