diff --git a/Fix-use-after-free-with-validating-reader.patch b/Fix-use-after-free-with-validating-reader.patch new file mode 100644 index 0000000000000000000000000000000000000000..e81455a32d488cd4f34087b0d9f2535899a037e7 --- /dev/null +++ b/Fix-use-after-free-with-validating-reader.patch @@ -0,0 +1,91 @@ +From 2af3c2a8b974cb5896cd3beb74561ba979de9f34 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 8 Jun 2020 12:49:51 +0200 +Subject: [PATCH] Fix use-after-free with validating reader + +Just like IDs, IDREF attributes must be removed from the document's +refs table when they're freed by a reader. This bug is often hidden +because xmlAttr structs are reused and strings are stored in a +dictionary unless XML_PARSE_NODICT is specified. + +Found by OSS-Fuzz. +--- + xmlreader.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 55 insertions(+) + +diff --git a/xmlreader.c b/xmlreader.c +index 3fd9aa4c0..6ae6e9229 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -278,6 +278,59 @@ xmlTextReaderRemoveID(xmlDocPtr doc, xmlAttrPtr attr) { + return(0); + } + ++/** ++ * xmlTextReaderWalkRemoveRef: ++ * @data: Contents of current link ++ * @user: Value supplied by the user ++ * ++ * Returns 0 to abort the walk or 1 to continue ++ */ ++static int ++xmlTextReaderWalkRemoveRef(const void *data, void *user) ++{ ++ xmlRefPtr ref = (xmlRefPtr)data; ++ xmlAttrPtr attr = (xmlAttrPtr)user; ++ ++ if (ref->attr == attr) { /* Matched: remove and terminate walk */ ++ ref->name = xmlStrdup(attr->name); ++ ref->attr = NULL; ++ return 0; ++ } ++ return 1; ++} ++ ++/** ++ * xmlTextReaderRemoveRef: ++ * @doc: the document ++ * @attr: the attribute ++ * ++ * Remove the given attribute from the Ref table maintained internally. ++ * ++ * Returns -1 if the lookup failed and 0 otherwise ++ */ ++static int ++xmlTextReaderRemoveRef(xmlDocPtr doc, xmlAttrPtr attr) { ++ xmlListPtr ref_list; ++ xmlRefTablePtr table; ++ xmlChar *ID; ++ ++ if (doc == NULL) return(-1); ++ if (attr == NULL) return(-1); ++ table = (xmlRefTablePtr) doc->refs; ++ if (table == NULL) ++ return(-1); ++ ++ ID = xmlNodeListGetString(doc, attr->children, 1); ++ if (ID == NULL) ++ return(-1); ++ ref_list = xmlHashLookup(table, ID); ++ xmlFree(ID); ++ if(ref_list == NULL) ++ return (-1); ++ xmlListWalk(ref_list, xmlTextReaderWalkRemoveRef, attr); ++ return(0); ++} ++ + /** + * xmlTextReaderFreeProp: + * @reader: the xmlTextReaderPtr used +@@ -304,6 +357,8 @@ xmlTextReaderFreeProp(xmlTextReaderPtr reader, xmlAttrPtr cur) { + (cur->parent->doc->extSubset != NULL))) { + if (xmlIsID(cur->parent->doc, cur->parent, cur)) + xmlTextReaderRemoveID(cur->parent->doc, cur); ++ if (xmlIsRef(cur->parent->doc, cur->parent, cur)) ++ xmlTextReaderRemoveRef(cur->parent->doc, cur); + } + if (cur->children != NULL) + xmlTextReaderFreeNodeList(reader, cur->children); +-- +GitLab + diff --git a/Never-expand-parameter-entities-in-text-declaration.patch b/Never-expand-parameter-entities-in-text-declaration.patch new file mode 100644 index 0000000000000000000000000000000000000000..8640cf7479a9bd5327da4d92f614bd3280d88eb7 --- /dev/null +++ b/Never-expand-parameter-entities-in-text-declaration.patch @@ -0,0 +1,70 @@ +From a28f7d8789e63f5e2ac63b42083754cba58f1a0e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 10 Jun 2020 13:41:13 +0200 +Subject: [PATCH] Never expand parameter entities in text declaration + +When parsing the text declaration of external DTDs or entities, make +sure that parameter entities are not expanded. This also fixes a memory +leak in certain error cases. + +The change to xmlSkipBlankChars assumes that the parser state is +maintained correctly when parsing external DTDs or parameter entities, +and might expose bugs in the code that were hidden previously. + +Found by OSS-Fuzz. +--- + parser.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 046f1cec3..3559aaaec 100644 +--- a/parser.c ++++ b/parser.c +@@ -2156,7 +2156,7 @@ xmlSkipBlankChars(xmlParserCtxtPtr ctxt) { + * It's Okay to use CUR/NEXT here since all the blanks are on + * the ASCII range. + */ +- if ((ctxt->inputNr == 1) && (ctxt->instate != XML_PARSER_DTD)) { ++ if (ctxt->instate != XML_PARSER_DTD) { + const xmlChar *cur; + /* + * if we are in the document content, go really fast +@@ -6852,6 +6852,7 @@ void + xmlParseTextDecl(xmlParserCtxtPtr ctxt) { + xmlChar *version; + const xmlChar *encoding; ++ int oldstate; + + /* + * We know that 'instate; ++ ctxt->instate = XML_PARSER_START; ++ + if (SKIP_BLANKS == 0) { + xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, + "Space needed after 'instate = oldstate; + return; + } + if ((encoding == NULL) && (ctxt->errNo == XML_ERR_OK)) { +@@ -6909,6 +6915,8 @@ xmlParseTextDecl(xmlParserCtxtPtr ctxt) { + MOVETO_ENDTAG(CUR_PTR); + NEXT; + } ++ ++ ctxt->instate = oldstate; + } + + /** +-- +GitLab + diff --git a/libxml2.spec b/libxml2.spec index 25446265e80a02c28148b7d3e90afd72a5f663a8..5d743bc2166e16139496d3d4c0ef5366a735bf8a 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.10 -Release: 2 +Release: 3 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz @@ -24,6 +24,8 @@ Patch14: Fix-copying-of-entities-in-xmlParseReference.patch Patch15: Copy-some-XMLReader-option-flags-to-parser-context.patch Patch16: Merge-code-paths-loading-external-entities.patch Patch17: Don-t-load-external-entity-from-xmlSAX2GetEntity.patch +Patch18: Fix-use-after-free-with-validating-reader.patch +Patch19: Never-expand-parameter-entities-in-text-declaration.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python2-devel @@ -215,6 +217,10 @@ rm -fr %{buildroot} %changelog +* Tue Jul 28 2020 shenyangyang - 2.9.10-3 +- Fix-use-after-free-with-validating-reader and + Never-expand-parameter-entities-in-text-declaration + * Fri Jul 3 2020 wangchen - 2.9.10-2 - Sync some patches from community