libxml2: 2.9.4 -> 2.9.5
(From OE-Core rev: a0d2427bb86668215d7c9e1be07cb9a2d86f6755) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
11a51afa58
commit
7515e9f0bc
@@ -183,7 +183,7 @@ index 68cd824..5fa0a9b 100644
|
||||
- echo "*** If you have an old version installed, it is best to remove it, although"
|
||||
- echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" ],
|
||||
- [ echo "*** The test program failed to compile or link. See the file config.log for the"
|
||||
- echo "*** exact error that occured. This usually means LIBXML was incorrectly installed"
|
||||
- echo "*** exact error that occurred. This usually means LIBXML was incorrectly installed"
|
||||
- echo "*** or that you have moved LIBXML since it was installed. In the latter case, you"
|
||||
- echo "*** may want to edit the xml2-config script: $XML2_CONFIG" ])
|
||||
- CPPFLAGS="$ac_save_CPPFLAGS"
|
||||
|
||||
@@ -1,269 +0,0 @@
|
||||
libxml2-2.9.4: Fix CVE-2016-4658
|
||||
|
||||
[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4658
|
||||
|
||||
xpointer: Disallow namespace nodes in XPointer points and ranges
|
||||
|
||||
Namespace nodes must be copied to avoid use-after-free errors.
|
||||
But they don't necessarily have a physical representation in a
|
||||
document, so simply disallow them in XPointer ranges.
|
||||
|
||||
Upstream-Status: Backport
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=3f8a91036d338e51c059d54397a42d645f019c65]
|
||||
CVE: CVE-2016-4658
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
||||
|
||||
diff --git a/xpointer.c b/xpointer.c
|
||||
index 676c510..911680d 100644
|
||||
--- a/xpointer.c
|
||||
+++ b/xpointer.c
|
||||
@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
|
||||
}
|
||||
|
||||
/**
|
||||
+ * xmlXPtrNewRangeInternal:
|
||||
+ * @start: the starting node
|
||||
+ * @startindex: the start index
|
||||
+ * @end: the ending point
|
||||
+ * @endindex: the ending index
|
||||
+ *
|
||||
+ * Internal function to create a new xmlXPathObjectPtr of type range
|
||||
+ *
|
||||
+ * Returns the newly created object.
|
||||
+ */
|
||||
+static xmlXPathObjectPtr
|
||||
+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
|
||||
+ xmlNodePtr end, int endindex) {
|
||||
+ xmlXPathObjectPtr ret;
|
||||
+
|
||||
+ /*
|
||||
+ * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
|
||||
+ * Disallow them for now.
|
||||
+ */
|
||||
+ if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
|
||||
+ return(NULL);
|
||||
+ if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
|
||||
+ return(NULL);
|
||||
+
|
||||
+ ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
+ if (ret == NULL) {
|
||||
+ xmlXPtrErrMemory("allocating range");
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ memset(ret, 0, sizeof(xmlXPathObject));
|
||||
+ ret->type = XPATH_RANGE;
|
||||
+ ret->user = start;
|
||||
+ ret->index = startindex;
|
||||
+ ret->user2 = end;
|
||||
+ ret->index2 = endindex;
|
||||
+ return(ret);
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
* xmlXPtrNewRange:
|
||||
* @start: the starting node
|
||||
* @startindex: the start index
|
||||
@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
|
||||
if (endindex < 0)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start;
|
||||
- ret->index = startindex;
|
||||
- ret->user2 = end;
|
||||
- ret->index2 = endindex;
|
||||
+ ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
|
||||
if (end->type != XPATH_POINT)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start->user;
|
||||
- ret->index = start->index;
|
||||
- ret->user2 = end->user;
|
||||
- ret->index2 = end->index;
|
||||
+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
|
||||
+ end->index);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
|
||||
if (start->type != XPATH_POINT)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start->user;
|
||||
- ret->index = start->index;
|
||||
- ret->user2 = end;
|
||||
- ret->index2 = -1;
|
||||
+ ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
|
||||
if (end->type != XPATH_POINT)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start;
