File libxml2-2.9.1-CVE-2016-3627.patch of Package libxml2.2406

Overview Repositories Revisions Requests Users Attributes Meta

File libxml2-2.9.1-CVE-2016-3627.patch of Package libxml2.2406

From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons@suse.com>
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
 recursions to avoid CVE-2016-3627

This patch prevents stack overflows like the one reported in
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
 tree.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Index: libxml2-2.9.1/tree.c
===================================================================
--- libxml2-2.9.1.orig/tree.c	2016-04-18 14:53:09.375753353 +0200
+++ libxml2-2.9.1/tree.c	2016-04-18 15:33:02.923379754 +0200
@@ -1459,6 +1459,8 @@ out:
     return(ret);
 }
 
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
 /**
  * xmlStringGetNodeList:
  * @doc:  the document
@@ -1470,6 +1472,11 @@ out:
  */
 xmlNodePtr
 xmlStringGetNodeList(xmlDocPtr doc, const xmlChar *value) {
+  return xmlStringGetNodeListInternal(doc, value, 0);
+}
+
+static xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
     xmlNodePtr ret = NULL, last = NULL;
     xmlNodePtr node;
     xmlChar *val;
@@ -1478,6 +1485,8 @@ xmlStringGetNodeList(xmlDocPtr doc, cons
     xmlEntityPtr ent;
     xmlBufPtr buf;
 
+    if (recursionLevel > 1024) return(NULL);
+
     if (value == NULL) return(NULL);
 
     buf = xmlBufCreateSize(0);
@@ -1588,8 +1597,9 @@ xmlStringGetNodeList(xmlDocPtr doc, cons
 			else if ((ent != NULL) && (ent->children == NULL)) {
 			    xmlNodePtr temp;
 
-			    ent->children = xmlStringGetNodeList(doc,
-				    (const xmlChar*)node->content);
+			    ent->children = xmlStringGetNodeListInternal(doc,
+				    (const xmlChar*)node->content,
+                                    recursionLevel+1);
 			    ent->owner = 1;
 			    temp = ent->children;
 			    while (temp) {

Places

File libxml2-2.9.1-CVE-2016-3627.patch of Package libxml2.2406

Places