Compare commits
No commits in common. 'i9c-beta' and 'c9' have entirely different histories.
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,172 @@
|
||||
commit cd3b344e0dbd19a812d0b4f34f9d089ed7c5c411
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Tue Mar 19 15:12:18 2024 +0100
|
||||
|
||||
Fix CVE-2024-28757
|
||||
|
||||
Upstream PRs #841 and #842
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 2ae64e9..0896b16 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -6164,7 +6164,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
|
||||
dtd->keepProcessing = dtd->standalone;
|
||||
goto endEntityValue;
|
||||
}
|
||||
- if (entity->open) {
|
||||
+ if (entity->open || (entity == parser->m_declEntity)) {
|
||||
if (enc == parser->m_encoding)
|
||||
parser->m_eventPtr = entityTextPtr;
|
||||
result = XML_ERROR_RECURSIVE_ENTITY_REF;
|
||||
@@ -7680,6 +7680,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
|
||||
|
||||
static float
|
||||
accountingGetCurrentAmplification(XML_Parser rootParser) {
|
||||
+ // 1.........1.........12 => 22
|
||||
+ const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1;
|
||||
const XmlBigCount countBytesOutput
|
||||
= rootParser->m_accounting.countBytesDirect
|
||||
+ rootParser->m_accounting.countBytesIndirect;
|
||||
@@ -7687,7 +7689,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) {
|
||||
= rootParser->m_accounting.countBytesDirect
|
||||
? (countBytesOutput
|
||||
/ (float)(rootParser->m_accounting.countBytesDirect))
|
||||
- : 1.0f;
|
||||
+ : ((lenOfShortestInclude
|
||||
+ + rootParser->m_accounting.countBytesIndirect)
|
||||
+ / (float)lenOfShortestInclude);
|
||||
assert(! rootParser->m_parentParser);
|
||||
return amplificationFactor;
|
||||
}
|
||||
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
|
||||
index 941f61d..93adc45 100644
|
||||
--- a/expat/tests/runtests.c
|
||||
+++ b/expat/tests/runtests.c
|
||||
@@ -1788,6 +1788,48 @@ START_TEST(test_wfc_no_recursive_entity_refs) {
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST(test_recursive_external_parameter_entity_2) {
|
||||
+ struct TestCase {
|
||||
+ const char *doc;
|
||||
+ enum XML_Status expectedStatus;
|
||||
+ };
|
||||
+
|
||||
+ struct TestCase cases[] = {
|
||||
+ {"<!ENTITY % p1 '%p1;'>", XML_STATUS_ERROR},
|
||||
+ {"<!ENTITY % p1 '%p1;'>"
|
||||
+ "<!ENTITY % p1 'first declaration wins'>",
|
||||
+ XML_STATUS_ERROR},
|
||||
+ {"<!ENTITY % p1 'first declaration wins'>"
|
||||
+ "<!ENTITY % p1 '%p1;'>",
|
||||
+ XML_STATUS_OK},
|
||||
+ {"<!ENTITY % p1 '%p1;'>", XML_STATUS_OK},
|
||||
+ };
|
||||
+
|
||||
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
|
||||
+ const char *const doc = cases[i].doc;
|
||||
+ const enum XML_Status expectedStatus = cases[i].expectedStatus;
|
||||
+
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+ assert_true(parser != NULL);
|
||||
+
|
||||
+ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
|
||||
+ assert_true(ext_parser != NULL);
|
||||
+
|
||||
+ const enum XML_Status actualStatus
|
||||
+ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, (int)strlen(doc), XML_TRUE);
|
||||
+
|
||||
+ assert_true(actualStatus == expectedStatus);
|
||||
+ if (actualStatus != XML_STATUS_OK) {
|
||||
+ assert_true(XML_GetErrorCode(ext_parser)
|
||||
+ == XML_ERROR_RECURSIVE_ENTITY_REF);
|
||||
+ }
|
||||
+
|
||||
+ XML_ParserFree(ext_parser);
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
/* Test incomplete external entities are faulted */
|
||||
START_TEST(test_ext_entity_invalid_parse) {
|
||||
const char *text = "<!DOCTYPE doc [\n"
|
||||
@@ -12719,6 +12761,60 @@ START_TEST(test_helper_unsigned_char_to_printable) {
|
||||
fail("unsignedCharToPrintable result mistaken");
|
||||
}
|
||||
END_TEST
|
||||
+
|
||||
+START_TEST(test_amplification_isolated_external_parser) {
|
||||
+ // NOTE: Length 44 is precisely twice the length of "<!ENTITY a SYSTEM 'b'>"
|
||||
+ // (22) that is used in function accountingGetCurrentAmplification in
|
||||
+ // xmlparse.c.
