Gentoo's Bugzilla – Attachment 162889 Details for
Bug 234099
dev-libs/libxml2 <2.7.0 xmlStringLenDecodeEntities() Denial of Service (CVE-2008-3281)
[patch]
libxml2-2.6.32-CVE-2008-3281.patch
libxml2-2.6.32-CVE-2008-3281.patch (text/plain), 8.22 KB, created by
Robert Buchholz (RETIRED)
on 2008-08-14 12:54:34 UTC
Description:
libxml2-2.6.32-CVE-2008-3281.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-08-14 12:54:34 UTC
Size:
8.22 KB
patch
obsolete
>Index: libxml2-2.6.32/include/libxml/parser.h
>===================================================================
>--- libxml2-2.6.32.orig/include/libxml/parser.h
>+++ libxml2-2.6.32/include/libxml/parser.h
>@@ -297,6 +297,7 @@ struct _xmlParserCtxt {
> */
> xmlError lastError;
> xmlParserMode parseMode; /* the parser mode */
>+ unsigned long nbentities; /* number of entities references */
> };
> 
> /**
>Index: libxml2-2.6.32/include/libxml/entities.h
>===================================================================
>--- libxml2-2.6.32.orig/include/libxml/entities.h
>+++ libxml2-2.6.32/include/libxml/entities.h
>@@ -57,6 +57,7 @@ struct _xmlEntity {
> const xmlChar *URI; /* the full URI as computed */
> int owner; /* does the entity own the childrens */
> int checked; /* was the entity content checked */
>+ unsigned long nbentities; /* the number of entities references */
> };
> 
> /*
>Index: libxml2-2.6.32/entities.c
>===================================================================
>--- libxml2-2.6.32.orig/entities.c
>+++ libxml2-2.6.32/entities.c
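Review bot: The comments on the two new `nbentities` fields do not say what is counted, and the two structures count different things, so the arithmetic in parser.c that relies on that distinction (`ent->nbentities = ctxt->nbentities - oldnbent`, then `ctxt->nbentities += ent->nbentities` on later references) has no stated contract to be checked against. For `_xmlParserCtxt` I would write `/* running total of entity references expanded in this context; parsing aborts with XML_ERR_ENTITY_LOOP once it reaches a hard limit */`, and for `_xmlEntity` `/* number of entity references seen while this entity's content was parsed; added to the context total on each later reference */`. Both comments also read "entities references" where "entity references" is meant. Both structures live in public headers, so appending a member changes their size; any caller that allocates them itself rather than through the library presumably needs a rebuild, which is worth a line in the release notes.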
>@@ -31,35 +31,35 @@ static xmlEntity xmlEntityLt = {
> NULL, NULL, NULL, NULL, NULL, NULL,
> BAD_CAST "<", BAD_CAST "<", 1,
> XML_INTERNAL_PREDEFINED_ENTITY,
>- NULL, NULL, NULL, NULL, 0, 1
>+ NULL, NULL, NULL, NULL, 0, 1, 0
> };
> static xmlEntity xmlEntityGt = {
> NULL, XML_ENTITY_DECL, BAD_CAST "gt",
> NULL, NULL, NULL, NULL, NULL, NULL,
> BAD_CAST ">", BAD_CAST ">", 1,
> XML_INTERNAL_PREDEFINED_ENTITY,
>- NULL, NULL, NULL, NULL, 0, 1
>+ NULL, NULL, NULL, NULL, 0, 1, 0
> };
> static xmlEntity xmlEntityAmp = {
> NULL, XML_ENTITY_DECL, BAD_CAST "amp",
> NULL, NULL, NULL, NULL, NULL, NULL,
> BAD_CAST "&", BAD_CAST "&", 1,
> XML_INTERNAL_PREDEFINED_ENTITY,
>- NULL, NULL, NULL, NULL, 0, 1
>+ NULL, NULL, NULL, NULL, 0, 1, 0
> };
> static xmlEntity xmlEntityQuot = {
> NULL, XML_ENTITY_DECL, BAD_CAST "quot",
> NULL, NULL, NULL, NULL, NULL, NULL,
> BAD_CAST "\"", BAD_CAST "\"", 1,
> XML_INTERNAL_PREDEFINED_ENTITY,
>- NULL, NULL, NULL, NULL, 0, 1
>+ NULL, NULL, NULL, NULL, 0, 1, 0
> };
> static xmlEntity xmlEntityApos = {
> NULL, XML_ENTITY_DECL, BAD_CAST "apos",
> NULL, NULL, NULL, NULL, NULL, NULL,
> BAD_CAST "'", BAD_CAST "'", 1,
> XML_INTERNAL_PREDEFINED_ENTITY,
>- NULL, NULL, NULL, NULL, 0, 1
>+ NULL, NULL, NULL, NULL, 0, 1, 0
> };
> 
> /**
>Index: libxml2-2.6.32/parserInternals.c
>===================================================================
>--- libxml2-2.6.32.orig/parserInternals.c
>+++ libxml2-2.6.32/parserInternals.c
>@@ -1669,6 +1669,7 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
> ctxt->depth = 0;
> ctxt->charset = XML_CHAR_ENCODING_UTF8;
> ctxt->catalogs = NULL;
>+ ctxt->nbentities = 0;
> xmlInitNodeInfoSeq(&ctxt->node_seq);
> return(0);
> }
>Index: libxml2-2.6.32/parser.c
>===================================================================
>--- libxml2-2.6.32.orig/parser.c
>+++ libxml2-2.6.32/parser.c
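Review bot: The five predefined entities in the `@@ -31,35` hunk are initialised positionally, so adding `nbentities` forced a trailing `, 0` into every one of them and the next struct member will need the same five-way edit. Since these objects have static storage, omitted trailing members are zero-filled anyway, so the `, 0` only documents the starting value; if the project's compiler baseline permits C99, designated initialisers (`.etype = XML_INTERNAL_PREDEFINED_ENTITY, .checked = 1`) would make the tables robust to further growth of `_xmlEntity`, otherwise a short comment above the first table noting that new members must be appended here would do. The `xmlInitParserCtxt` hunk is fine as far as it goes; the function starts outside the hunk.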
>@@ -2344,7 +2344,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
> return(NULL);
> last = str + len;
> 
>- if (ctxt->depth > 40) {
>+ if ((ctxt->depth > 40) || (ctxt->nbentities >= 500000)) {
> xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
> return(NULL);
> }
>@@ -2382,6 +2382,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
> "String decoding Entity Reference: %.30s\n",
> str);
> ent = xmlParseStringEntityRef(ctxt, &str);
>+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
>+ goto int_error;
>+ ctxt->nbentities++;
>+ if (ent != NULL)
>+ ctxt->nbentities += ent->nbentities;
> if ((ent != NULL) &&
> (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
> if (ent->content != NULL) {
>@@ -2427,6 +2432,11 @@ xmlStringLenDecodeEntities(xmlParserCtxt
> xmlGenericError(xmlGenericErrorContext,
> "String decoding PE Reference: %.30s\n", str);
> ent = xmlParseStringPEReference(ctxt, &str);
>+ if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
>+ goto int_error;
>+ ctxt->nbentities++;
>+ if (ent != NULL)
>+ ctxt->nbentities += ent->nbentities;
> if (ent != NULL) {
> if (ent->content == NULL) {
> if (xmlLoadEntityContent(ctxt, ent) < 0) {
>@@ -2466,6 +2476,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
> 
> mem_error:
> xmlErrMemory(ctxt, NULL);
>+int_error:
> if (rep != NULL)
> xmlFree(rep);
> if (buffer != NULL)
>@@ -3280,6 +3291,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
> }
> } else {
> ent = xmlParseEntityRef(ctxt);
>+ ctxt->nbentities++;
>+ if (ent != NULL)
>+ ctxt->nbentities += ent->nbentities;
> if ((ent != NULL) &&
> (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
> if (len > buf_size - 10) {
>@@ -4566,6 +4580,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
> int isParameter = 0;
> xmlChar *orig = NULL;
> int skipped;
>+ unsigned long oldnbent = ctxt->nbentities;
> 
> /* GROW; done in the caller */
> if (CMP8(CUR_PTR, '<', '!', 'E', 'N', 'T', 'I', 'T', 'Y')) {
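Review bot: The limit `500000` in the new condition of the `@@ -2344` hunk is a bare literal, and the same literal is repeated in the hunks at `@@ -6189`, `@@ -11480`, `@@ -11681` and `@@ -11924`; if the threshold is ever tuned one of the five copies will be missed. Define it once in parser.c next to the existing depth limit, e.g. `#define XML_PARSER_MAX_ENTITY_REFS 500000` (constructed name), and compare against that everywhere. In the `@@ -2382` and `@@ -2427` hunks the `goto int_error` fires on `ctxt->lastError.code == XML_ERR_ENTITY_LOOP`, which presumably also triggers when the loop error was recorded by an earlier, unrelated reference in the same context; that is acceptable because the document is already not well-formed, but a one-line comment saying so, `/* a loop error anywhere in this context aborts decoding */`, would save the next reader a detour. xmlStringLenDecodeEntities, xmlParseAttValueComplex and xmlParseEntityDecl all start and end outside these hunks.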
>@@ -4783,6 +4798,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt
> }
> }
> if (cur != NULL) {
>+ cur->nbentities = ctxt->nbentities - oldnbent;
> if (cur->orig != NULL)
> xmlFree(orig);
> else
>@@ -6189,6 +6205,11 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
> if (ent == NULL) return;
> if (!ctxt->wellFormed)
> return;
>+ ctxt->nbentities++;
>+ if (ctxt->nbentities >= 500000) {
>+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
>+ return;
>+ }
> was_checked = ent->checked;
> if ((ent->name != NULL) &&
> (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY)) {
>@@ -6249,6 +6270,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
> xmlFreeNodeList(list);
> }
> } else {
>+ unsigned long oldnbent = ctxt->nbentities;
> /*
> * 4.3.2: An internal general parsed entity is well-formed
> * if its replacement text matches the production labeled
>@@ -6271,6 +6293,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
> ret = xmlParseBalancedChunkMemoryInternal(ctxt,
> value, user_data, &list);
> ctxt->depth--;
>+ 
> } else if (ent->etype ==
> XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
> ctxt->depth++;
>@@ -6283,6 +6306,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
> xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
> "invalid entity type found\n", NULL);
> }
>+ ent->nbentities = ctxt->nbentities - oldnbent;
> if (ret == XML_ERR_ENTITY_LOOP) {
> xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
> return;
>@@ -6341,6 +6365,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
> }
> ent->checked = 1;
> }
>+ ctxt->nbentities += ent->nbentities;
> 
> if (ent->children == NULL) {
> /*
>@@ -11480,7 +11505,7 @@ xmlParseCtxtExternalEntity(xmlParserCtxt
> 
> if (ctx == NULL) return(-1);
> 
>- if (ctx->depth > 40) {
>+ if ((ctx->depth > 40) || (ctx->nbentities >= 500000)) {
> return(XML_ERR_ENTITY_LOOP);
> }
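Review bot: On the first expansion of an entity the references inside it appear to be counted twice in xmlParseReference: while `ent->checked` is still 0 the nested parse adds its references to `ctxt->nbentities` (via the `oldctxt->nbentities += ctxt->nbentities` merge in xmlParseBalancedChunkMemoryInternal), the `@@ -6283` hunk then stores that delta in `ent->nbentities`, and the unconditional `ctxt->nbentities += ent->nbentities;` added in the `@@ -6341` hunk adds the same delta a second time. The over-count only makes the limit stricter, so it is not a bypass, but it inflates the total for entities that are referenced once and could reject legitimate input with XML_ERR_ENTITY_LOOP earlier than intended. Guarding the addition with the flag the function already keeps, `if (was_checked != 0) ctxt->nbentities += ent->nbentities;`, would count each expansion exactly once, assuming the addition sits at function scope where `was_checked` is visible (the braces above it are cut by the hunk). The `@@ -6271` hunk adds only a blank line and can be dropped. xmlParseReference begins before `@@ -6189` and continues past `@@ -6341`.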
> 
>@@ -11681,7 +11706,8 @@ xmlParseExternalEntityPrivate(xmlDocPtr
> xmlChar start[4];
> xmlCharEncoding enc;
> 
>- if (depth > 40) {
>+ if ((depth > 40) ||
>+ ((oldctxt != NULL) && (oldctxt->nbentities >= 500000))) {
> return(XML_ERR_ENTITY_LOOP);
> }
> 
>@@ -11824,6 +11850,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr
> oldctxt->node_seq.maximum = ctxt->node_seq.maximum;
> oldctxt->node_seq.length = ctxt->node_seq.length;
> oldctxt->node_seq.buffer = ctxt->node_seq.buffer;
>+ oldctxt->nbentities += ctxt->nbentities;
> ctxt->node_seq.maximum = 0;
> ctxt->node_seq.length = 0;
> ctxt->node_seq.buffer = NULL;
>@@ -11924,7 +11951,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
> int size;
> xmlParserErrors ret = XML_ERR_OK;
> 
>- if (oldctxt->depth > 40) {
>+ if ((oldctxt->depth > 40) || (oldctxt->nbentities >= 500000)) {
> return(XML_ERR_ENTITY_LOOP);
> }
> 
>@@ -12048,6 +12075,7 @@ xmlParseBalancedChunkMemoryInternal(xmlP
> ctxt->myDoc->last = last;
> }
> 
>+ oldctxt->nbentities += ctxt->nbentities;
> ctxt->sax = oldsax;
> ctxt->dict = NULL;
> ctxt->attsDefault = NULL;
>@@ -13363,6 +13391,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
> ctxt->depth = 0;
> ctxt->charset = XML_CHAR_ENCODING_UTF8;
> ctxt->catalogs = NULL;
>+ ctxt->nbentities = 0;
> xmlInitNodeInfoSeq(&ctxt->node_seq);
> 
> if (ctxt->attsDefault != NULL) {
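Review bot: The child contexts used by xmlParseExternalEntityPrivate and xmlParseBalancedChunkMemoryInternal start with `nbentities` at zero (presumably through the xmlInitParserCtxt change in this patch), and the references expanded inside them are checked against that fresh counter, not against `oldctxt->nbentities`; the entry checks added at `@@ -11681` and `@@ -11924` consult the parent only once, before the nested parse begins. Because the `oldctxt->nbentities += ctxt->nbentities;` merge at `@@ -11824` and `@@ -12048` runs only after the nested parse returns, each nesting level gets its own full budget, so with the existing depth limit of 40 the effective bound could be on the order of 40 times the intended limit, and if the merge line sits on a path that early error returns skip (the hunks do not show those exits) the parent never sees those references at all. Seeding the child from the parent right after it is created, `ctxt->nbentities = oldctxt->nbentities;` (guarded by `oldctxt != NULL` in the external-entity case), and replacing the merge with `oldctxt->nbentities = ctxt->nbentities;` makes the limit cumulative across levels. Both functions, and xmlCtxtReset, start and end outside these hunks.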