1 Patch origin: upstream |
|
2 Patch status: will be part of next version |
|
3 |
|
4 https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 |
|
5 |
|
6 From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 |
|
7 From: Daniel Veillard <[email protected]> |
|
8 Date: Tue, 14 Apr 2015 17:41:48 +0800 |
|
9 Subject: CVE-2015-1819 Enforce the reader to run in constant memory |
|
10 |
|
11 One of the operation on the reader could resolve entities |
|
12 leading to the classic expansion issue. Make sure the |
|
13 buffer used for xmlreader operation is bounded. |
|
14 Introduce a new allocation type for the buffers for this effect. |
|
15 |
|
16 diff --git a/buf.c b/buf.c |
|
17 index 6efc7b6..07922ff 100644 |
|
18 --- a/buf.c |
|
19 +++ b/buf.c |
|
20 @@ -27,6 +27,7 @@ |
|
21 #include <libxml/tree.h> |
|
22 #include <libxml/globals.h> |
|
23 #include <libxml/tree.h> |
|
24 +#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ |
|
25 #include "buf.h" |
|
26 |
|
27 #define WITH_BUFFER_COMPAT |
|
28 @@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, |
|
29 if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || |
|
30 (scheme == XML_BUFFER_ALLOC_EXACT) || |
|
31 (scheme == XML_BUFFER_ALLOC_HYBRID) || |
|
32 - (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { |
|
33 + (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || |
|
34 + (scheme == XML_BUFFER_ALLOC_BOUNDED)) { |
|
35 buf->alloc = scheme; |
|
36 if (buf->buffer) |
|
37 buf->buffer->alloc = scheme; |
|
38 @@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { |
|
39 size = buf->use + len + 100; |
|
40 #endif |
|
41 |
|
42 + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
|
43 + /* |
|
44 + * Used to provide parsing limits |
|
45 + */ |
|
46 + if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || |
|
47 + (buf->size >= XML_MAX_TEXT_LENGTH)) { |
|
48 + xmlBufMemoryError(buf, "buffer error: text too long\n"); |
|
49 + return(0); |
|
50 + } |
|
51 + if (size >= XML_MAX_TEXT_LENGTH) |
|
52 + size = XML_MAX_TEXT_LENGTH; |
|
53 + } |
|
54 if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { |
|
55 size_t start_buf = buf->content - buf->contentIO; |
|
56 |
|
57 @@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) |
|
58 CHECK_COMPAT(buf) |
|
59 |
|
60 if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); |
|
61 + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
|
62 + /* |
|
63 + * Used to provide parsing limits |
|
64 + */ |
|
65 + if (size >= XML_MAX_TEXT_LENGTH) { |
|
66 + xmlBufMemoryError(buf, "buffer error: text too long\n"); |
|
67 + return(0); |
|
68 + } |
|
69 + } |
|
70 |
|
71 /* Don't resize if we don't have to */ |
|
72 if (size < buf->size) |
|
73 @@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { |
|
74 |
|
75 needSize = buf->use + len + 2; |
|
76 if (needSize > buf->size){ |
|
77 + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
|
78 + /* |
|
79 + * Used to provide parsing limits |
|
80 + */ |
|
81 + if (needSize >= XML_MAX_TEXT_LENGTH) { |
|
82 + xmlBufMemoryError(buf, "buffer error: text too long\n"); |
|
83 + return(-1); |
|
84 + } |
|
85 + } |
|
86 if (!xmlBufResize(buf, needSize)){ |
|
87 xmlBufMemoryError(buf, "growing buffer"); |
|
88 return XML_ERR_NO_MEMORY; |
|
89 @@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { |
|
90 } |
|
91 needSize = buf->use + len + 2; |
|
92 if (needSize > buf->size){ |
|
93 + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { |
|
94 + /* |
|
95 + * Used to provide parsing limits |
|
96 + */ |
|
97 + if (needSize >= XML_MAX_TEXT_LENGTH) { |
|
98 + xmlBufMemoryError(buf, "buffer error: text too long\n"); |
|
99 + return(-1); |
|
100 + } |
|
101 + } |
|
102 if (!xmlBufResize(buf, needSize)){ |
|
103 xmlBufMemoryError(buf, "growing buffer"); |
|
104 return XML_ERR_NO_MEMORY; |
|
105 diff --git a/include/libxml/tree.h b/include/libxml/tree.h |
|
106 index 2f90717..4a9b3bc 100644 |
|
107 --- a/include/libxml/tree.h |
|
108 +++ b/include/libxml/tree.h |
|
109 @@ -76,7 +76,8 @@ typedef enum { |
|
110 XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ |
|
111 XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ |
|
112 XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ |
|
113 - XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ |
|
114 + XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ |
|
115 + XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ |
|
116 } xmlBufferAllocationScheme; |
|
117 |
|
118 /** |
|
119 diff --git a/xmlreader.c b/xmlreader.c |
|
120 index f19e123..471e7e2 100644 |
|
121 --- a/xmlreader.c |
|
122 +++ b/xmlreader.c |
|
123 @@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { |
|
124 "xmlNewTextReader : malloc failed\n"); |
|
125 return(NULL); |
|
126 } |
|
127 + /* no operation on a reader should require a huge buffer */ |
|
128 + xmlBufSetAllocationScheme(ret->buffer, |
|
129 + XML_BUFFER_ALLOC_BOUNDED); |
|
130 ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); |
|
131 if (ret->sax == NULL) { |
|
132 xmlBufFree(ret->buffer); |
|
133 @@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { |
|
134 return(((xmlNsPtr) node)->href); |
|
135 case XML_ATTRIBUTE_NODE:{ |
|
136 xmlAttrPtr attr = (xmlAttrPtr) node; |
|
137 + const xmlChar *ret; |
|
138 |
|
139 if ((attr->children != NULL) && |
|
140 (attr->children->type == XML_TEXT_NODE) && |
|
141 @@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { |
|
142 "xmlTextReaderSetup : malloc failed\n"); |
|
143 return (NULL); |
|
144 } |
|
145 + xmlBufSetAllocationScheme(reader->buffer, |
|
146 + XML_BUFFER_ALLOC_BOUNDED); |
|
147 } else |
|
148 xmlBufEmpty(reader->buffer); |
|
149 xmlBufGetNodeContent(reader->buffer, node); |
|
150 - return(xmlBufContent(reader->buffer)); |
|
151 + ret = xmlBufContent(reader->buffer); |
|
152 + if (ret == NULL) { |
|
153 + /* error on the buffer best to reallocate */ |
|
154 + xmlBufFree(reader->buffer); |
|
155 + reader->buffer = xmlBufCreateSize(100); |
|
156 + xmlBufSetAllocationScheme(reader->buffer, |
|
157 + XML_BUFFER_ALLOC_BOUNDED); |
|
158 + ret = BAD_CAST ""; |
|
159 + } |
|
160 + return(ret); |
|
161 } |
|
162 break; |
|
163 } |
|
164 @@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, |
|
165 "xmlTextReaderSetup : malloc failed\n"); |
|
166 return (-1); |
|
167 } |
|
168 + /* no operation on a reader should require a huge buffer */ |
|
169 + xmlBufSetAllocationScheme(reader->buffer, |
|
170 + XML_BUFFER_ALLOC_BOUNDED); |
|
171 if (reader->sax == NULL) |
|
172 reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); |
|
173 if (reader->sax == NULL) { |
|
174 -- |
|
175 cgit v0.10.2 |
|
176 |
|