Revision: 6745
          http://ipcop.svn.sourceforge.net/ipcop/?rev=6745&view=rev
Author:   gespinasse
Date:     2012-08-05 06:59:20 +0000 (Sun, 05 Aug 2012)
Log Message:
-----------
Fix CVE-2012-2807: 2 patches borrowed from Debian

Modified Paths:
--------------
    ipcop/trunk/lfs/libxml2

Added Paths:
-----------
    
ipcop/trunk/src/patches/libxml2-2.8.0_entities-local-buffers-size-problems.patch
    
ipcop/trunk/src/patches/libxml2-2.8.0_parser-local-buffers-size-problems.patch

Modified: ipcop/trunk/lfs/libxml2
===================================================================
--- ipcop/trunk/lfs/libxml2     2012-08-05 06:49:57 UTC (rev 6744)
+++ ipcop/trunk/lfs/libxml2     2012-08-05 06:59:20 UTC (rev 6745)
@@ -86,6 +86,9 @@
 $(TARGET) : $(firstword $(MAKEFILE_LIST)) $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+       # CVE-2012-2807 2 patches debian borrowed
+       cd $(DIR_APP) && patch -p1 -i 
$(DIR_PATCHES)/$(THISAPP)_parser-local-buffers-size-problems.patch
+       cd $(DIR_APP) && patch -p1 -i 
$(DIR_PATCHES)/$(THISAPP)_entities-local-buffers-size-problems.patch
 
        # Workaround install warning cannot stat `./*.html'
        cd $(DIR_APP) && sed -i 's|$$(srcdir)/\*.html ||' 
doc/examples/Makefile.in
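Review bot: The comment added above the two `patch` lines records only the CVE id, not where the patches came from, so whoever bumps libxml2 next has no way to tell whether they are still needed or already merged upstream; I would write it as `# CVE-2012-2807: size_t/int buffer-size overflows in entities.c and parser.c (upstream fixes, taken from Debian)` and name the Debian package or upstream commit they were copied from. The invocations themselves are fine: with no `-` prefix on the recipe lines, make stops the build when `patch` exits non-zero, so a rejected hunk after a version bump fails loudly instead of silently producing an unpatched tree. The `$(TARGET)` recipe continues past the end of this hunk.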

Added: 
ipcop/trunk/src/patches/libxml2-2.8.0_entities-local-buffers-size-problems.patch
===================================================================
--- 
ipcop/trunk/src/patches/libxml2-2.8.0_entities-local-buffers-size-problems.patch
                            (rev 0)
+++ 
ipcop/trunk/src/patches/libxml2-2.8.0_entities-local-buffers-size-problems.patch
    2012-08-05 06:59:20 UTC (rev 6745)
@@ -0,0 +1,98 @@
+From: Daniel Veillard <[email protected]>
+Date: Wed, 18 Jul 2012 11:38:17 +0800
+Subject: Fix entities local buffers size problems
+
+---
+ entities.c |   36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 6aef49f..a02738d 100644
+--- a/entities.c
++++ b/entities.c
+@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+  * Macro used to grow the current buffer.
+  */
+ #define growBufferReentrant() {                                               
\
+-    buffer_size *= 2;                                                 \
+-    buffer = (xmlChar *)                                              \
+-              xmlRealloc(buffer, buffer_size * sizeof(xmlChar));      \
+-    if (buffer == NULL) {                                             \
+-        xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
+-      return(NULL);                                                   \
+-    }                                                                 \
++    xmlChar *tmp;                                                       \
++    size_t new_size = buffer_size * 2;                                 \
++    if (new_size < buffer_size) goto mem_error;                         \
++    tmp = (xmlChar *) xmlRealloc(buffer, new_size);                   \
++    if (tmp == NULL) goto mem_error;                                    \
++    buffer = tmp;                                                     \
++    buffer_size = new_size;                                           \
+ }
+ 
+ 
+@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar 
*input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     int html = 0;
+ 
+     if (input == NULL) return(NULL);
+@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar 
*input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 100) {
+-          int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 100 > buffer_size) {
+ 
+           growBufferReentrant();
+           out = &buffer[indx];
+@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar 
*input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
+@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, 
const xmlChar *input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     if (input == NULL) return(NULL);
+ 
+     /*
+@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, 
const xmlChar *input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 10) {
+-          int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 10 > buffer_size) {
+ 
+           growBufferReentrant();
+           out = &buffer[indx];
+@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, 
const xmlChar *input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
+-- 

Added: 
ipcop/trunk/src/patches/libxml2-2.8.0_parser-local-buffers-size-problems.patch
===================================================================
--- 
ipcop/trunk/src/patches/libxml2-2.8.0_parser-local-buffers-size-problems.patch  
                            (rev 0)
+++ 
ipcop/trunk/src/patches/libxml2-2.8.0_parser-local-buffers-size-problems.patch  
    2012-08-05 06:59:20 UTC (rev 6745)
@@ -0,0 +1,261 @@
+From: Daniel Veillard <[email protected]>
+Date: Tue, 17 Jul 2012 16:19:17 +0800
+Subject: Fix parser local buffers size problems
+
+---
+ parser.c |   74 ++++++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 43 insertions(+), 31 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 2c38fae..9863275 100644
+--- a/parser.c
++++ b/parser.c
+@@ -40,6 +40,7 @@
+ #endif
+ 
+ #include <stdlib.h>
++#include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
+ #include <libxml/xmlmemory.h>
+@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, 
const xmlChar *ID,
+  * parser option.
+  */
+ static int
+-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent)
+ {
+-    unsigned long consumed = 0;
++    size_t consumed = 0;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
+@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ 
+ /*
+  * Macro used to grow the current buffer.
++ * buffer##_size is expected to be a size_t
++ * mem_error: is expected to handle memory allocation failures
+  */
+ #define growBuffer(buffer, n) {                                               
\
+     xmlChar *tmp;                                                     \
+-    buffer##_size *= 2;                                                       
\
+-    buffer##_size += n;                                                       
\
+-    tmp = (xmlChar *)                                                 \
+-              xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));    \
++    size_t new_size = buffer##_size * 2 + n;                            \
++    if (new_size < buffer##_size) goto mem_error;                       \
++    tmp = (xmlChar *) xmlRealloc(buffer, new_size);                     \
+     if (tmp == NULL) goto mem_error;                                  \
+     buffer = tmp;                                                     \
++    buffer##_size = new_size;                                           \
+ }
+ 
+ /**
+@@ -2623,14 +2626,14 @@ xmlChar *
+ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+                     int what, xmlChar end, xmlChar  end2, xmlChar end3) {
+     xmlChar *buffer = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
++    size_t nbchars = 0;
+ 
+     xmlChar *current = NULL;
+     xmlChar *rep = NULL;
+     const xmlChar *last;
+     xmlEntityPtr ent;
+     int c,l;
+-    int nbchars = 0;
+ 
+     if ((ctxt == NULL) || (str == NULL) || (len < 0))
+       return(NULL);
+@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+      * allocate a translation buffer.
+      */
+     buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
+-    buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
++    buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
+     if (buffer == NULL) goto mem_error;
+ 
+     /*
+@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+           if (val != 0) {
+               COPY_BUF(0,buffer,nbchars,val);
+           }
+-          if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++          if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+               growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+           }
+       } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
+@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+               (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+               if (ent->content != NULL) {
+                   COPY_BUF(0,buffer,nbchars,ent->content[0]);
+-                  if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++                  if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+                       growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+                   }
+               } else {
+@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+                   current = rep;
+                   while (*current != 0) { /* non input consuming loop */
+                       buffer[nbchars++] = *current++;
+-                      if (nbchars >
+-                          buffer_size - XML_PARSER_BUFFER_SIZE) {
++                      if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+                           if (xmlParserEntityCheck(ctxt, nbchars, ent))
+                               goto int_error;
+                           growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+               const xmlChar *cur = ent->name;
+ 
+               buffer[nbchars++] = '&';
+-              if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
++              if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
+                   growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+               }
+               for (;i > 0;i--)
+@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+                   current = rep;
+                   while (*current != 0) { /* non input consuming loop */
+                       buffer[nbchars++] = *current++;
+-                      if (nbchars >
+-                          buffer_size - XML_PARSER_BUFFER_SIZE) {
++                      if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+                           if (xmlParserEntityCheck(ctxt, nbchars, ent))
+                               goto int_error;
+                           growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const 
xmlChar *str, int len,
+       } else {
+           COPY_BUF(l,buffer,nbchars,c);
+           str += l;
+-          if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+-            growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++          if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
++              growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+           }
+       }
+       if (str < last)
+@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+     xmlChar limit = 0;
+     xmlChar *buf = NULL;
+     xmlChar *rep = NULL;
+-    int len = 0;
+-    int buf_size = 0;
++    size_t len = 0;
++    size_t buf_size = 0;
+     int c, l, in_space = 0;
+     xmlChar *current = NULL;
+     xmlEntityPtr ent;
+@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+      * allocate a translation buffer.
+      */
+     buf_size = XML_PARSER_BUFFER_SIZE;
+-    buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
++    buf = (xmlChar *) xmlMallocAtomic(buf_size);
+     if (buf == NULL) goto mem_error;
+ 
+     /*
+@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+ 
+               if (val == '&') {
+                   if (ctxt->replaceEntities) {
+-                      if (len > buf_size - 10) {
++                      if (len + 10 > buf_size) {
+                           growBuffer(buf, 10);
+                       }
+                       buf[len++] = '&';
+@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                        * The reparsing will be done in xmlStringGetNodeList()
+                        * called by the attribute() function in SAX.c
+                        */
+-                      if (len > buf_size - 10) {
++                      if (len + 10 > buf_size) {
+                           growBuffer(buf, 10);
+                       }
+                       buf[len++] = '&';
+@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                       buf[len++] = ';';
+                   }
+               } else if (val != 0) {
+-                  if (len > buf_size - 10) {
++                  if (len + 10 > buf_size) {
+                       growBuffer(buf, 10);
+                   }
+                   len += xmlCopyChar(0, &buf[len], val);
+@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                   ctxt->nbentities += ent->owner;
+               if ((ent != NULL) &&
+                   (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+-                  if (len > buf_size - 10) {
++                  if (len + 10 > buf_size) {
+                       growBuffer(buf, 10);
+                   }
+                   if ((ctxt->replaceEntities == 0) &&
+@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                                     current++;
+                                 } else
+                                     buf[len++] = *current++;
+-                              if (len > buf_size - 10) {
++                              if (len + 10 > buf_size) {
+                                   growBuffer(buf, 10);
+                               }
+                           }
+@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                           rep = NULL;
+                       }
+                   } else {
+-                      if (len > buf_size - 10) {
++                      if (len + 10 > buf_size) {
+                           growBuffer(buf, 10);
+                       }
+                       if (ent->content != NULL)
+@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+                    * Just output the reference
+                    */
+                   buf[len++] = '&';
+-                  while (len > buf_size - i - 10) {
++                  while (len + i + 10 > buf_size) {
+                       growBuffer(buf, i + 10);
+                   }
+                   for (;i > 0;i--)
+@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+               if ((len != 0) || (!normalize)) {
+                   if ((!normalize) || (!in_space)) {
+                       COPY_BUF(l,buf,len,0x20);
+-                      while (len > buf_size - 10) {
++                      while (len + 10 > buf_size) {
+                           growBuffer(buf, 10);
+                       }
+                   }
+@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+           } else {
+               in_space = 0;
+               COPY_BUF(l,buf,len,c);
+-              if (len > buf_size - 10) {
++              if (len + 10 > buf_size) {
+                   growBuffer(buf, 10);
+               }
+           }
+@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int 
*attlen, int normalize) {
+         }
+     } else
+       NEXT;
+-    if (attlen != NULL) *attlen = len;
++
++    /*
++     * There we potentially risk an overflow, don't allow attribute value of
++     * lenght more than INT_MAX it is a very reasonnable assumption !
++     */
++    if (len >= INT_MAX) {
++        xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++                       "AttValue lenght too long\n");
++        goto mem_error;
++    }
++
++    if (attlen != NULL) *attlen = (int) len;
+     return(buf);
+ 
+ mem_error:
+-- 
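Review bot: The new length guard at the end of xmlParseAttValueComplex misspells "length" twice, in the comment (`* lenght more than INT_MAX it is a very reasonnable assumption !`) and in the user-visible error string `"AttValue lenght too long\n"`; since this file is carried verbatim from upstream via Debian I would not edit it locally, so that it can be dropped cleanly on the next libxml2 bump, but the origin (upstream commit or Debian patch name) belongs in the patch header, which currently has only From/Date/Subject. For what it is worth, the guard being run once after the loop rather than on every append is sound: `len` and `buf_size` are both size_t now, and every growth passes through growBuffer's `if (new_size < buffer##_size) goto mem_error;` wrap check, so the only remaining narrowing is the final `(int) len`, which the guard covers. The nested hunks each cut into the middle of xmlStringLenDecodeEntities and xmlParseAttValueComplex; the rest of those functions is outside this patch.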
