mirror of
https://git.yoctoproject.org/poky
synced 2026-07-06 02:14:33 +02:00
libxml-parser-perl: fix for CVE-2006-10003
Pick patch from [1]. [1] https://security-tracker.debian.org/tracker/CVE-2006-10003 More details : https://nvd.nist.gov/vuln/detail/CVE-2006-10003 (From OE-Core rev: 2abf26e7551a8a306d6aaabc9653f655f66b15a1) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
d8f806b3c6
commit
34cf18e8c1
@@ -0,0 +1,73 @@
|
||||
From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001
|
||||
From: Toddr Bot <toddbot@rinaldo.us>
|
||||
Date: Mon, 16 Mar 2026 22:16:11 +0000
|
||||
Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack
|
||||
growth check
|
||||
|
||||
When st_serial_stackptr == st_serial_stacksize - 1, the old check
|
||||
(stackptr >= stacksize) would not trigger reallocation. The subsequent
|
||||
++stackptr then writes at index stacksize, one element past the
|
||||
allocated buffer.
|
||||
|
||||
Fix by checking stackptr + 1 >= stacksize so the buffer is grown
|
||||
before the pre-increment write.
|
||||
|
||||
Add a deep nesting test (600 levels) to exercise this code path.
|
||||
|
||||
Fixes #39
|
||||
|
||||
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
||||
|
||||
CVE: CVE-2006-10003
|
||||
Upstream-Status: Backport [https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1]
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
Expat/Expat.xs | 2 +-
|
||||
t/deep_nesting.t | 22 ++++++++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 1 deletion(-)
|
||||
create mode 100644 t/deep_nesting.t
|
||||
|
||||
diff --git a/Expat/Expat.xs b/Expat/Expat.xs
|
||||
index dbad380..f04a0cf 100644
|
||||
--- a/Expat/Expat.xs
|
||||
+++ b/Expat/Expat.xs
|
||||
@@ -499,7 +499,7 @@ startElement(void *userData, const char *name, const char **atts)
|
||||
}
|
||||
}
|
||||
|
||||
- if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
|
||||
+ if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
|
||||
unsigned int newsize = cbv->st_serial_stacksize + 512;
|
||||
|
||||
Renew(cbv->st_serial_stack, newsize, unsigned int);
|
||||
diff --git a/t/deep_nesting.t b/t/deep_nesting.t
|
||||
new file mode 100644
|
||||
index 0000000..8237b5f
|
||||
--- /dev/null
|
||||
+++ b/t/deep_nesting.t
|
||||
@@ -0,0 +1,22 @@
|
||||
+BEGIN { print "1..1\n"; }
|
||||
+
|
||||
+# Test for deeply nested elements to exercise st_serial_stack reallocation.
|
||||
+# This catches off-by-one errors in the stack growth check (GH #39).
|
||||
+
|
||||
+use XML::Parser;
|
||||
+
|
||||
+my $depth = 600;
|
||||
+
|
||||
+my $xml = '';
|
||||
+for my $i (1 .. $depth) {
|
||||
+ $xml .= "<e$i>";
|
||||
+}
|
||||
+for my $i (reverse 1 .. $depth) {
|
||||
+ $xml .= "</e$i>";
|
||||
+}
|
||||
+
|
||||
+my $p = XML::Parser->new;
|
||||
+eval { $p->parse($xml) };
|
||||
+
|
||||
+print "not " if $@;
|
||||
+print "ok 1\n";
|
||||
--
|
||||
2.50.1
|
||||
|
||||
@@ -8,6 +8,7 @@ DEPENDS += "expat"
|
||||
|
||||
SRC_URI = "${CPAN_MIRROR}/authors/id/T/TO/TODDR/XML-Parser-${PV}.tar.gz \
|
||||
file://0001-Makefile.PL-make-check_lib-cross-friendly.patch \
|
||||
file://CVE-2006-10003.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "ad4aae643ec784f489b956abe952432871a622d4e2b5c619e8855accbfc4d1d8"
|
||||
|
||||
Reference in New Issue
Block a user