From 29a3d16abf8b4e67b0d310e6017521856e20736e Mon Sep 17 00:00:00 2001
From: zou_lin77 <422351577@qq.com>
Date: Fri, 28 Aug 2020 19:01:02 +0800
Subject: [PATCH] Fix more quadratic runtime issues in HTML push parse Fix reset HTML parser input before reporting error
---
 ...ic-runtime-issues-in-HTML-push-parse.patch | 57 +++++++++++++++++++
 ...-parser-input-before-reporting-error.patch | 49 ++++++++++++++++
 libxml2.spec | 10 +++-
 3 files changed, 114 insertions(+), 2 deletions(-)
 create mode 100644 Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
 create mode 100644 Reset-HTML-parser-input-before-reporting-error.patch
diff --git a/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch b/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
new file mode 100644
index 0000000..dff0094
--- /dev/null
+++ b/Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
@@ -0,0 +1,57 @@
+From 3da8d947df1f84e54b12145ca2cfa1ff6456f532 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 9 Jul 2020 16:08:38 +0200
+Subject: [PATCH] Fix more quadratic runtime issues in HTML push parser
+
+Make sure that checkIndex is set when returning without match from
+inside a comment. Also track parser state in htmlParseLookupChars.
+
+Found by OSS-Fuzz.
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 366c19b..9b12dd1 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -5205,7 +5205,7 @@ htmlParseLookupSequence(htmlParserCtxtPtr ctxt, xmlChar first,
+ }
+ if (incomment) {
+ if (base + 3 > len)
+- return (-1);
++ break;
+ if ((buf[base] == '-') && (buf[base + 1] == '-') &&
+ (buf[base + 2] == '>')) {
+ incomment = 0;
+@@ -5294,8 +5294,11 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+ if (base < 0)
+ return (-1);
+
+- if (ctxt->checkIndex > base)
++ if (ctxt->checkIndex > base) {
+ base = ctxt->checkIndex;
++ /* Abuse hasPErefs member to restore current state. */
++ incomment = ctxt->hasPErefs & 1 ? 1 : 0;
++ }
+
+ if (in->buf == NULL) {
+ buf = in->base;
+@@ -5316,7 +5319,7 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+ }
+ if (incomment) {
+ if (base + 3 > len)
+- return (-1);
++ break;
+ if ((buf[base] == '-') && (buf[base + 1] == '-') &&
+ (buf[base + 2] == '>')) {
+ incomment = 0;
+@@ -5332,6 +5335,8 @@ htmlParseLookupChars(htmlParserCtxtPtr ctxt, const xmlChar * stop,
+ }
+ }
+ ctxt->checkIndex = base;
++ /* Abuse hasPErefs member to track current state. */
++ ctxt->hasPErefs = incomment;
+ return (-1);
+ }
+
+--
+1.8.3.1
+
diff --git a/Reset-HTML-parser-input-before-reporting-error.patch b/Reset-HTML-parser-input-before-reporting-error.patch
new file mode 100644
index 0000000..39f7ab3
--- /dev/null
+++ b/Reset-HTML-parser-input-before-reporting-error.patch
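Review bot: The two `return (-1);` → `break;` changes only help if the code after each lookup loop records progress, and in htmlParseLookupSequence that post-loop `ctxt->checkIndex = base;` store and the matching `incomment` save/restore are outside this hunk; both functions start and end outside the hunk. Upstream 3da8d947 was written against master, while this file is applied on top of Patch1–Patch24 of 2.9.10 (blob 366c19b), so confirm that the htmlParseLookupSequence in that tree already carries the hasPErefs bookkeeping that this hunk adds only to htmlParseLookupChars — if it does not, the `break` merely moves where -1 is returned and the quadratic rescan from base 0 remains. A one-line note in the patch header, e.g. `Backport of upstream 3da8d947; htmlParseLookupSequence state tracking already present in 2.9.10`, would make that dependency explicit for the next rebase.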
@@ -0,0 +1,49 @@
+From 3f18e7486d5feb8ae41911ce3c122e05641a4c3d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 11 Jul 2020 14:34:57 +0200
+Subject: [PATCH] Reset HTML parser input before reporting error
+
+Avoid use-after-free, similar to 13ba5b61. Also make sure that
+xmlBufSetInputBaseCur sets valid pointers in case of buffer errors.
+
+Found by OSS-Fuzz.
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 9b12dd1..1dea794 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -6150,12 +6150,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
+ int res;
+
+ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
++ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+ if (res < 0) {
+ ctxt->errNo = XML_PARSER_EOF;
+ ctxt->disableSAX = 1;
+ return (XML_PARSER_EOF);
+ }
+- xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+ #ifdef DEBUG_PUSH
+ xmlGenericError(xmlGenericErrorContext, "HPP: pushed %d\n", size);
+ #endif
+diff --git a/buf.c b/buf.c
+index 8ad18a1..24368d3 100644
+--- a/buf.c
++++ b/buf.c
+@@ -1334,8 +1334,12 @@ xmlBufGetInputBase(xmlBufPtr buf, xmlParserInputPtr input) {
+ int
+ xmlBufSetInputBaseCur(xmlBufPtr buf, xmlParserInputPtr input,
+ size_t base, size_t cur) {
+- if ((input == NULL) || (buf == NULL) || (buf->error))
++ if (input == NULL)
++ return(-1);
++ if ((buf == NULL) || (buf->error)) {
++ input->base = input->cur = input->end = BAD_CAST "";
+ return(-1);
++ }
+ CHECK_COMPAT(buf)
+ input->base = &buf->content[base];
+ input->cur = input->base + cur;
+--
+1.8.3.1
+
diff --git a/libxml2.spec b/libxml2.spec
index 4ddc8bf..b189e00 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 5
+Release: 6
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
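Review bot: The patch header itself says this is the HTML-side twin of upstream 13ba5b61 (the same "reset input before reporting error" fix for the XML push parser), but that sibling commit is not part of this series and the Patch16–Patch20 lines of the spec are not in the diff, so confirm it is already carried by this package; if it is not, the use-after-free this patch closes for htmlParseChunk is still reachable through xmlParseChunk on a failed xmlParserInputBufferPush. Moving xmlBufSetInputBaseCur ahead of the `res < 0` check is correct only because the new buf.c branch now parks input->base/cur/end on a static `""` when buf->error is set; the success path visible here sets only base and cur, and the `end` update presumably follows on the line after the hunk — both htmlParseChunk and xmlBufSetInputBaseCur continue outside it. Recording the sibling dependency in the patch header, e.g. `Requires the xmlParseChunk counterpart (upstream 13ba5b61) to be applied as well`, would keep the pair from being split on a future rebase.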
@@ -18,7 +18,7 @@ Patch8: Use-random-seed-in-xmlDictComputeFastKey.patch
 Patch9: Fix-more-memory-leaks-in-error-paths-of-XPath-parser.patch
 Patch10: Fix-freeing-of-nested-documents.patch
 Patch11: Fix-overflow-check-in-xmlNodeDump.patch
-Patch12: Check-for-overflow-when-allocating-two-dimensional-a.patch
+Patch12: Check-for-overflow-when-allocating-two-dimensional-arrays.patch
 Patch13: Fix-integer-overflow-in-xmlBufferResize.patch
 Patch14: Fix-copying-of-entities-in-xmlParseReference.patch
 Patch15: Copy-some-XMLReader-option-flags-to-parser-context.patch
@@ -31,6 +31,8 @@ Patch21: Report-error-for-invalid-regexp-quantifiers.patch
 Patch22: Add-regexp-regression-tests.patch
 Patch23: Limit-regexp-nesting-depth.patch
 Patch24: Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch
+Patch25: Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
+Patch26: Reset-HTML-parser-input-before-reporting-error.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@@ -222,6 +224,10 @@ rm -fr %{buildroot}
 %changelog
+* Fri Aug 28 2020 zoulin - 2.9.10-6
+- Fix more quadratic runtime issues in HTML push parse
+- Fix reset HTML parser input before reporting error
+
 * Wed Aug 12 2020 Liquor - 2.9.10-5
 - Limit regexp nesting depth
 - Fix exponential runtime in xmlFARecurseDeterminism
-- Gitee
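Review bot: The Patch12 line is changed to reference `Check-for-overflow-when-allocating-two-dimensional-arrays.patch`, but the diffstat in the commit record lists only the two new patch files and libxml2.spec — no rename of the existing `...-two-dimensional-a.patch` — so unless the longer-named file already exists in the repository, rpmbuild will fail in %prep with a missing source; either include the `git mv` in this commit or drop the unrelated rename, and mention it in the changelog if it stays. Patch25 and Patch26 are declared here, yet the %prep section is not part of this diff; if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, the two new fixes are never applied and the Release bump ships an unchanged library, so confirm `%patch25 -p1` and `%patch26 -p1` are present. The changelog entry "Fix reset HTML parser input before reporting error" reads as if it fixes a reset; `Reset HTML parser input before reporting error (use-after-free)` states what the patch actually does.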