|
||||
- ret->index = -1;
|
||||
- ret->user2 = end->user;
|
||||
- ret->index2 = end->index;
|
||||
+ ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
|
||||
if (end == NULL)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start;
|
||||
- ret->index = -1;
|
||||
- ret->user2 = end;
|
||||
- ret->index2 = -1;
|
||||
+ ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
|
||||
if (start == NULL)
|
||||
return(NULL);
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start;
|
||||
- ret->index = -1;
|
||||
- ret->user2 = NULL;
|
||||
- ret->index2 = -1;
|
||||
+ ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
|
||||
return(ret);
|
||||
}
|
||||
|
||||
@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
|
||||
*/
|
||||
xmlXPathObjectPtr
|
||||
xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
|
||||
+ xmlNodePtr endNode;
|
||||
+ int endIndex;
|
||||
xmlXPathObjectPtr ret;
|
||||
|
||||
if (start == NULL)
|
||||
@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
|
||||
return(NULL);
|
||||
switch (end->type) {
|
||||
case XPATH_POINT:
|
||||
+ endNode = end->user;
|
||||
+ endIndex = end->index;
|
||||
+ break;
|
||||
case XPATH_RANGE:
|
||||
+ endNode = end->user2;
|
||||
+ endIndex = end->index2;
|
||||
break;
|
||||
case XPATH_NODESET:
|
||||
/*
|
||||
@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
|
||||
*/
|
||||
if (end->nodesetval->nodeNr <= 0)
|
||||
return(NULL);
|
||||
+ endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
|
||||
+ endIndex = -1;
|
||||
break;
|
||||
default:
|
||||
/* TODO */
|
||||
return(NULL);
|
||||
}
|
||||
|
||||
- ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
|
||||
- if (ret == NULL) {
|
||||
- xmlXPtrErrMemory("allocating range");
|
||||
- return(NULL);
|
||||
- }
|
||||
- memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
|
||||
- ret->type = XPATH_RANGE;
|
||||
- ret->user = start;
|
||||
- ret->index = -1;
|
||||
- switch (end->type) {
|
||||
- case XPATH_POINT:
|
||||
- ret->user2 = end->user;
|
||||
- ret->index2 = end->index;
|
||||
- break;
|
||||
- case XPATH_RANGE:
|
||||
- ret->user2 = end->user2;
|
||||
- ret->index2 = end->index2;
|
||||
- break;
|
||||
- case XPATH_NODESET: {
|
||||
- ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
|
||||
- ret->index2 = -1;
|
||||
- break;
|
||||
- }
|
||||
- default:
|
||||
- STRANGE
|
||||
- return(NULL);
|
||||
- }
|
||||
+ ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
|
||||
xmlXPtrRangeCheckOrder(ret);
|
||||
return(ret);
|
||||
}
|
||||
@@ -1835,8 +1798,8 @@ xmlXPtrStartPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
case XPATH_RANGE: {
|
||||
xmlNodePtr node = tmp->user;
|
||||
if (node != NULL) {
|
||||
- if (node->type == XML_ATTRIBUTE_NODE) {
|
||||
- /* TODO: Namespace Nodes ??? */
|
||||
+ if ((node->type == XML_ATTRIBUTE_NODE) ||
|
||||
+ (node->type == XML_NAMESPACE_DECL)) {
|
||||
xmlXPathFreeObject(obj);
|
||||
xmlXPtrFreeLocationSet(newset);
|
||||
XP_ERROR(XPTR_SYNTAX_ERROR);
|
||||
@@ -1931,8 +1894,8 @@ xmlXPtrEndPointFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
case XPATH_RANGE: {
|
||||
xmlNodePtr node = tmp->user2;
|
||||
if (node != NULL) {
|
||||
- if (node->type == XML_ATTRIBUTE_NODE) {
|
||||
- /* TODO: Namespace Nodes ??? */
|
||||
+ if ((node->type == XML_ATTRIBUTE_NODE) ||
|
||||
+ (node->type == XML_NAMESPACE_DECL)) {
|
||||
xmlXPathFreeObject(obj);
|
||||
xmlXPtrFreeLocationSet(newset);
|
||||
XP_ERROR(XPTR_SYNTAX_ERROR);
|
||||
@@ -1,180 +0,0 @@
|
||||
From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 28 Jun 2016 14:22:23 +0200
|
||||
Subject: [PATCH] Fix XPointer paths beginning with range-to
|
||||
|
||||
The old code would invoke the broken xmlXPtrRangeToFunction. range-to
|
||||
isn't really a function but a special kind of location step. Remove
|
||||
this function and always handle range-to in the XPath code.
|
||||
|
||||
The old xmlXPtrRangeToFunction could also be abused to trigger a
|
||||
use-after-free error with the potential for remote code execution.
|
||||
|
||||
Found with afl-fuzz.
|
||||
|
||||
Fixes CVE-2016-5131.
