File libxml2-2.9.1-CVE-2015-8317.patch of Package libxml2.2672
From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 29 Jun 2015 09:08:25 +0800
Subject: Do not process encoding values if the declaration if broken
CVE-2015-8317
For https://bugzilla.gnome.org/show_bug.cgi?id=751603
If the string is not properly terminated do not try to convert
to the given encoding.
From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Mon, 29 Jun 2015 16:10:26 +0800
Subject: Fail parsing early on if encoding conversion failed
For https://bugzilla.gnome.org/show_bug.cgi?id=751631
If we fail conversing the current input stream while
processing the encoding declaration of the XMLDecl
then it's safer to just abort there and not try to
report further errors.
---
parser.c | 4 ++++
1 file changed, 4 insertions(+)
Index: libxml2-2.9.1/parser.c
===================================================================
--- libxml2-2.9.1.orig/parser.c
+++ libxml2-2.9.1/parser.c
@@ -10347,6 +10347,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ct
encoding = xmlParseEncName(ctxt);
if (RAW != '"') {
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
+ xmlFree((xmlChar *) encoding);
+ return(NULL);
} else
NEXT;
} else if (RAW == '\''){
@@ -10354,6 +10356,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ct
encoding = xmlParseEncName(ctxt);
if (RAW != '\'') {
xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL);
+ xmlFree((xmlChar *) encoding);
+ return(NULL);
} else
NEXT;
} else {
@@ -10408,7 +10412,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ct
handler = xmlFindCharEncodingHandler((const char *) encoding);
if (handler != NULL) {
- xmlSwitchToEncoding(ctxt, handler);
+ if (xmlSwitchToEncoding(ctxt, handler) < 0) {
+ /* failed to convert */
+ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING;
+ return(NULL);
+ }
} else {
xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING,
"Unsupported encoding %s\n", encoding);