Startseite Erkunden Hilfe
Registrieren Anmelden
GfA
/
DisplayGfA001-legal-info
5
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: master
Branches Tags
DisplayGfA001-l...
/
host-sources
/
libxml2-2.9.4
/
0002-Disallow-namespace-nodes-in-XPointer-ranges.patch

0002-Disallow-namespace-nodes-in-XPointer-ranges.patch 7.3 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 
  1. From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
    2. 

  2. From: Nick Wellnhofer <wellnhofer@aevum.de>
    3. 

  3. Date: Tue, 28 Jun 2016 18:34:52 +0200
    4. 

  4. Subject: [PATCH] Disallow namespace nodes in XPointer ranges
    5. 

  5. 

  6. Namespace nodes must be copied to avoid use-after-free errors.
    7. 

  7. But they don't necessarily have a physical representation in a
    8. 

  8. document, so simply disallow them in XPointer ranges.
    9. 

  9. 

  10. Found with afl-fuzz.
    11. 

  11. 

  12. Fixes CVE-2016-4658.
    13. 

  13. 

  14. Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    15. 

  15. ---
    16. 

  16. Patch status: upstream commit c1d1f712119403
    17. 

  17. 

  18.  xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
    19. 

  19.  1 file changed, 56 insertions(+), 93 deletions(-)
    20. 

  20. 

  21. diff --git a/xpointer.c b/xpointer.c
    22. 

  22. index a7b03fbdae16..694d120e2e0b 100644
    23. 

  23. --- a/xpointer.c
    24. 

  24. +++ b/xpointer.c
    25. 

  25. @@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
    26. 

  26.  }
    27. 

  27.  
    28. 

  28.  /**
    29. 

  29. + * xmlXPtrNewRangeInternal:
    30. 

  30. + * @start:  the starting node
    31. 

  31. + * @startindex:  the start index
    32. 

  32. + * @end:  the ending point
    33. 

  33. + * @endindex:  the ending index
    34. 

  34. + *
    35. 

  35. + * Internal function to create a new xmlXPathObjectPtr of type range
    36. 

  36. + *
    37. 

  37. + * Returns the newly created object.
    38. 

  38. + */
    39. 

  39. +static xmlXPathObjectPtr
    40. 

  40. +xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
    41. 

  41. +                        xmlNodePtr end, int endindex) {
    42. 

  42. +    xmlXPathObjectPtr ret;
    43. 

  43. +
    44. 

  44. +    /*
    45. 

  45. +     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
    46. 

  46. +     * Disallow them for now.
    47. 

  47. +     */
    48. 

  48. +    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
    49. 

  49. +	return(NULL);
    50. 

  50. +    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
    51. 

  51. +	return(NULL);
    52. 

  52. +
    53. 

  53. +    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    54. 

  54. +    if (ret == NULL) {
    55. 

  55. +        xmlXPtrErrMemory("allocating range");
    56. 

  56. +	return(NULL);
    57. 

  57. +    }
    58. 

  58. +    memset(ret, 0, sizeof(xmlXPathObject));
    59. 

  59. +    ret->type = XPATH_RANGE;
    60. 

  60. +    ret->user = start;
    61. 

  61. +    ret->index = startindex;
    62. 

  62. +    ret->user2 = end;
    63. 

  63. +    ret->index2 = endindex;
    64. 

  64. +    return(ret);
    65. 

  65. +}
    66. 

  66. +
    67. 

  67. +/**
    68. 

  68.   * xmlXPtrNewRange:
    69. 

  69.   * @start:  the starting node
    70. 

  70.   * @startindex:  the start index
    71. 

  71. @@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
    72. 

  72.      if (endindex < 0)
    73. 

  73.  	return(NULL);
    74. 

  74.  
    75. 

  75. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    76. 

  76. -    if (ret == NULL) {
    77. 

  77. -        xmlXPtrErrMemory("allocating range");
    78. 

  78. -	return(NULL);
    79. 

  79. -    }
    80. 

  80. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    81. 

  81. -    ret->type = XPATH_RANGE;
    82. 

  82. -    ret->user = start;
    83. 

  83. -    ret->index = startindex;
    84. 

  84. -    ret->user2 = end;
    85. 

  85. -    ret->index2 = endindex;
    86. 

  86. +    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
    87. 

  87.      xmlXPtrRangeCheckOrder(ret);
    88. 

  88.      return(ret);
    89. 

  89.  }
    90. 

  90. @@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
    91. 

  91.      if (end->type != XPATH_POINT)
    92. 

  92.  	return(NULL);
    93. 

  93.  
    94. 

  94. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    95. 

  95. -    if (ret == NULL) {
    96. 

  96. -        xmlXPtrErrMemory("allocating range");
    97. 

  97. -	return(NULL);
    98. 

  98. -    }
    99. 

  99. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    100. 

  100. -    ret->type = XPATH_RANGE;
    101. 

  101. -    ret->user = start->user;
    102. 

  102. -    ret->index = start->index;
    103. 

  103. -    ret->user2 = end->user;
    104. 

  104. -    ret->index2 = end->index;
    105. 

  105. +    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
    106. 

  106. +                                  end->index);
    107. 

  107.      xmlXPtrRangeCheckOrder(ret);
    108. 

  108.      return(ret);
    109. 

  109.  }
    110. 

  110. @@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
    111. 

  111.      if (start->type != XPATH_POINT)
    112. 

  112.  	return(NULL);
    113. 

  113.  
    114. 

  114. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    115. 

  115. -    if (ret == NULL) {
    116. 

  116. -        xmlXPtrErrMemory("allocating range");
    117. 

  117. -	return(NULL);
    118. 

  118. -    }
    119. 

  119. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    120. 

  120. -    ret->type = XPATH_RANGE;
    121. 