|
||||
|
||||
CVE: CVE-2016-5131
|
||||
Upstream-Status: Backport
|
||||
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windirver.com>
|
||||
---
|
||||
result/XPath/xptr/vidbase | 13 ++++++++
|
||||
test/XPath/xptr/vidbase | 1 +
|
||||
xpath.c | 7 ++++-
|
||||
xpointer.c | 76 ++++-------------------------------------------
|
||||
4 files changed, 26 insertions(+), 71 deletions(-)
|
||||
|
||||
diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
|
||||
index 8b9e92d..f19193e 100644
|
||||
--- a/result/XPath/xptr/vidbase
|
||||
+++ b/result/XPath/xptr/vidbase
|
||||
@@ -17,3 +17,16 @@ Object is a Location Set:
|
||||
To node
|
||||
ELEMENT p
|
||||
|
||||
+
|
||||
+========================
|
||||
+Expression: xpointer(range-to(id('chapter2')))
|
||||
+Object is a Location Set:
|
||||
+1 : Object is a range :
|
||||
+ From node
|
||||
+ /
|
||||
+ To node
|
||||
+ ELEMENT chapter
|
||||
+ ATTRIBUTE id
|
||||
+ TEXT
|
||||
+ content=chapter2
|
||||
+
|
||||
diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
|
||||
index b146383..884b106 100644
|
||||
--- a/test/XPath/xptr/vidbase
|
||||
+++ b/test/XPath/xptr/vidbase
|
||||
@@ -1,2 +1,3 @@
|
||||
xpointer(id('chapter1')/p)
|
||||
xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
|
||||
+xpointer(range-to(id('chapter2')))
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index d992841..5a01b1b 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
|
||||
lc = 1;
|
||||
break;
|
||||
} else if ((NXT(len) == '(')) {
|
||||
- /* Note Type or Function */
|
||||
+ /* Node Type or Function */
|
||||
if (xmlXPathIsNodeType(name)) {
|
||||
#ifdef DEBUG_STEP
|
||||
xmlGenericError(xmlGenericErrorContext,
|
||||
"PathExpr: Type search\n");
|
||||
#endif
|
||||
lc = 1;
|
||||
+#ifdef LIBXML_XPTR_ENABLED
|
||||
+ } else if (ctxt->xptr &&
|
||||
+ xmlStrEqual(name, BAD_CAST "range-to")) {
|
||||
+ lc = 1;
|
||||
+#endif
|
||||
} else {
|
||||
#ifdef DEBUG_STEP
|
||||
xmlGenericError(xmlGenericErrorContext,
|
||||
diff --git a/xpointer.c b/xpointer.c
|
||||
index 676c510..d74174a 100644
|
||||
--- a/xpointer.c
|
||||
+++ b/xpointer.c
|
||||
@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
|
||||
ret->here = here;
|
||||
ret->origin = origin;
|
||||
|
||||
- xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
|
||||
- xmlXPtrRangeToFunction);
|
||||
xmlXPathRegisterFunc(ret, (xmlChar *)"range",
|
||||
xmlXPtrRangeFunction);
|
||||
xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
|
||||
@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
* @nargs: the number of args
|
||||
*
|
||||
* Implement the range-to() XPointer function
|
||||
+ *
|
||||
+ * Obsolete. range-to is not a real function but a special type of location
|
||||
+ * step which is handled in xpath.c.
|
||||
*/
|
||||
void
|
||||
-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
- xmlXPathObjectPtr range;
|
||||
- const xmlChar *cur;
|
||||
- xmlXPathObjectPtr res, obj;
|
||||
- xmlXPathObjectPtr tmp;
|
||||
- xmlLocationSetPtr newset = NULL;
|
||||
- xmlNodeSetPtr oldset;
|
||||
- int i;
|
||||
-
|
||||
- if (ctxt == NULL) return;
|
||||
- CHECK_ARITY(1);
|
||||
- /*
|
||||
- * Save the expression pointer since we will have to evaluate
|
||||
- * it multiple times. Initialize the new set.
|
||||
- */
|
||||
- CHECK_TYPE(XPATH_NODESET);
|
||||
- obj = valuePop(ctxt);
|
||||
- oldset = obj->nodesetval;
|
||||
- ctxt->context->node = NULL;
|
||||
-
|
||||
- cur = ctxt->cur;
|
||||
- newset = xmlXPtrLocationSetCreate(NULL);
|
||||
-
|
||||
- for (i = 0; i < oldset->nodeNr; i++) {
|
||||
- ctxt->cur = cur;
|
||||
-
|
||||
- /*
|
||||
- * Run the evaluation with a node list made of a single item
|
||||
- * in the nodeset.
|
||||
- */
|
||||
- ctxt->context->node = oldset->nodeTab[i];
|
||||
- tmp = xmlXPathNewNodeSet(ctxt->context->node);
|
||||
- valuePush(ctxt, tmp);
|
||||
-
|
||||
- xmlXPathEvalExpr(ctxt);
|
||||
- CHECK_ERROR;
|
||||
-
|
||||
- /*
|
||||
- * The result of the evaluation need to be tested to
|
||||
- * decided whether the filter succeeded or not
|
||||
- */
|
||||
- res = valuePop(ctxt);
|
||||
- range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
|
||||
- if (range != NULL) {
|
||||
- xmlXPtrLocationSetAdd(newset, range);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Cleanup
|
||||
- */
|
||||
- if (res != NULL)
|
||||
- xmlXPathFreeObject(res);
|
||||
- if (ctxt->value == tmp) {
|
||||
- res = valuePop(ctxt);
|
||||
- xmlXPathFreeObject(res);
|
||||
- }
|
||||
-
|
||||
- ctxt->context->node = NULL;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * The result is used as the new evaluation set.
|
||||
- */
|
||||
- xmlXPathFreeObject(obj);
|
||||
- ctxt->context->node = NULL;
|
||||
- ctxt->context->contextSize = -1;
|
||||
- ctxt->context->proximityPosition = -1;
|
||||
- valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
|
||||
+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
|
||||
+ int nargs ATTRIBUTE_UNUSED) {
|
||||
+ XP_ERROR(XPATH_EXPR_ERROR);
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.7.4
|
||||
|
||||
@@ -1,40 +0,0 @@
|
||||
libxml2: Fix CVE-2017-0663
|
||||
|
||||
[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=780228
|
||||
|
||||
valid: Fix type confusion in xmlValidateOneNamespace
|
||||
|
||||
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
|
||||
on namespace declarations make no practical sense anyway.
