1 Patch origin: upstream

     2 Patch status: will be part of next version

     3 

     4 https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9

     5 

     6 From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001

     7 From: Daniel Veillard <[email protected]>

     8 Date: Tue, 14 Apr 2015 17:41:48 +0800

     9 Subject: CVE-2015-1819 Enforce the reader to run in constant memory

    10 

    11 One of the operation on the reader could resolve entities

    12 leading to the classic expansion issue. Make sure the

    13 buffer used for xmlreader operation is bounded.

    14 Introduce a new allocation type for the buffers for this effect.

    15 

    16 diff --git a/buf.c b/buf.c

    17 index 6efc7b6..07922ff 100644

    18 --- a/buf.c

    19 +++ b/buf.c

    20 @@ -27,6 +27,7 @@

    21  #include <libxml/tree.h>

    22  #include <libxml/globals.h>

    23  #include <libxml/tree.h>

    24 +#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */

    25  #include "buf.h"

    26  

    27  #define WITH_BUFFER_COMPAT

    28 @@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,

    29      if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||

    30          (scheme == XML_BUFFER_ALLOC_EXACT) ||

    31          (scheme == XML_BUFFER_ALLOC_HYBRID) ||

    32 -        (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {

    33 +        (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||

    34 +	(scheme == XML_BUFFER_ALLOC_BOUNDED)) {

    35  	buf->alloc = scheme;

    36          if (buf->buffer)

    37              buf->buffer->alloc = scheme;

    38 @@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {

    39      size = buf->use + len + 100;

    40  #endif

    41  

    42 +    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

    43 +        /*

    44 +	 * Used to provide parsing limits

    45 +	 */

    46 +        if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||

    47 +	    (buf->size >= XML_MAX_TEXT_LENGTH)) {

    48 +	    xmlBufMemoryError(buf, "buffer error: text too long\n");

    49 +	    return(0);

    50 +	}

    51 +	if (size >= XML_MAX_TEXT_LENGTH)

    52 +	    size = XML_MAX_TEXT_LENGTH;

    53 +    }

    54      if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {

    55          size_t start_buf = buf->content - buf->contentIO;

    56  

    57 @@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)

    58      CHECK_COMPAT(buf)

    59  

    60      if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);

    61 +    if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

    62 +        /*

    63 +	 * Used to provide parsing limits

    64 +	 */

    65 +        if (size >= XML_MAX_TEXT_LENGTH) {

    66 +	    xmlBufMemoryError(buf, "buffer error: text too long\n");

    67 +	    return(0);

    68 +	}

    69 +    }

    70  

    71      /* Don't resize if we don't have to */

    72      if (size < buf->size)

    73 @@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {

    74  

    75      needSize = buf->use + len + 2;

    76      if (needSize > buf->size){

    77 +	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

    78 +	    /*

    79 +	     * Used to provide parsing limits

    80 +	     */

    81 +	    if (needSize >= XML_MAX_TEXT_LENGTH) {

    82 +		xmlBufMemoryError(buf, "buffer error: text too long\n");

    83 +		return(-1);

    84 +	    }

    85 +	}

    86          if (!xmlBufResize(buf, needSize)){

    87  	    xmlBufMemoryError(buf, "growing buffer");

    88              return XML_ERR_NO_MEMORY;

    89 @@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {

    90      }

    91      needSize = buf->use + len + 2;

    92      if (needSize > buf->size){

    93 +	if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {

    94 +	    /*

    95 +	     * Used to provide parsing limits

    96 +	     */

    97 +	    if (needSize >= XML_MAX_TEXT_LENGTH) {

    98 +		xmlBufMemoryError(buf, "buffer error: text too long\n");

    99 +		return(-1);

   100 +	    }

   101 +	}

   102          if (!xmlBufResize(buf, needSize)){

   103  	    xmlBufMemoryError(buf, "growing buffer");

   104              return XML_ERR_NO_MEMORY;

   105 diff --git a/include/libxml/tree.h b/include/libxml/tree.h

   106 index 2f90717..4a9b3bc 100644

   107 --- a/include/libxml/tree.h

   108 +++ b/include/libxml/tree.h

   109 @@ -76,7 +76,8 @@ typedef enum {

   110      XML_BUFFER_ALLOC_EXACT,	/* grow only to the minimal size */

   111      XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */

   112      XML_BUFFER_ALLOC_IO,	/* special allocation scheme used for I/O */

   113 -    XML_BUFFER_ALLOC_HYBRID	/* exact up to a threshold, and doubleit thereafter */

   114 +    XML_BUFFER_ALLOC_HYBRID,	/* exact up to a threshold, and doubleit thereafter */

   115 +    XML_BUFFER_ALLOC_BOUNDED	/* limit the upper size of the buffer */

   116  } xmlBufferAllocationScheme;

   117  

   118  /**

   119 diff --git a/xmlreader.c b/xmlreader.c

   120 index f19e123..471e7e2 100644

   121 --- a/xmlreader.c

   122 +++ b/xmlreader.c

   123 @@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {

   124  		"xmlNewTextReader : malloc failed\n");

   125  	return(NULL);

   126      }

   127 +    /* no operation on a reader should require a huge buffer */

   128 +    xmlBufSetAllocationScheme(ret->buffer,

   129 +			      XML_BUFFER_ALLOC_BOUNDED);

   130      ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

   131      if (ret->sax == NULL) {

   132  	xmlBufFree(ret->buffer);

   133 @@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

   134  	    return(((xmlNsPtr) node)->href);

   135          case XML_ATTRIBUTE_NODE:{

   136  	    xmlAttrPtr attr = (xmlAttrPtr) node;

   137 +	    const xmlChar *ret;

   138  

   139  	    if ((attr->children != NULL) &&

   140  	        (attr->children->type == XML_TEXT_NODE) &&

   141 @@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {

   142                                          "xmlTextReaderSetup : malloc failed\n");

   143                          return (NULL);

   144                      }

   145 +		    xmlBufSetAllocationScheme(reader->buffer,

   146 +		                              XML_BUFFER_ALLOC_BOUNDED);

   147                  } else

   148                      xmlBufEmpty(reader->buffer);

   149  	        xmlBufGetNodeContent(reader->buffer, node);

   150 -		return(xmlBufContent(reader->buffer));

   151 +		ret = xmlBufContent(reader->buffer);

   152 +		if (ret == NULL) {

   153 +		    /* error on the buffer best to reallocate */

   154 +		    xmlBufFree(reader->buffer);

   155 +		    reader->buffer = xmlBufCreateSize(100);

   156 +		    xmlBufSetAllocationScheme(reader->buffer,

   157 +		                              XML_BUFFER_ALLOC_BOUNDED);

   158 +		    ret = BAD_CAST "";

   159 +		}

   160 +		return(ret);

   161  	    }

   162  	    break;

   163  	}

   164 @@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,

   165                          "xmlTextReaderSetup : malloc failed\n");

   166          return (-1);

   167      }

   168 +    /* no operation on a reader should require a huge buffer */

   169 +    xmlBufSetAllocationScheme(reader->buffer,

   170 +			      XML_BUFFER_ALLOC_BOUNDED);

   171      if (reader->sax == NULL)

   172  	reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));

   173      if (reader->sax == NULL) {

   174 -- 

   175 cgit v0.10.2

   176