|
||||
+ // 1.........1.........1.........1.........1..4 => 44
|
||||
+ const char doc[] = "<!ENTITY % p1 '123456789_123456789_1234567'>";
|
||||
+ const int docLen = (int)sizeof(doc) - 1;
|
||||
+ const float maximumToleratedAmplification = 2.0f;
|
||||
+
|
||||
+ struct TestCase {
|
||||
+ int offsetOfThreshold;
|
||||
+ enum XML_Status expectedStatus;
|
||||
+ };
|
||||
+
|
||||
+ struct TestCase cases[] = {
|
||||
+ {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR},
|
||||
+ {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK},
|
||||
+ };
|
||||
+
|
||||
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
|
||||
+ const int offsetOfThreshold = cases[i].offsetOfThreshold;
|
||||
+ const enum XML_Status expectedStatus = cases[i].expectedStatus;
|
||||
+ const unsigned long long activationThresholdBytes
|
||||
+ = docLen + offsetOfThreshold;
|
||||
+
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+ assert_true(parser != NULL);
|
||||
+
|
||||
+ assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification(
|
||||
+ parser, maximumToleratedAmplification)
|
||||
+ == XML_TRUE);
|
||||
+ assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold(
|
||||
+ parser, activationThresholdBytes)
|
||||
+ == XML_TRUE);
|
||||
+
|
||||
+ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
|
||||
+ assert_true(ext_parser != NULL);
|
||||
+
|
||||
+ const enum XML_Status actualStatus
|
||||
+ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE);
|
||||
+
|
||||
+ assert_true(actualStatus == expectedStatus);
|
||||
+ if (actualStatus != XML_STATUS_OK) {
|
||||
+ assert_true(XML_GetErrorCode(ext_parser)
|
||||
+ == XML_ERROR_AMPLIFICATION_LIMIT_BREACH);
|
||||
+ }
|
||||
+
|
||||
+ XML_ParserFree(ext_parser);
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
#endif // defined(XML_DTD)
|
||||
|
||||
static Suite *
|
||||
@@ -12871,6 +12967,8 @@ make_suite(void) {
|
||||
tcase_add_test__ifdef_xml_dtd(tc_basic, test_skipped_parameter_entity);
|
||||
tcase_add_test__ifdef_xml_dtd(tc_basic,
|
||||
test_recursive_external_parameter_entity);
|
||||
+ tcase_add_test__ifdef_xml_dtd(tc_basic,
|
||||
+ test_recursive_external_parameter_entity_2);
|
||||
tcase_add_test(tc_basic, test_undefined_ext_entity_in_external_dtd);
|
||||
tcase_add_test(tc_basic, test_suspend_xdecl);
|
||||
tcase_add_test(tc_basic, test_abort_epilog);
|
||||
@@ -13120,6 +13218,7 @@ make_suite(void) {
|
||||
tcase_add_test(tc_accounting, test_accounting_precision);
|
||||
tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api);
|
||||
tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable);
|
||||
+ tcase_add_test(tc_accounting, test_amplification_isolated_external_parser);
|
||||
#endif
|
||||
|
||||
return s;
|
||||
@ -0,0 +1,129 @@
|
||||
commit 05d87eb116ddde35bfa4e4c1d2ec7bcbda38c09b
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Wed Sep 11 13:48:58 2024 +0200
|
||||
|
||||
Fix CVE-2024-45490
|
||||
|
||||
https://github.com/libexpat/libexpat/pull/890
|
||||
|
||||
diff --git a/expat/doc/reference.html b/expat/doc/reference.html
|
||||
index a10f3cb..d618bd8 100644
|
||||
--- a/expat/doc/reference.html
|
||||
+++ b/expat/doc/reference.html
|
||||
@@ -1098,7 +1098,9 @@ containing part (or perhaps all) of the document. The number of bytes of s
|
||||
that are part of the document is indicated by <code>len</code>. This means
|
||||
that <code>s</code> doesn't have to be null terminated. It also means that
|
||||
if <code>len</code> is larger than the number of bytes in the block of
|
||||
-memory that <code>s</code> points at, then a memory fault is likely. The
|
||||
+memory that <code>s</code> points at, then a memory fault is likely.
|
||||
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
|
||||
+The
|
||||
<code>isFinal</code> parameter informs the parser that this is the last
|
||||
piece of the document. Frequently, the last piece is empty (i.e.
|
||||
<code>len</code> is zero.)
|
||||
@@ -1114,11 +1116,17 @@ XML_ParseBuffer(XML_Parser p,
|
||||
int isFinal);
|
||||
</pre>
|
||||
<div class="fcndef">
|
||||
+<p>
|
||||
This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
|
||||
except in this case Expat provides the buffer. By obtaining the
|
||||
buffer from Expat with the <code><a href= "#XML_GetBuffer"
|
||||
>XML_GetBuffer</a></code> function, the application can avoid double
|
||||
copying of the input.