|
||||
|
||||
Fixes bug 780228
|
||||
|
||||
Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
|
||||
CVE: CVE-2017-0663
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index 19f84b8..e03d35e 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -4621,6 +4621,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
|
||||
}
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
|
||||
+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
|
||||
+ * no practical sense to use ID types anyway.
|
||||
+ */
|
||||
+#if 0
|
||||
/* Validity Constraint: ID uniqueness */
|
||||
if (attrDecl->atype == XML_ATTRIBUTE_ID) {
|
||||
if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
|
||||
@@ -4632,6 +4638,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
|
||||
if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
|
||||
ret = 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
/* Validity Constraint: Notation Attributes */
|
||||
if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
|
||||
@@ -1,62 +0,0 @@
|
||||
libxml2-2.9.4: Fix CVE-2017-5969
|
||||
|
||||
[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=758422
|
||||
|
||||
valid: Fix NULL pointer deref in xmlDumpElementContent
|
||||
|
||||
Can only be triggered in recovery mode.
|
||||
|
||||
Fixes bug 758422
|
||||
|
||||
Upstream-Status: Backport - [https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882]
|
||||
CVE: CVE-2017-5969
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
|
||||
diff --git a/valid.c b/valid.c
|
||||
index 19f84b8..0a8e58a 100644
|
||||
--- a/valid.c
|
||||
+++ b/valid.c
|
||||
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
|
||||
xmlBufferWriteCHAR(buf, content->name);
|
||||
break;
|
||||
case XML_ELEMENT_CONTENT_SEQ:
|
||||
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||||
+ if ((content->c1 != NULL) &&
|
||||
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||||
xmlDumpElementContent(buf, content->c1, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c1, 0);
|
||||
xmlBufferWriteChar(buf, " , ");
|
||||
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||||
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||||
+ if ((content->c2 != NULL) &&
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
|
||||
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||||
xmlDumpElementContent(buf, content->c2, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c2, 0);
|
||||
break;
|
||||
case XML_ELEMENT_CONTENT_OR:
|
||||
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
|
||||
+ if ((content->c1 != NULL) &&
|
||||
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
|
||||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
|
||||
xmlDumpElementContent(buf, content->c1, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c1, 0);
|
||||
xmlBufferWriteChar(buf, " | ");
|
||||
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||||
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||||
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
|
||||
+ if ((content->c2 != NULL) &&
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
|
||||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
|
||||
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
|
||||
xmlDumpElementContent(buf, content->c2, 1);
|
||||
else
|
||||
xmlDumpElementContent(buf, content->c2, 0);
|
||||
@@ -1,37 +0,0 @@
|
||||
From d2f873a541c72b0f67e15562819bf98b884b30b7 Mon Sep 17 00:00:00 2001
|
||||
From: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
Date: Wed, 23 Aug 2017 16:04:49 +0800
|
||||
Subject: [PATCH] fix CVE-2017-8872
|
||||
|
||||
this makes xmlHaltParser "empty" the buffer, as it resets cur and ava
|
||||
il too here.
|
||||
|
||||
this seems to cure this specific issue, and also passes the testsuite
|
||||
|
||||
Signed-off-by: Marcus Meissner <meissner@suse.de>
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=775200
|
||||
Upstream-Status: Backport [https://bugzilla.gnome.org/attachment.cgi?id=355527&action=diff]
|
||||
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
---
|
||||
parser.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 9506ead..6c07ffd 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -12664,6 +12664,10 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) {
|
||||
}
|
||||
ctxt->input->cur = BAD_CAST"";
|
||||
ctxt->input->base = ctxt->input->cur;
|
||||
+ if (ctxt->input->buf) {
|
||||
+ xmlBufEmpty (ctxt->input->buf->buffer);
|
||||
+ } else
|
||||
+ ctxt->input->length = 0;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,291 +0,0 @@
|
||||
libxml2-2.9.4: Fix CVE-2017-9049 and CVE-2017-9050
|
||||
|
||||
[No upstream tracking] -- https://bugzilla.gnome.org/show_bug.cgi?id=781205
|
||||
-- https://bugzilla.gnome.org/show_bug.cgi?id=781361
|
||||
|
||||
parser: Fix handling of parameter-entity references
|
||||
|
||||
There were two bugs where parameter-entity references could lead to an
|
||||
unexpected change of the input buffer in xmlParseNameComplex and
|
||||
xmlDictLookup being called with an invalid pointer.
|
||||
|
||||
Percent sign in DTD Names
|
||||
=========================
|
||||
|
||||
The NEXTL macro used to call xmlParserHandlePEReference. When parsing
|
||||
"complex" names inside the DTD, this could result in entity expansion
|
||||
which created a new input buffer. The fix is to simply remove the call
|
||||
to xmlParserHandlePEReference from the NEXTL macro. This is safe because
|
||||
no users of the macro require expansion of parameter entities.
