File libxml2-2.9.1-CVE-2015-7499.patch of Package libxml2.2672
From 28cd9cb747a94483f4aea7f0968d202c20bb4cfc Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 14:55:30 +0800
Subject: Add xmlHaltParser() to stop the parser
The problem is doing it in a consistent and safe fashion
It's more complex than just setting ctxt->instate = XML_PARSER_EOF
Update the public function to reuse that new internal routine
From 35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Fri, 20 Nov 2015 15:04:09 +0800
Subject: Detect incoherency on GROW
the current pointer to the input has to be between the base and end
if not stop everything we have an internal state error.
Index: libxml2-2.9.1/parser.c
===================================================================
--- libxml2-2.9.1.orig/parser.c
+++ libxml2-2.9.1/parser.c
@@ -94,6 +94,8 @@ static xmlParserCtxtPtr
xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
const xmlChar *base, xmlParserCtxtPtr pctx);
+static void xmlHaltParser(xmlParserCtxtPtr ctxt);
+
/************************************************************************
* *
* Arbitrary limits set in the parser. See XML_PARSE_HUGE *
@@ -2070,9 +2072,16 @@ static void xmlGROW (xmlParserCtxtPtr ct
((ctxt->input->buf) && (ctxt->input->buf->readcallback != (xmlInputReadCallback) xmlNop)) &&
((ctxt->options & XML_PARSE_HUGE) == 0)) {
xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
- ctxt->instate = XML_PARSER_EOF;
+ xmlHaltParser(ctxt);
+ return;
}
xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ if ((ctxt->input->cur > ctxt->input->end) ||
+ (ctxt->input->cur < ctxt->input->base)) {
+ xmlHaltParser(ctxt);
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "cur index out of bound");
+ return;
+ }
if ((ctxt->input->cur != NULL) && (*ctxt->input->cur == 0) &&
(xmlParserInputGrow(ctxt->input, INPUT_CHUNK) <= 0))
xmlPopInput(ctxt);
@@ -12542,25 +12551,47 @@ xmlCreatePushParserCtxt(xmlSAXHandlerPtr
#endif /* LIBXML_PUSH_ENABLED */
/**
- * xmlStopParser:
+ * xmlHaltParser:
* @ctxt: an XML parser context
*
- * Blocks further parser processing
+ * Blocks further parser processing don't override error
+ * for internal use
*/
-void
-xmlStopParser(xmlParserCtxtPtr ctxt) {
+static void
+xmlHaltParser(xmlParserCtxtPtr ctxt) {
if (ctxt == NULL)
return;
ctxt->instate = XML_PARSER_EOF;
- ctxt->errNo = XML_ERR_USER_STOP;
ctxt->disableSAX = 1;
if (ctxt->input != NULL) {
+ /*
+ * in case there was a specific allocation deallocate before
+ * overriding base
+ */
+ if (ctxt->input->free != NULL) {
+ ctxt->input->free((xmlChar *) ctxt->input->base);
+ ctxt->input->free = NULL;
+ }
ctxt->input->cur = BAD_CAST"";
ctxt->input->base = ctxt->input->cur;
}
}
/**
+ * xmlStopParser:
+ * @ctxt: an XML parser context
+ *
+ * Blocks further parser processing
+ */
+void
+xmlStopParser(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL)
+ return;
+ xmlHaltParser(ctxt);
+ ctxt->errNo = XML_ERR_USER_STOP;
+}
+
+/**
* xmlCreateIOParserCtxt:
* @sax: a SAX handler
* @user_data: The user data returned on SAX callbacks