File libxml2-2.9.1-CVE-2016-3627.patch of Package libxml2.2672
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
recursions to avoid CVE-2016-3627
This patch prevents stack overflows like the one reported in
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
tree.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Index: libxml2-2.9.1/tree.c
===================================================================
--- libxml2-2.9.1.orig/tree.c 2016-04-18 14:53:09.375753353 +0200
+++ libxml2-2.9.1/tree.c 2016-04-18 15:33:02.923379754 +0200
@@ -1459,6 +1459,8 @@ out:
return(ret);
}
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
/**
* xmlStringGetNodeList:
* @doc: the document
@@ -1470,6 +1472,11 @@ out:
*/
xmlNodePtr
xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) {
+ return xmlStringGetNodeListInternal(doc, value, 0);
+}
+
+static xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
xmlNodePtr ret = NULL, last = NULL;
xmlNodePtr node;
xmlChar *val;
@@ -1478,6 +1485,8 @@ xmlStringGetNodeList(xmlDocPtr doc, cons
xmlEntityPtr ent;
xmlBufPtr buf;
+ if (recursionLevel > 1024) return(NULL);
+
if (value == NULL) return(NULL);
buf = xmlBufCreateSize(0);
@@ -1588,8 +1597,9 @@ xmlStringGetNodeList(xmlDocPtr doc, cons
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
- ent->children = xmlStringGetNodeList(doc,
- (const xmlChar*)node->content);
+ ent->children = xmlStringGetNodeListInternal(doc,
+ (const xmlChar*)node->content,
+ recursionLevel+1);
ent->owner = 1;
temp = ent->children;
while (temp) {