|
||||
|
||||
- xmlParseNameComplex
|
||||
- xmlParseNCNameComplex
|
||||
- xmlParseNmtoken
|
||||
|
||||
The percent sign is not allowed in names, which are grammatical tokens.
|
||||
|
||||
- xmlParseEntityValue
|
||||
|
||||
Parameter-entity references in entity values are expanded but this
|
||||
happens in a separate step in this function.
|
||||
|
||||
- xmlParseSystemLiteral
|
||||
|
||||
Parameter-entity references are ignored in the system literal.
|
||||
|
||||
- xmlParseAttValueComplex
|
||||
- xmlParseCharDataComplex
|
||||
- xmlParseCommentComplex
|
||||
- xmlParsePI
|
||||
- xmlParseCDSect
|
||||
|
||||
Parameter-entity references are ignored outside the DTD.
|
||||
|
||||
- xmlLoadEntityContent
|
||||
|
||||
This function is only called from xmlStringLenDecodeEntities and
|
||||
entities are replaced in a separate step immediately after the function
|
||||
call.
|
||||
|
||||
This bug could also be triggered with an internal subset and double
|
||||
entity expansion.
|
||||
|
||||
This fixes bug 766956 initially reported by Wei Lei and independently by
|
||||
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
|
||||
involved.
|
||||
|
||||
xmlParseNameComplex with XML_PARSE_OLD10
|
||||
========================================
|
||||
|
||||
When parsing Names inside an expanded parameter entity with the
|
||||
XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
|
||||
GROW macro if the input buffer was exhausted. At the end of the
|
||||
parameter entity's replacement text, this function would then call
|
||||
xmlPopInput which invalidated the input buffer.
|
||||
|
||||
There should be no need to invoke GROW in this situation because the
|
||||
buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
|
||||
at least for UTF-8, in xmlCurrentChar. This also matches the code path
|
||||
executed when XML_PARSE_OLD10 is not set.
|
||||
|
||||
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
|
||||
Thanks to Marcel Böhme and Thuan Pham for the report.
|
||||
|
||||
Additional hardening
|
||||
====================
|
||||
|
||||
A separate check was added in xmlParseNameComplex to validate the
|
||||
buffer size.
|
||||
|
||||
Fixes bug 781205 and bug 781361
|
||||
|
||||
Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74]
|
||||
CVE: CVE-2017-9049 CVE-2017-9050
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9f988b0..dab15a4 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -422,6 +422,24 @@ Errtests : xmllint$(EXEEXT)
|
||||
if [ -n "$$log" ] ; then echo $$name result ; echo $$log ; fi ; \
|
||||
rm result.$$name error.$$name ; \
|
||||
fi ; fi ; done)
|
||||
+ @echo "## Error cases regression tests (old 1.0)"
|
||||
+ -@(for i in $(srcdir)/test/errors10/*.xml ; do \
|
||||
+ name=`basename $$i`; \
|
||||
+ if [ ! -d $$i ] ; then \
|
||||
+ if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
|
||||
+ echo New test file $$name ; \
|
||||
+ $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
|
||||
+ 2> $(srcdir)/result/errors10/$$name.err \
|
||||
+ > $(srcdir)/result/errors10/$$name ; \
|
||||
+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
|
||||
+ else \
|
||||
+ log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
|
||||
+ grep "MORY ALLO" .memdump | grep -v "MEMORY ALLOCATED : 0"; \
|
||||
+ diff $(srcdir)/result/errors10/$$name result.$$name ; \
|
||||
+ diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
|
||||
+ if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
|
||||
+ rm result.$$name error.$$name ; \
|
||||
+ fi ; fi ; done)
|
||||
@echo "## Error cases stream regression tests"
|
||||
-@(for i in $(srcdir)/test/errors/*.xml ; do \
|
||||
name=`basename $$i`; \
|
||||
diff --git a/parser.c b/parser.c
|
||||
index 609a270..8e11c12 100644
|
||||
--- a/parser.c
|
||||
+++ b/parser.c
|
||||
@@ -2115,7 +2115,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
|
||||
ctxt->input->line++; ctxt->input->col = 1; \
|
||||
} else ctxt->input->col++; \
|
||||
ctxt->input->cur += l; \
|
||||
- if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt); \
|
||||
} while (0)
|
||||
|
||||
#define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
|
||||
@@ -3406,13 +3405,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
len += l;
|
||||
NEXTL(l);
|
||||
c = CUR_CHAR(l);
|
||||
- if (c == 0) {
|
||||
- count = 0;
|
||||
- GROW;
|
||||
- if (ctxt->instate == XML_PARSER_EOF)
|
||||
- return(NULL);
|
||||
- c = CUR_CHAR(l);
|
||||
- }
|
||||
}
|
||||
}
|
||||
if ((len > XML_MAX_NAME_LENGTH) &&
|
||||
@@ -3420,6 +3412,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
|
||||
xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
|
||||
return(NULL);
|
||||
}
|
||||
+ if (ctxt->input->cur - ctxt->input->base < len) {
|
||||
+ /*
|
||||
+ * There were a couple of bugs where PERefs lead to to a change
|
||||
+ * of the buffer. Check the buffer size to avoid passing an invalid
|
||||
+ * pointer to xmlDictLookup.
