diff --git a/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch b/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch new file mode 100644 index 0000000000000000000000000000000000000000..ebab7e3add24fafa3584369294299414b83cb3a9 --- /dev/null +++ b/backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch @@ -0,0 +1,40 @@ +From c471d1351ef5706dbafd63078f957a0a52689ffc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 16:56:10 +0100 +Subject: [PATCH 1/5] io: Check for memory buffer early in xmlParserInputGrow + +Reference:https://github.com/GNOME/libxml2/commit/9feafbc5c5cce13852062a527d719ecce6b54661 +Conflict:NA +--- + parserInternals.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/parserInternals.c b/parserInternals.c +index a41a195..849ebc8 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -311,6 +311,9 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + if (in->cur == NULL) return(-1); + if (in->buf->buffer == NULL) return(-1); + ++ /* Don't grow memory buffers. */ ++ if (in->buf->readcallback == NULL) return(0); ++ + CHECK_BUFFER(in); + + indx = in->cur - in->base; +@@ -320,10 +323,7 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + + return(0); + } +- if (in->buf->readcallback != NULL) { +- ret = xmlParserInputBufferGrow(in->buf, len); +- } else +- return(0); ++ ret = xmlParserInputBufferGrow(in->buf, len); + + /* + * NOTE : in->base may be a "dangling" i.e. freed pointer in this +-- +2.33.0 + diff --git a/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch b/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch new file mode 100644 index 0000000000000000000000000000000000000000..c34fa8f42b1022236815a53768c2fc2217a2a5d2 --- /dev/null +++ b/backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch @@ -0,0 +1,36 @@ +From cc645b439f54040b424bcb6c9b4c2c3f51cf2f9e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 15:08:44 +0100 +Subject: [PATCH 14/28] io: Fix "buffer full" error with certain buffer sizes + +Remove a useless check in xmlParserInputBufferGrow that could be +triggered after changing xmlBufAvail in c14cac8b. + +Fixes #438. + +Reference: https://github.com/GNOME/libxml2/commit/22d879bf0ab3ef14177a6388e28bb264bd36e64b +Conflict: NA +--- + xmlIO.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/xmlIO.c b/xmlIO.c +index 3f5307f..0762034 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -3247,12 +3247,6 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + if ((len <= MINLEN) && (len != 4)) + len = MINLEN; + +- if (xmlBufAvail(in->buffer) <= 0) { +- xmlIOErr(XML_IO_BUFFER_FULL, NULL); +- in->error = XML_IO_BUFFER_FULL; +- return(-1); +- } +- + if (xmlBufGrow(in->buffer, len + 1) < 0) { + xmlIOErrMemory("growing input buffer"); + in->error = XML_ERR_NO_MEMORY; +-- +2.33.0 + diff --git a/backport-io-Remove-xmlInputReadCallbackNop.patch b/backport-io-Remove-xmlInputReadCallbackNop.patch new file mode 100644 index 0000000000000000000000000000000000000000..4c197e318f6e227eed744f54aea1f569ebb89de3 --- /dev/null +++ b/backport-io-Remove-xmlInputReadCallbackNop.patch @@ -0,0 +1,114 @@ +From ad7390cf9545f5fd8f3d7fed7b21f8fe323ce3c7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 13 Nov 2022 16:30:46 +0100 +Subject: [PATCH 2/5] io: Remove xmlInputReadCallbackNop + +In some cases, for example when using encoders, the read callback was +set to NULL, in other cases it was set to xmlInputReadCallbackNop. +xmlGROW only tested for xmlInputReadCallbackNop, resulting in errors +when parsing large encoded content from memory. + +Always use a NULL callback for memory buffers to avoid ambiguities. + +Fixes #262. + +Reference:https://github.com/GNOME/libxml2/commit/46cd7d224ed5c4cdbd4f72ec899db24e18d21fe7 +Conflict:include/private/io.h +--- + parser.c | 2 +- + parserInternals.c | 3 ++- + xmlIO.c | 30 ++++-------------------------- + 3 files changed, 7 insertions(+), 28 deletions(-) + +diff --git a/parser.c b/parser.c +index 05a2732..5594091 100644 +--- a/parser.c ++++ b/parser.c +@@ -2134,7 +2134,7 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) { + if (((curEnd > XML_MAX_LOOKUP_LIMIT) || + (curBase > XML_MAX_LOOKUP_LIMIT)) && + ((ctxt->input->buf) && +- (ctxt->input->buf->readcallback != xmlInputReadCallbackNop)) && ++ (ctxt->input->buf->readcallback != NULL)) && + ((ctxt->options & XML_PARSE_HUGE) == 0)) { + xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup"); + xmlHaltParser(ctxt); +diff --git a/parserInternals.c b/parserInternals.c +index 849ebc8..2374133 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -312,7 +312,8 @@ xmlParserInputGrow(xmlParserInputPtr in, int len) { + if (in->buf->buffer == NULL) return(-1); + + /* Don't grow memory buffers. */ +- if (in->buf->readcallback == NULL) return(0); ++ if ((in->buf->encoder == NULL) && (in->buf->readcallback == NULL)) ++ return(0); + + CHECK_BUFFER(in); + +diff --git a/xmlIO.c b/xmlIO.c +index 0fb402b..bf25a1b 100644 +--- a/xmlIO.c ++++ b/xmlIO.c +@@ -729,20 +729,6 @@ xmlCheckFilename (const char *path) + return 1; + } + +-/** +- * xmlInputReadCallbackNop: +- * +- * No Operation xmlInputReadCallback function, does nothing. +- * +- * Returns zero +- */ +-int +-xmlInputReadCallbackNop(void *context ATTRIBUTE_UNUSED, +- char *buffer ATTRIBUTE_UNUSED, +- int len ATTRIBUTE_UNUSED) { +- return(0); +-} +- + /** + * xmlFdRead: + * @context: the I/O context +@@ -2961,7 +2947,7 @@ xmlParserInputBufferCreateMem(const char *mem, int size, xmlCharEncoding enc) { + ret = xmlAllocParserInputBuffer(enc); + if (ret != NULL) { + ret->context = (void *) mem; +- ret->readcallback = xmlInputReadCallbackNop; ++ ret->readcallback = NULL; + ret->closecallback = NULL; + errcode = xmlBufAdd(ret->buffer, (const xmlChar *) mem, size); + if (errcode != 0) { +@@ -3265,10 +3251,8 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + res = in->readcallback(in->context, &buffer[0], len); + if (res <= 0) + in->readcallback = endOfInput; +- } else { +- xmlIOErr(XML_IO_NO_INPUT, NULL); +- in->error = XML_IO_NO_INPUT; +- return(-1); ++ } else if (in->encoder == NULL) { ++ return(0); + } + if (res < 0) { + return(-1); +@@ -3335,13 +3319,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) { + */ + int + xmlParserInputBufferRead(xmlParserInputBufferPtr in, int len) { +- if ((in == NULL) || (in->error)) return(-1); +- if (in->readcallback != NULL) +- return(xmlParserInputBufferGrow(in, len)); +- else if (xmlBufGetAllocationScheme(in->buffer) == XML_BUFFER_ALLOC_IMMUTABLE) +- return(0); +- else +- return(-1); ++ return(xmlParserInputBufferGrow(in, len)); + } + + #ifdef LIBXML_OUTPUT_ENABLED +-- +2.33.0 + diff --git a/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch b/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch new file mode 100644 index 0000000000000000000000000000000000000000..d2755895172e21858832e61f7949a560fb5a8e71 --- /dev/null +++ b/backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch @@ -0,0 +1,30 @@ +From d5dfc1ca95cc026e150c2ecea09ea0aeebfb2d2b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 23 Dec 2022 21:53:30 +0100 +Subject: [PATCH 5/5] parser: Don't increase depth twice when parsing internal + entities + +Fix xmlParseBalancedChunkMemoryInternal. + +Reference:https://github.com/GNOME/libxml2/commit/dd62e541ecd142ebfb16cb7abe3d3ef4ee6617bd +Conflict:NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 65c3d70..af54059 100644 +--- a/parser.c ++++ b/parser.c +@@ -13390,7 +13390,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, + xmlAddChild((xmlNodePtr) ctxt->myDoc, newRoot); + nodePush(ctxt, ctxt->myDoc->children); + ctxt->instate = XML_PARSER_CONTENT; +- ctxt->depth = oldctxt->depth + 1; ++ ctxt->depth = oldctxt->depth; + + ctxt->validate = 0; + ctxt->loadsubset = oldctxt->loadsubset; +-- +2.33.0 + diff --git a/backport-parser-Fix-integer-overflow-of-input-ID.patch b/backport-parser-Fix-integer-overflow-of-input-ID.patch new file mode 100644 index 0000000000000000000000000000000000000000..61ad93ca2287dcd576c5c8532d011e7e0c408c54 --- /dev/null +++ b/backport-parser-Fix-integer-overflow-of-input-ID.patch @@ -0,0 +1,65 @@ +From 9e37d7dd30c82daeecc2a5c0baa4a08ca0eb2956 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 22 Dec 2022 15:22:01 +0100 +Subject: [PATCH 4/5] parser: Fix integer overflow of input ID + +Applies a patch from Chromium. Also stop incrementing input ID of +subcontexts. This isn't necessary. + +Fixes #465. + +Reference:https://github.com/GNOME/libxml2/commit/077df27eb1bdc2a3268f7596415fd91db76d29d4 +Conflict:NA +--- + parser.c | 8 ++------ + parserInternals.c | 7 ++++++- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/parser.c b/parser.c +index 33b396f..65c3d70 100644 +--- a/parser.c ++++ b/parser.c +@@ -13339,7 +13339,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt, + ctxt->userData = ctxt; + if (ctxt->dict != NULL) xmlDictFree(ctxt->dict); + ctxt->dict = oldctxt->dict; +- ctxt->input_id = oldctxt->input_id + 1; ++ ctxt->input_id = oldctxt->input_id; + ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3); + ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5); + ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36); +@@ -13970,11 +13970,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, + if (pctx != NULL) { + ctxt->options = pctx->options; + ctxt->_private = pctx->_private; +- /* +- * this is a subparser of pctx, so the input_id should be +- * incremented to distinguish from main entity +- */ +- ctxt->input_id = pctx->input_id + 1; ++ ctxt->input_id = pctx->input_id; + } + + /* Don't read from stdin. */ +diff --git a/parserInternals.c b/parserInternals.c +index 2374133..e027ba5 100644 +--- a/parserInternals.c ++++ b/parserInternals.c +@@ -1378,8 +1378,13 @@ xmlNewInputStream(xmlParserCtxtPtr ctxt) { + * should not happen while parsing which is the situation where + * the id is actually needed. + */ +- if (ctxt != NULL) ++ if (ctxt != NULL) { ++ if (input->id >= INT_MAX) { ++ xmlErrMemory(ctxt, "Input ID overflow\n"); ++ return(NULL); ++ } + input->id = ctxt->input_id++; ++ } + + return(input); + } +-- +2.33.0 + diff --git a/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch b/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch new file mode 100644 index 0000000000000000000000000000000000000000..39364a7e4df56322983717d9d8558fdf560dcce9 --- /dev/null +++ b/backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch @@ -0,0 +1,35 @@ +From 9c66e12ce14bc59f549aa347bba04f2a9b837fcc Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Wed, 21 Dec 2022 19:21:30 -0800 +Subject: [PATCH 3/5] xmlParseStartTag2() contains typo when checking for + default definitions for an attribute in a namespace + +* parser.c: +(xmlParseStartTag2): +- Fix index into defaults->values. It is only correct the first + time through the loop when i == 0. + +Fixes #467.. + +Reference:https://github.com/GNOME/libxml2/commit/0bd4e4e032d57ecf982b57312eb6136efdd35d56 +Conflict:NA +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 5594091..33b396f 100644 +--- a/parser.c ++++ b/parser.c +@@ -9562,7 +9562,7 @@ next_attr: + if (j <= nbNs) continue; + + nsname = xmlGetNamespace(ctxt, attname); +- if (nsname != defaults->values[2]) { ++ if (nsname != defaults->values[5 * i + 2]) { + if (nsPush(ctxt, attname, + defaults->values[5 * i + 2]) > 0) + nbNs++; +-- +2.33.0 + diff --git a/libxml2.spec b/libxml2.spec index 0e992cc3128a80200cfd72b937c2869ebc365625..d5d10a493704a80bac77f518917d1389995984f8 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.12 -Release: 14 +Release: 15 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -50,6 +50,12 @@ Patch40:backport-CVE-2022-40303-Fix-integer-overflows-with-XML_PARSE_HUGE.patch Patch41:backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-reference-cycles.patch Patch42:backport-schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch Patch43:backport-parser-Fix-potential-memory-leak-in-xmlParseAttValue.patch +Patch44:backport-io-Fix-buffer-full-error-with-certain-buffer-sizes.patch +Patch45:backport-io-Check-for-memory-buffer-early-in-xmlParserInputGrow.patch +Patch46:backport-io-Remove-xmlInputReadCallbackNop.patch +Patch47:backport-xmlParseStartTag2-contains-typo-when-checking-for-default.patch +Patch48:backport-parser-Fix-integer-overflow-of-input-ID.patch +Patch49:backport-parser-Don-t-increase-depth-twice-when-parsing-internal.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -205,6 +211,12 @@ rm -fr %{buildroot} %changelog +* Tue Jan 31 2023 hubin - 2.9.12-15 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + * Mon Nov 21 2022 fuanan - 2.9.12-14 - Type:bugfix - CVE:NA