From 36e8cb37d7eb1fd3a71901544636fc4434a9a637 Mon Sep 17 00:00:00 2001
From: Xiaoming Ni
Date: Tue, 1 Dec 2020 14:50:16 +0800
Subject: [PATCH] libxml2: fix memleak and Null pointer access

1. fix Null pointer access in xmlSchemaGetFacetValueAsULong()
2. fix memleak in xmlRegisterCharEncodingHandler()

Signed-off-by: Xiaoming Ni
---
 ...c-xmlSchemaGetFacetValueAsULong-add-.patch | 33 +++++++++++
 ...leak-in-xmlRegisterCharEncodingHandl.patch | 55 +++++++++++++++++++
 libxml2.spec | 8 ++-
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 0001-xmlschemastypes.c-xmlSchemaGetFacetValueAsULong-add-.patch
 create mode 100644 0002-encoding-fix-memleak-in-xmlRegisterCharEncodingHandl.patch

diff --git a/0001-xmlschemastypes.c-xmlSchemaGetFacetValueAsULong-add-.patch b/0001-xmlschemastypes.c-xmlSchemaGetFacetValueAsULong-add-.patch
new file mode 100644
index 0000000..b92bdcf
--- /dev/null
+++ b/0001-xmlschemastypes.c-xmlSchemaGetFacetValueAsULong-add-.patch
@@ -0,0 +1,33 @@
+From 7e0350ffd1a9e008f5bb9a47541733c29e6ba5fb Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Tue, 24 Nov 2020 11:18:15 +0800
+Subject: [PATCH 1/2] xmlschemastypes.c: xmlSchemaGetFacetValueAsULong add
+ check "facet->val"
+
+The xmlSchemaGetFacetValueAsUlong() API is an external API.
+The validity of external input parameters must be strictly verified.
+Before accessing "facet->val->value", we need check whether "facet->val" is
+a null pointer.
+
+Signed-off-by: wuqing
+Signed-off-by: Xiaoming Ni
+---
+ xmlschemastypes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index e7764d9..e7fb83f 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -5069,7 +5069,7 @@ xmlSchemaGetFacetValueAsULong(xmlSchemaFacetPtr facet)
+ /*
+ * TODO: Check if this is a decimal.
+ */
+- if (facet == NULL)
++ if (facet == NULL || facet->val == NULL)
+ return 0;
+ return ((unsigned long) facet->val->value.decimal.lo);
+ }
+--
+2.27.0
+
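Review bot: The guard at `++ if (facet == NULL || facet->val == NULL)` stops the NULL dereference but leaves the TODO directly above it unresolved: `facet->val->value.decimal.lo` is still read without checking `facet->val->type`, so a value that is not a decimal is reinterpreted through the union rather than rejected. The function is a public API and now returns 0 for three distinct situations (no facet, facet without a computed value, a genuine value of 0), which the caller cannot tell apart. The API doc comment, which sits outside this hunk, should say so explicitly, e.g. `* Returns the facet value as an unsigned long, or 0 if @facet is NULL or has no computed value; 0 is therefore ambiguous.` The TODO could also be reworded to name the remaining gap: `* TODO: facet->val->type is not checked; only decimal-typed values are meaningful here.`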
diff --git a/0002-encoding-fix-memleak-in-xmlRegisterCharEncodingHandl.patch b/0002-encoding-fix-memleak-in-xmlRegisterCharEncodingHandl.patch
new file mode 100644
index 0000000..a2773a6
--- /dev/null
+++ b/0002-encoding-fix-memleak-in-xmlRegisterCharEncodingHandl.patch
@@ -0,0 +1,55 @@
+From a0d4c8ada58389b188e46bd4465d202c84ec61d3 Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Tue, 24 Nov 2020 11:47:05 +0800
+Subject: [PATCH 2/2] encoding: fix memleak in xmlRegisterCharEncodingHandler()
+
+The return type of xmlRegisterCharEncodingHandler() is void. The invoker
+cannot determine whether xmlRegisterCharEncodingHandler() is executed
+successfully. when nbCharEncodingHandler >= MAX_ENCODING_HANDLERS, the
+"handler" is not added to the array "handlers". As a result, the memory
+of "handler" cannot be managed and released: memory leakage.
+
+so add "xmlfree(handler)" to fix memory leakage on the failure branch of
+xmlRegisterCharEncodingHandler().
+
+Reported-by: wuqing
+Signed-off-by: Xiaoming Ni
+---
+ encoding.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/encoding.c b/encoding.c
+index ad4d8a6..05681f7 100644
+--- a/encoding.c
++++ b/encoding.c
+@@ -1483,16 +1483,25 @@ xmlRegisterCharEncodingHandler(xmlCharEncodingHandlerPtr handler) {
+ if ((handler == NULL) || (handlers == NULL)) {
+ xmlEncodingErr(XML_I18N_NO_HANDLER,
+ "xmlRegisterCharEncodingHandler: NULL handler !\n", NULL);
+- return;
++ goto free_handler;
+ }
+
+ if (nbCharEncodingHandler >= MAX_ENCODING_HANDLERS) {
+ xmlEncodingErr(XML_I18N_EXCESS_HANDLER,
+ "xmlRegisterCharEncodingHandler: Too many handler registered, see %s\n",
+ "MAX_ENCODING_HANDLERS");
+- return;
++ goto free_handler;
+ }
+ handlers[nbCharEncodingHandler++] = handler;
++ return;
++
++free_handler:
++ if (handler != NULL) {
++ if (handler->name != NULL) {
++ xmlFree(handler->name);
++ }
++ xmlFree(handler);
++ }
+ }
+
+ /**
+--
+2.27.0
+
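Review bot: Freeing `handler` under the new `free_handler:` label changes the ownership contract of a public void API: any caller that still holds the pointer after xmlRegisterCharEncodingHandler() returns now has a dangling reference, and a caller that passed a handler or name with static storage gets an invalid free. If I recall upstream encoding.c correctly, xmlNewCharEncodingHandler() in the same file registers the freshly allocated handler and then returns it to its caller, so with this patch a full handler table turns the original leak into a use-after-free on that path; the `handlers == NULL` branch likewise frees a perfectly valid handler whose registration merely could not happen. A safer shape keeps the public function non-owning and fixes the leak at the allocation site: have xmlNewCharEncodingHandler() test `nbCharEncodingHandler >= MAX_ENCODING_HANDLERS` before allocating, or route it through an internal variant that returns a status so the allocator itself can free and return NULL. Whichever way is chosen, the ownership rule on failure must be stated in the function's doc comment, which is outside this hunk, e.g. `* The handler is not taken over on failure; the caller keeps ownership.`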
diff --git a/libxml2.spec b/libxml2.spec
index efd198a..6a3aace 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 10
+Release: 11
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -56,6 +56,8 @@ Patch46: Limit-size-of-free-lists-in-XML-reader-when-fuzzing.patch
 Patch47: Fix-cleanup-of-attributes-in-XML-reader.patch
 Patch48: Fix-null-deref-in-XPointer-expression-error-path.patch
 Patch49: Fix-use-after-free-when-XIncluding-text-from-Reader.patch
+patch50: 0001-xmlschemastypes.c-xmlSchemaGetFacetValueAsULong-add-.patch
+patch52: 0002-encoding-fix-memleak-in-xmlRegisterCharEncodingHandl.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -216,6 +218,10 @@ rm -fr %{buildroot}
 %changelog
+* Tue Dec 1 2020 Xiaoming Ni 2.9.10-11
+- xmlschemastypes.c: xmlSchemaGetFacetValueAsULong add check "facet->val"
+- encoding: fix memleak in xmlRegisterCharEncodingHandler()
+
 * Thu Nov 12 2020 Liquor - 2.9.10-10
 - fix problems detected by oss-fuzz test
--
Gitee
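Review bot: The two new source lines use lowercase `patch50:` and `patch52:` while the surrounding entries are `Patch46:` through `Patch49:`, and the numbering skips 51. rpm matches tag names case-insensitively, so this still builds, but the inconsistency and the gap read as a copy mistake and make it easy to pair the wrong `%patchN` directive with a file; use `Patch50:` and `Patch51:`. Whether the spec applies patches with `%autosetup` or with explicit `%patchN -p1` lines is outside this hunk; if it is the latter, the matching application lines also need adding or the two patches are declared but never applied.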