|
||||
+ */
|
||||
+ xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
|
||||
+ "unexpected change of input buffer");
|
||||
+ return (NULL);
|
||||
+ }
|
||||
if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
|
||||
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
|
||||
return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
|
||||
diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..da15c3f
|
||||
--- /dev/null
|
||||
+++ b/result/errors10/781205.xml.err
|
||||
@@ -0,0 +1,21 @@
|
||||
+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
|
||||
+
|
||||
+ %a;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+<:0000
|
||||
+^
|
||||
+Entity: line 1: parser error : DOCTYPE improperly terminated
|
||||
+ %a;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+<:0000
|
||||
+^
|
||||
+namespace error : Failed to parse QName ':0000'
|
||||
+ %a;
|
||||
+ ^
|
||||
+<:0000
|
||||
+ ^
|
||||
+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
|
||||
+
|
||||
+^
|
||||
diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..655f41a
|
||||
--- /dev/null
|
||||
+++ b/result/errors10/781361.xml.err
|
||||
@@ -0,0 +1,13 @@
|
||||
+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
|
||||
+
|
||||
+^
|
||||
+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
|
||||
+
|
||||
+
|
||||
+^
|
||||
+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
|
||||
+
|
||||
+^
|
||||
+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
|
||||
+
|
||||
+^
|
||||
diff --git a/result/valid/766956.xml b/result/valid/766956.xml
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
|
||||
new file mode 100644
|
||||
index 0000000..34b1dae
|
||||
--- /dev/null
|
||||
+++ b/result/valid/766956.xml.err
|
||||
@@ -0,0 +1,9 @@
|
||||
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
|
||||
+%ä%ent;
|
||||
+ ^
|
||||
+Entity: line 1: parser error : Content error in the external subset
|
||||
+ %ent;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+value
|
||||
+^
|
||||
diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
|
||||
new file mode 100644
|
||||
index 0000000..7760346
|
||||
--- /dev/null
|
||||
+++ b/result/valid/766956.xml.err.rdr
|
||||
@@ -0,0 +1,10 @@
|
||||
+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
|
||||
+%ä%ent;
|
||||
+ ^
|
||||
+Entity: line 1: parser error : Content error in the external subset
|
||||
+ %ent;
|
||||
+ ^
|
||||
+Entity: line 1:
|
||||
+value
|
||||
+^
|
||||
+./test/valid/766956.xml : failed to parse
|
||||
diff --git a/runtest.c b/runtest.c
|
||||
index bb74d2a..63e8c20 100644
|
||||
--- a/runtest.c
|
||||
+++ b/runtest.c
|
||||
@@ -4202,6 +4202,9 @@ testDesc testDescriptions[] = {
|
||||
{ "Error cases regression tests",
|
||||
errParseTest, "./test/errors/*.xml", "result/errors/", "", ".err",
|
||||
0 },
|
||||
+ { "Error cases regression tests (old 1.0)",
|
||||
+ errParseTest, "./test/errors10/*.xml", "result/errors10/", "", ".err",
|
||||
+ XML_PARSE_OLD10 },
|
||||
#ifdef LIBXML_READER_ENABLED
|
||||
{ "Error cases stream regression tests",
|
||||
streamParseTest, "./test/errors/*.xml", "result/errors/", NULL, ".str",
|
||||
diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
|
||||
new file mode 100644
|
||||
index 0000000..d9e9e83
|
||||
--- /dev/null
|
||||
+++ b/test/errors10/781205.xml
|
||||
@@ -0,0 +1,3 @@
|
||||
+<!DOCTYPE D [
|
||||
+ <!ENTITY % a "<:0000">
|
||||
+ %a;
|
||||
diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
|
||||
new file mode 100644
|
||||
index 0000000..67476bc
|
||||
--- /dev/null
|
||||
+++ b/test/errors10/781361.xml
|
||||
@@ -0,0 +1,3 @@
|
||||
+<!DOCTYPE doc [
|
||||
+ <!ENTITY % elem "<!ELEMENT e0000000000">
|
||||
+ %elem;
|
||||
diff --git a/test/valid/766956.xml b/test/valid/766956.xml
|
||||
new file mode 100644
|
||||
index 0000000..19a95a0
|
||||
--- /dev/null
|
||||
+++ b/test/valid/766956.xml
|
||||
@@ -0,0 +1,2 @@
|
||||
+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
|
||||
+<test/>
|
||||
diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
|
||||
new file mode 100644
|
||||
index 0000000..dddde68
|
||||
--- /dev/null
|
||||
+++ b/test/valid/dtds/766956.dtd
|
||||
@@ -0,0 +1,2 @@
|
||||
+<!ENTITY % ent "value">
|
||||
+%ä%ent;
|
||||
@@ -1,45 +0,0 @@
|
||||
libxml2-2.9.4: Fix more NULL pointer derefs
|
||||
|
||||
xpointer: Fix more NULL pointer derefs
|
||||
|
||||
Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=e905f08123e4a6e7731549e6f09dadff4cab65bd]
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
||||
|
||||
diff --git a/xpointer.c b/xpointer.c
|
||||
index 676c510..074db24 100644
|
||||
--- a/xpointer.c
|
||||
+++ b/xpointer.c
|
||||
@@ -555,7 +555,7 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
|
||||
/*
|
||||
* Empty set ...