|
||||
+</p>
|
||||
+
|
||||
+<p>
|
||||
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
|
||||
+</p>
|
||||
</div>
|
||||
|
||||
<h4 id="XML_GetBuffer">XML_GetBuffer</h4>
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 0896b16..f54e258 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -1998,6 +1998,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
|
||||
|
||||
if (parser == NULL)
|
||||
return XML_STATUS_ERROR;
|
||||
+
|
||||
+ if (len < 0) {
|
||||
+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
|
||||
+ return XML_STATUS_ERROR;
|
||||
+ }
|
||||
+
|
||||
switch (parser->m_parsingStatus.parsing) {
|
||||
case XML_SUSPENDED:
|
||||
parser->m_errorCode = XML_ERROR_SUSPENDED;
|
||||
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
|
||||
index 93adc45..ed88f9f 100644
|
||||
--- a/expat/tests/runtests.c
|
||||
+++ b/expat/tests/runtests.c
|
||||
@@ -3856,6 +3856,57 @@ START_TEST(test_empty_parse) {
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+/* Test XML_Parse for len < 0 */
|
||||
+START_TEST(test_negative_len_parse) {
|
||||
+ const char *const doc = "<root/>";
|
||||
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||
+ fail("There was not supposed to be any initial parse error.");
|
||||
+
|
||||
+ const enum XML_Status status = XML_Parse(parser, doc, -1, isFinal);
|
||||
+
|
||||
+ if (status != XML_STATUS_ERROR)
|
||||
+ fail("Negative len was expected to fail the parse but did not.");
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||
+
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+/* Test XML_ParseBuffer for len < 0 */
|
||||
+START_TEST(test_negative_len_parse_buffer) {
|
||||
+ const char *const doc = "<root/>";
|
||||
+ for (int isFinal = 0; isFinal < 2; isFinal++) {
|
||||
+ XML_Parser parser = XML_ParserCreate(NULL);
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_NONE)
|
||||
+ fail("There was not supposed to be any initial parse error.");
|
||||
+
|
||||
+ void *const buffer = XML_GetBuffer(parser, (int)strlen(doc));
|
||||
+
|
||||
+ if (buffer == NULL)
|
||||
+ fail("XML_GetBuffer failed.");
|
||||
+
|
||||
+ memcpy(buffer, doc, strlen(doc));
|
||||
+
|
||||
+ const enum XML_Status status = XML_ParseBuffer(parser, -1, isFinal);
|
||||
+
|
||||
+ if (status != XML_STATUS_ERROR)
|
||||
+ fail("Negative len was expected to fail the parse but did not.");
|
||||
+
|
||||
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_ARGUMENT)
|
||||
+ fail("Parse error does not match XML_ERROR_INVALID_ARGUMENT.");
|
||||
+
|
||||
+ XML_ParserFree(parser);
|
||||
+ }
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
/* Test odd corners of the XML_GetBuffer interface */
|
||||
static enum XML_Status
|
||||
get_feature(enum XML_FeatureEnum feature_id, long *presult) {
|
||||
@@ -12937,6 +12988,8 @@ make_suite(void) {
|
||||
tcase_add_test__ifdef_xml_dtd(tc_basic, test_user_parameters);
|
||||
tcase_add_test__ifdef_xml_dtd(tc_basic, test_ext_entity_ref_parameter);
|
||||
tcase_add_test(tc_basic, test_empty_parse);
|
||||
+ tcase_add_test(tc_basic, test_negative_len_parse);
|
||||
+ tcase_add_test(tc_basic, test_negative_len_parse_buffer);
|
||||
tcase_add_test(tc_basic, test_get_buffer_1);
|
||||
tcase_add_test(tc_basic, test_get_buffer_2);
|
||||
#if defined(XML_CONTEXT_BYTES)
|
||||
@ -0,0 +1,31 @@
|
||||
From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Pipping <sebastian@pipping.org>
|
||||
Date: Mon, 19 Aug 2024 22:34:13 +0200
|
||||
Subject: [PATCH] lib: Detect integer overflow in dtdCopy
|
||||
|
||||
Reported by TaiYou
|
||||
---
|
||||
expat/lib/xmlparse.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 91682c188..e2327bdcf 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
|
||||
if (! newE)
|
||||
return 0;
|
||||
if (oldE->nDefaultAtts) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if ((size_t)oldE->nDefaultAtts
|
||||
+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
newE->defaultAtts
|
||||
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
|
||||
if (! newE->defaultAtts) {
|
||||
@ -0,0 +1,30 @@
|
||||
From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
|
||||
From: Sebastian Pipping <sebastian@pipping.org>
|
||||
Date: Mon, 19 Aug 2024 22:37:16 +0200
|
||||
Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
|
||||
|
||||
Reported by TaiYou
|
||||
---
|
||||
expat/lib/xmlparse.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
|
||||
index 91682c188..f737575ea 100644
|
||||
--- a/expat/lib/xmlparse.c
|
||||
+++ b/expat/lib/xmlparse.c
|
||||
@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
|
||||
int next;
|
||||
|
||||
if (! dtd->scaffIndex) {
|
||||
+ /* Detect and prevent integer overflow.
|
||||
+ * The preprocessor guard addresses the "always false" warning
|
||||
+ * from -Wtype-limits on platforms where
|
||||
+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||
+#if UINT_MAX >= SIZE_MAX
|
||||
+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
|
||||
if (! dtd->scaffIndex)
|
||||
return -1;
|
||||
Loading…
Reference in new issue