File libxml2-CVE-2016-9318.patch of Package libxml2.24046
From ad88b54f1a28a8565964a370b5d387927b633c0d Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 8 Dec 2017 09:42:31 +0100
Subject: [PATCH] Improve handling of context input_id
For https://bugzilla.gnome.org/show_bug.cgi?id=772726
This was used in xmlsec to detect issues with accessing external entities
and prevent them, but was unreliable, based on a patch from Aleksey Sanin
* parser.c: make sure input_id is incremented when creating sub-entities
for parsing or when parsing out of context
---
parser.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/parser.c b/parser.c
index 51264e6f..a30dd18e 100644
--- a/parser.c
+++ b/parser.c
@@ -13364,6 +13364,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
ctxt->userData = ctxt;
if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
ctxt->dict = oldctxt->dict;
+ ctxt->input_id = oldctxt->input_id + 1;
ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
@@ -13617,6 +13618,7 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
xmlDetectSAX2(ctxt);
ctxt->myDoc = doc;
/* parsing in context, i.e. as within existing content */
+ ctxt->input_id = 2;
ctxt->instate = XML_PARSER_CONTENT;
fake = xmlNewComment(NULL);
@@ -13829,6 +13831,7 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
newDoc->oldNs = doc->oldNs;
}
ctxt->instate = XML_PARSER_CONTENT;
+ ctxt->input_id = 2;
ctxt->depth = depth;
/*
@@ -13989,6 +13992,11 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
if (pctx != NULL) {
ctxt->options = pctx->options;
ctxt->_private = pctx->_private;
+ /*
+ * this is a subparser of pctx, so the input_id should be
+ * incremented to distinguish from main entity
+ */
+ ctxt->input_id = pctx->input_id + 1;
}
uri = xmlBuildURI(URL, base);
--
2.18.1