|
||||
*/
|
||||
- if (end->nodesetval->nodeNr <= 0)
|
||||
+ if ((end->nodesetval == NULL) || (end->nodesetval->nodeNr <= 0))
|
||||
return(NULL);
|
||||
break;
|
||||
default:
|
||||
@@ -1400,7 +1400,7 @@ xmlXPtrEval(const xmlChar *str, xmlXPathContextPtr ctx) {
|
||||
*/
|
||||
xmlNodeSetPtr set;
|
||||
set = tmp->nodesetval;
|
||||
- if ((set->nodeNr != 1) ||
|
||||
+ if ((set == NULL) || (set->nodeNr != 1) ||
|
||||
(set->nodeTab[0] != (xmlNodePtr) ctx->doc))
|
||||
stack++;
|
||||
} else
|
||||
@@ -2073,9 +2073,11 @@ xmlXPtrRangeFunction(xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
xmlXPathFreeObject(set);
|
||||
XP_ERROR(XPATH_MEMORY_ERROR);
|
||||
}
|
||||
- for (i = 0;i < oldset->locNr;i++) {
|
||||
- xmlXPtrLocationSetAdd(newset,
|
||||
- xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
|
||||
+ if (oldset != NULL) {
|
||||
+ for (i = 0;i < oldset->locNr;i++) {
|
||||
+ xmlXPtrLocationSetAdd(newset,
|
||||
+ xmlXPtrCoveringRange(ctxt, oldset->locTab[i]));
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
File diff suppressed because one or more lines are too long
@@ -1,67 +0,0 @@
|
||||
libxml2-2.9.4: Fix comparison with root node in xmlXPathCmpNodes and NULL pointer deref in XPointer
|
||||
|
||||
xpath:
|
||||
- Check for errors after evaluating first operand.
|
||||
- Add sanity check for empty stack.
|
||||
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
|
||||
|
||||
Upstream-Status: Backport
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b]
|
||||
- [https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8]
|
||||
CVE: CVE-2016-5131
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
||||
|
||||
diff --git a/result/XPath/xptr/viderror b/result/XPath/xptr/viderror
|
||||
new file mode 100644
|
||||
index 0000000..d589882
|
||||
--- /dev/null
|
||||
+++ b/result/XPath/xptr/viderror
|
||||
@@ -0,0 +1,4 @@
|
||||
+
|
||||
+========================
|
||||
+Expression: xpointer(non-existing-fn()/range-to(id('chapter2')))
|
||||
+Object is empty (NULL)
|
||||
diff --git a/test/XPath/xptr/viderror b/test/XPath/xptr/viderror
|
||||
new file mode 100644
|
||||
index 0000000..da8c53b
|
||||
--- /dev/null
|
||||
+++ b/test/XPath/xptr/viderror
|
||||
@@ -0,0 +1 @@
|
||||
+xpointer(non-existing-fn()/range-to(id('chapter2')))
|
||||
diff --git a/xpath.c b/xpath.c
|
||||
index 113bce6..d992841 100644
|
||||
--- a/xpath.c
|
||||
+++ b/xpath.c
|
||||
@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
|
||||
* compute depth to root
|
||||
*/
|
||||
for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
|
||||
- if (cur == node1)
|
||||
+ if (cur->parent == node1)
|
||||
return(1);
|
||||
depth2++;
|
||||
}
|
||||
root = cur;
|
||||
for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
|
||||
- if (cur == node2)
|
||||
+ if (cur->parent == node2)
|
||||
return(-1);
|
||||
depth1++;
|
||||
}
|
||||
@@ -14005,9 +14005,14 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||
xmlNodeSetPtr oldset;
|
||||
int i, j;
|
||||
|
||||
- if (op->ch1 != -1)
|
||||
+ if (op->ch1 != -1) {
|
||||
total +=
|
||||
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
|
||||
+ CHECK_ERROR0;
|
||||
+ }
|
||||
+ if (ctxt->value == NULL) {
|
||||
+ XP_ERROR0(XPATH_INVALID_OPERAND);
|
||||
+ }
|
||||
if (op->ch2 == -1)
|
||||
return (total);
|
||||
|
||||
@@ -2,47 +2,29 @@ Add 'install-ptest' rule.
|
||||
Print a standard result line for each test.
