File Fix-for-CVE-2021-26221-ezxml-bug-21.patch of Package netcdf.21642
From: Egbert Eich <eich@suse.com>
Date: Mon Oct 25 15:44:54 2021 +0200
Subject: Fix for CVE-2021-26221 / ezxml bug 21
Patch-mainline: Not yet
Git-commit: 9c8180f466dc672dc5fd7ce8513bb4994ad84364
References:
Make sure malloc() succeeds.
This fixes
https://sourceforge.net/p/ezxml/bugs/21/
Signed-off-by: Egbert Eich <eich@suse.com>
---
libdap4/ezxml.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libdap4/ezxml.c b/libdap4/ezxml.c
index 17b2eb8..fb470df 100644
--- a/libdap4/ezxml.c
+++ b/libdap4/ezxml.c
@@ -485,6 +485,7 @@ ezxml_t ezxml_parse_str(char *s, size_t len)
char q, e, *d, **attr, **a = NULL; /* initialize a to avoid compile warning*/
int l, i, j;
+ if (!root) return NULL; // bug#21 / CVE-2021-26221
root->m = s;
if (! len) return ezxml_err(root, NULL, "root tag missing");
root->u = ezxml_str2utf8(&s, &len); /* convert utf-16 to utf-8*/
@@ -806,8 +807,9 @@ ezxml_t ezxml_new(const char *name)
{
static char *ent[] = { "lt;", "<", "gt;", ">", "quot;", """,
"apos;", "'", "amp;", "&", NULL };
- ezxml_root_t root = (ezxml_root_t)memset(malloc(sizeof(struct ezxml_root)),
- '\0', sizeof(struct ezxml_root));
+ ezxml_root_t root;
+ if (!(root = malloc(sizeof(struct ezxml_root)))) return NULL; // bug#21
+ root = (ezxml_root_t)memset(root, '\0', sizeof(struct ezxml_root));
root->xml.name = (char *)name;
root->cur = &root->xml;
strcpy(root->err, root->xml.txt = "");