  121. -    ret->user = start->user;
    122. 

  122. -    ret->index = start->index;
    123. 

  123. -    ret->user2 = end;
    124. 

  124. -    ret->index2 = -1;
    125. 

  125. +    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
    126. 

  126.      xmlXPtrRangeCheckOrder(ret);
    127. 

  127.      return(ret);
    128. 

  128.  }
    129. 

  129. @@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
    130. 

  130.      if (end->type != XPATH_POINT)
    131. 

  131.  	return(NULL);
    132. 

  132.  
    133. 

  133. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    134. 

  134. -    if (ret == NULL) {
    135. 

  135. -        xmlXPtrErrMemory("allocating range");
    136. 

  136. -	return(NULL);
    137. 

  137. -    }
    138. 

  138. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    139. 

  139. -    ret->type = XPATH_RANGE;
    140. 

  140. -    ret->user = start;
    141. 

  141. -    ret->index = -1;
    142. 

  142. -    ret->user2 = end->user;
    143. 

  143. -    ret->index2 = end->index;
    144. 

  144. +    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
    145. 

  145.      xmlXPtrRangeCheckOrder(ret);
    146. 

  146.      return(ret);
    147. 

  147.  }
    148. 

  148. @@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
    149. 

  149.      if (end == NULL)
    150. 

  150.  	return(NULL);
    151. 

  151.  
    152. 

  152. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    153. 

  153. -    if (ret == NULL) {
    154. 

  154. -        xmlXPtrErrMemory("allocating range");
    155. 

  155. -	return(NULL);
    156. 

  156. -    }
    157. 

  157. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    158. 

  158. -    ret->type = XPATH_RANGE;
    159. 

  159. -    ret->user = start;
    160. 

  160. -    ret->index = -1;
    161. 

  161. -    ret->user2 = end;
    162. 

  162. -    ret->index2 = -1;
    163. 

  163. +    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
    164. 

  164.      xmlXPtrRangeCheckOrder(ret);
    165. 

  165.      return(ret);
    166. 

  166.  }
    167. 

  167. @@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
    168. 

  168.      if (start == NULL)
    169. 

  169.  	return(NULL);
    170. 

  170.  
    171. 

  171. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    172. 

  172. -    if (ret == NULL) {
    173. 

  173. -        xmlXPtrErrMemory("allocating range");
    174. 

  174. -	return(NULL);
    175. 

  175. -    }
    176. 

  176. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    177. 

  177. -    ret->type = XPATH_RANGE;
    178. 

  178. -    ret->user = start;
    179. 

  179. -    ret->index = -1;
    180. 

  180. -    ret->user2 = NULL;
    181. 

  181. -    ret->index2 = -1;
    182. 

  182. +    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
    183. 

  183.      return(ret);
    184. 

  184.  }
    185. 

  185.  
    186. 

  186. @@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
    187. 

  187.   */
    188. 

  188.  xmlXPathObjectPtr
    189. 

  189.  xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
    190. 

  190. +    xmlNodePtr endNode;
    191. 

  191. +    int endIndex;
    192. 

  192.      xmlXPathObjectPtr ret;
    193. 

  193.  
    194. 

  194.      if (start == NULL)
    195. 

  195. @@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
    196. 

  196.  	return(NULL);
    197. 

  197.      switch (end->type) {
    198. 

  198.  	case XPATH_POINT:
    199. 

  199. +	    endNode = end->user;
    200. 

  200. +	    endIndex = end->index;
    201. 

  201. +	    break;
    202. 

  202.  	case XPATH_RANGE:
    203. 

  203. +	    endNode = end->user2;
    204. 

  204. +	    endIndex = end->index2;
    205. 

  205.  	    break;
    206. 

  206.  	case XPATH_NODESET:
    207. 

  207.  	    /*
    208. 

  208. @@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
    209. 

  209.  	     */
    210. 

  210.  	    if (end->nodesetval->nodeNr <= 0)
    211. 

  211.  		return(NULL);
    212. 

  212. +	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
    213. 

  213. +	    endIndex = -1;
    214. 

  214.  	    break;
    215. 

  215.  	default:
    216. 

  216.  	    /* TODO */
    217. 

  217.  	    return(NULL);
    218. 

  218.      }
    219. 

  219.  
    220. 

  220. -    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
    221. 

  221. -    if (ret == NULL) {
    222. 

  222. -        xmlXPtrErrMemory("allocating range");
    223. 

  223. -	return(NULL);
    224. 

  224. -    }
    225. 

  225. -    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
    226. 

  226. -    ret->type = XPATH_RANGE;
    227. 

  227. -    ret->user = start;
    228. 

  228. -    ret->index = -1;
    229. 

  229. -    switch (end->type) {
    230. 

  230. -	case XPATH_POINT:
    231. 

  231. -	    ret->user2 = end->user;
    232. 

  232. -	    ret->index2 = end->index;
    233. 

  233. -	    break;
    234. 

  234. -	case XPATH_RANGE:
    235. 

  235. -	    ret->user2 = end->user2;
    236. 

  236. -	    ret->index2 = end->index2;
    237. 

  237. -	    break;
    238. 

  238. -	case XPATH_NODESET: {
    239. 

  239. -	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
    240. 

  240. -	    ret->index2 = -1;
    241. 

  241. -	    break;
    242. 

  242. -	}
    243. 

  243. -	default:
    244. 

  244. -	    STRANGE
    245. 

  245. -	    return(NULL);
    246. 

  246. -    }
    247. 

  247. +    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
    248. 

  248.      xmlXPtrRangeCheckOrder(ret);
    249. 

  249.      return(ret);
    250. 

  250.  }
    251. 

  251. -- 
    252. 

  252. 2.10.2
    253. 

  253.