|
||||
|
||||
Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
|
||||
Signed-off-by: Andrej Valek <andrej.valek@enea.com>
|
||||
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||
Upstream-Status: Backport
|
||||
|
||||
diff -uNr a/Makefile.am b/Makefile.am
|
||||
--- a/Makefile.am 2016-05-22 03:49:02.000000000 +0200
|
||||
+++ b/Makefile.am 2017-06-14 10:38:43.381305385 +0200
|
||||
@@ -202,10 +202,24 @@
|
||||
--- a/Makefile.am 2017-08-28 15:01:14.000000000 +0200
|
||||
+++ b/Makefile.am 2017-09-05 08:06:05.752287323 +0200
|
||||
@@ -202,6 +202,15 @@
|
||||
#testOOM_DEPENDENCIES = $(DEPS)
|
||||
#testOOM_LDADD= $(LDADDS)
|
||||
|
||||
+install-ptest:
|
||||
+ @(if [ -d .libs ] ; then cd .libs; fi; \
|
||||
+ install $(noinst_PROGRAMS) $(DESTDIR))
|
||||
+ install $(check_PROGRAMS) $(DESTDIR))
|
||||
+ cp -r $(srcdir)/test $(DESTDIR)
|
||||
+ cp -r $(srcdir)/result $(DESTDIR)
|
||||
+ cp -r $(srcdir)/python $(DESTDIR)
|
||||
+ cp Makefile $(DESTDIR)
|
||||
+ sed -i -e 's|^Makefile:|_Makefile:|' $(DESTDIR)/Makefile
|
||||
+
|
||||
runtests:
|
||||
runtests: runtest$(EXEEXT) testrecurse$(EXEEXT) testapi$(EXEEXT) \
|
||||
testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT)
|
||||
[ -d test ] || $(LN_S) $(srcdir)/test .
|
||||
[ -d result ] || $(LN_S) $(srcdir)/result .
|
||||
- $(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT)
|
||||
+ $(CHECKER) ./runtest$(EXEEXT) && \
|
||||
+ $(CHECKER) ./testrecurse$(EXEEXT) && \
|
||||
+ ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) ./testapi$(EXEEXT) && \
|
||||
+ $(CHECKER) ./testchar$(EXEEXT) && \
|
||||
+ $(CHECKER) ./testdict$(EXEEXT) && \
|
||||
+ $(CHECKER) ./runxmlconf$(EXEEXT)
|
||||
@(if [ "$(PYTHON_SUBDIR)" != "" ] ; then cd python ; \
|
||||
$(MAKE) tests ; fi)
|
||||
|
||||
@@ -229,7 +243,7 @@
|
||||
|
||||
APItests: testapi$(EXEEXT)
|
||||
@echo "## Running the API regression tests this may take a little while"
|
||||
- -@($(CHECKER) $(top_builddir)/testapi -q)
|
||||
+ -@(ASAN_OPTIONS="$$ASAN_OPTIONS:detect_leaks=0" $(CHECKER) $(top_builddir)/testapi -q)
|
||||
|
||||
HTMLtests : testHTML$(EXEEXT)
|
||||
@(echo > .memdump)
|
||||
|
||||
diff -uNr a/runsuite.c b/runsuite.c
|
||||
--- a/runsuite.c 2013-04-12 16:17:11.462823238 +0200
|
||||
+++ b/runsuite.c 2013-04-17 14:07:24.352693211 +0200
|
||||
|
||||
@@ -19,21 +19,11 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
|
||||
file://run-ptest \
|
||||
file://python-sitepackages-dir.patch \
|
||||
file://libxml-m4-use-pkgconfig.patch \
|
||||
file://libxml2-fix_node_comparison.patch \
|
||||
file://libxml2-CVE-2016-5131.patch \
|
||||
file://libxml2-CVE-2016-4658.patch \
|
||||
file://libxml2-fix_NULL_pointer_derefs.patch \
|
||||
file://libxml2-fix_and_simplify_xmlParseStartTag2.patch \
|
||||
file://libxml2-CVE-2017-9047_CVE-2017-9048.patch \
|
||||
file://libxml2-CVE-2017-9049_CVE-2017-9050.patch \
|
||||
file://libxml2-CVE-2017-5969.patch \
|
||||
file://libxml2-CVE-2017-0663.patch \
|
||||
file://libxml2-CVE-2017-8872.patch \
|
||||
file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
|
||||
"
|
||||
|
||||
SRC_URI[libtar.md5sum] = "ae249165c173b1ff386ee8ad676815f5"
|
||||
SRC_URI[libtar.sha256sum] = "ffb911191e509b966deb55de705387f14156e1a56b21824357cdf0053233633c"
|
||||
SRC_URI[libtar.md5sum] = "5ce0da9bdaa267b40c4ca36d35363b8b"
|
||||
SRC_URI[libtar.sha256sum] = "4031c1ecee9ce7ba4f313e91ef6284164885cdb69937a123f6a83bb6a72dcd38"
|
||||
SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
|
||||
SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
|
||||
|
||||
@@ -81,6 +71,10 @@ do_configure_prepend () {
|
||||
find ${WORKDIR}/xmlconf/ -type f -exec chmod -x {} \+
|
||||
}
|
||||
|
||||
do_compile_ptest() {
|
||||
oe_runmake check-am
|
||||
}
|
||||
|
||||
do_install_ptest () {
|
||||
cp -r ${WORKDIR}/xmlconf ${D}${PTEST_PATH}
|
||||
if [ "${@bb.utils.filter('PACKAGECONFIG', 'python', d)}" ]; then
|
||||