File libxml2-CVE-2017-16932.patch of Package libxml2.37639
From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 25 Jul 2017 14:59:49 +0200
Subject: [PATCH] Detect infinite recursion in parameter entities
When expanding a parameter entity in a DTD, infinite recursion could
lead to an infinite loop or memory exhaustion.
Thanks to Wei Lei for the first of many reports.
Fixes bug 759579.
---
parser.c | 11 ++++++++++-
result/errors/759579.xml | 0
result/errors/759579.xml.err | 6 ++++++
result/errors/759579.xml.str | 7 +++++++
test/errors/759579.xml | 11 +++++++++++
5 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 result/errors/759579.xml
create mode 100644 result/errors/759579.xml.err
create mode 100644 result/errors/759579.xml.str
create mode 100644 test/errors/759579.xml
Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -2267,6 +2267,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlP
xmlGenericError(xmlGenericErrorContext,
"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
}
+ if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
+ (ctxt->inputNr > 1024)) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ while (ctxt->inputNr > 1)
+ xmlFreeInputStream(inputPop(ctxt));
+ return(-1);
+ }
ret = inputPush(ctxt, input);
if (ctxt->instate == XML_PARSER_EOF)
return(-1);
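Review bot: The limits in the new depth check, `ctxt->inputNr > 40` and `ctxt->inputNr > 1024`, are bare literals with no comment saying what they bound or that XML_PARSE_HUGE only raises the cap rather than removing it. A short comment above the `if` would help, for example `/* Cap nested entity inputs: 40 by default, 1024 with XML_PARSE_HUGE; deeper nesting is reported as an entity loop. */`. The `while` loop also frees every input above the base one, so it looks as though a caller that cached `ctxt->input` before the call must not use it after a -1 return; that is worth stating in the same comment. xmlPushInput starts and ends outside the hunk.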
@@ -8199,8 +8206,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctx
* c.f. http://www.w3.org/TR/REC-xml#as-PE
*/
input = xmlNewEntityInputStream(ctxt, entity);
- if (xmlPushInput(ctxt, input) < 0)
- return;
+ if (xmlPushInput(ctxt, input) < 0) {
+ xmlFreeInputStream(input);
+ return;
+ }
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
(IS_BLANK_CH(NXT(5)))) {
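Review bot: The added `xmlFreeInputStream(input);` runs on every negative return from xmlPushInput, but the xmlPushInput hunk shows a second `return(-1)` after `inputPush(ctxt, input)` when `ctxt->instate == XML_PARSER_EOF`. On that path the input has presumably already been placed on the context's input stack, so freeing it here would leave a dangling stack entry and risk a double free when the context is torn down. A single ownership rule would be safer: release the input inside xmlPushInput's new depth-limit branch (`xmlFreeInputStream(input);` before its `return(-1);`) so that -1 always means the input was consumed, and drop the free here. inputPush's own failure behaviour is not visible on this page and should be checked against that rule; xmlParsePEReference starts and ends outside the hunk.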