15808846 problem in LIBRARY/LIBXML s11u1-sru 0.175.1.5.0.1.0 S11.1SRU5.1
authorPetr Sumbera <petr.sumbera@oracle.com>
Mon, 04 Feb 2013 08:38:32 -0800
branchs11u1-sru
changeset 2482 c53d740a9580
parent 2479 e8d296a83439
child 2485 9c1e9850ee41
15808846 problem in LIBRARY/LIBXML
components/libxml2/patches/24-libxml2-Fix-parser-local-buffers-size-problems.patch
components/libxml2/patches/25-libxml2-Fix-entities-local-buffers-size-problems.patch
components/libxml2/patches/26-libxml2-Fix-an-error-in-previous-commit.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/24-libxml2-Fix-parser-local-buffers-size-problems.patch	Mon Feb 04 08:38:32 2013 -0800
@@ -0,0 +1,260 @@
+From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Tue, 17 Jul 2012 08:19:17 +0000
+Subject: Fix parser local buffers size problems
+
+---
+diff --git a/parser.c b/parser.c
+index 2c38fae..9863275 100644
+--- a/parser.c
++++ b/parser.c
[email protected]@ -40,6 +40,7 @@
+ #endif
+ 
+ #include <stdlib.h>
++#include <limits.h>
+ #include <string.h>
+ #include <stdarg.h>
+ #include <libxml/xmlmemory.h>
[email protected]@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
+  * parser option.
+  */
+ static int
+-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+                      xmlEntityPtr ent)
+ {
+-    unsigned long consumed = 0;
++    size_t consumed = 0;
+ 
+     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+         return (0);
[email protected]@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxtPtr ctxt) {
+ 
+ /*
+  * Macro used to grow the current buffer.
++ * buffer##_size is expected to be a size_t
++ * mem_error: is expected to handle memory allocation failures
+  */
+ #define growBuffer(buffer, n) {						\
+     xmlChar *tmp;							\
+-    buffer##_size *= 2;							\
+-    buffer##_size += n;							\
+-    tmp = (xmlChar *)							\
+-		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
++    size_t new_size = buffer##_size * 2 + n;                            \
++    if (new_size < buffer##_size) goto mem_error;                       \
++    tmp = (xmlChar *) xmlRealloc(buffer, new_size);                     \
+     if (tmp == NULL) goto mem_error;					\
+     buffer = tmp;							\
++    buffer##_size = new_size;                                           \
+ }
+ 
+ /**
[email protected]@ -2623,14 +2626,14 @@ xmlChar *
+ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		      int what, xmlChar end, xmlChar  end2, xmlChar end3) {
+     xmlChar *buffer = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
++    size_t nbchars = 0;
+ 
+     xmlChar *current = NULL;
+     xmlChar *rep = NULL;
+     const xmlChar *last;
+     xmlEntityPtr ent;
+     int c,l;
+-    int nbchars = 0;
+ 
+     if ((ctxt == NULL) || (str == NULL) || (len < 0))
+ 	return(NULL);
[email protected]@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+      * allocate a translation buffer.
+      */
+     buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
+-    buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
++    buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
+     if (buffer == NULL) goto mem_error;
+ 
+     /*
[email protected]@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 	    if (val != 0) {
+ 		COPY_BUF(0,buffer,nbchars,val);
+ 	    }
+-	    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++	    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ 	        growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 	    }
+ 	} else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
[email protected]@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+ 		if (ent->content != NULL) {
+ 		    COPY_BUF(0,buffer,nbchars,ent->content[0]);
+-		    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
++		    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ 			growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 		    }
+ 		} else {
[email protected]@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    current = rep;
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+-			if (nbchars >
+-		            buffer_size - XML_PARSER_BUFFER_SIZE) {
++			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ 			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ 				goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
[email protected]@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		const xmlChar *cur = ent->name;
+ 
+ 		buffer[nbchars++] = '&';
+-		if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
++		if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ 		    growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+ 		}
+ 		for (;i > 0;i--)
[email protected]@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 		    current = rep;
+ 		    while (*current != 0) { /* non input consuming loop */
+ 			buffer[nbchars++] = *current++;
+-			if (nbchars >
+-		            buffer_size - XML_PARSER_BUFFER_SIZE) {
++			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+ 			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ 			        goto int_error;
+ 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
[email protected]@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+ 	} else {
+ 	    COPY_BUF(l,buffer,nbchars,c);
+ 	    str += l;
+-	    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+-	      growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++	    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
++	        growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+ 	    }
+ 	}
+ 	if (str < last)
[email protected]@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+     xmlChar limit = 0;
+     xmlChar *buf = NULL;
+     xmlChar *rep = NULL;
+-    int len = 0;
+-    int buf_size = 0;
++    size_t len = 0;
++    size_t buf_size = 0;
+     int c, l, in_space = 0;
+     xmlChar *current = NULL;
+     xmlEntityPtr ent;
[email protected]@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+      * allocate a translation buffer.
+      */
+     buf_size = XML_PARSER_BUFFER_SIZE;
+-    buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
++    buf = (xmlChar *) xmlMallocAtomic(buf_size);
+     if (buf == NULL) goto mem_error;
+ 
+     /*
[email protected]@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 
+ 		if (val == '&') {
+ 		    if (ctxt->replaceEntities) {
+-			if (len > buf_size - 10) {
++			if (len + 10 > buf_size) {
+ 			    growBuffer(buf, 10);
+ 			}
+ 			buf[len++] = '&';
[email protected]@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 			 * The reparsing will be done in xmlStringGetNodeList()
+ 			 * called by the attribute() function in SAX.c
+ 			 */
+-			if (len > buf_size - 10) {
++			if (len + 10 > buf_size) {
+ 			    growBuffer(buf, 10);
+ 			}
+ 			buf[len++] = '&';
[email protected]@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 			buf[len++] = ';';
+ 		    }
+ 		} else if (val != 0) {
+-		    if (len > buf_size - 10) {
++		    if (len + 10 > buf_size) {
+ 			growBuffer(buf, 10);
+ 		    }
+ 		    len += xmlCopyChar(0, &buf[len], val);
[email protected]@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 		    ctxt->nbentities += ent->owner;
+ 		if ((ent != NULL) &&
+ 		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
+-		    if (len > buf_size - 10) {
++		    if (len + 10 > buf_size) {
+ 			growBuffer(buf, 10);
+ 		    }
+ 		    if ((ctxt->replaceEntities == 0) &&
[email protected]@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+                                     current++;
+                                 } else
+                                     buf[len++] = *current++;
+-				if (len > buf_size - 10) {
++				if (len + 10 > buf_size) {
+ 				    growBuffer(buf, 10);
+ 				}
+ 			    }
[email protected]@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 			    rep = NULL;
+ 			}
+ 		    } else {
+-			if (len > buf_size - 10) {
++			if (len + 10 > buf_size) {
+ 			    growBuffer(buf, 10);
+ 			}
+ 			if (ent->content != NULL)
[email protected]@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 		     * Just output the reference
+ 		     */
+ 		    buf[len++] = '&';
+-		    while (len > buf_size - i - 10) {
++		    while (len + i + 10 > buf_size) {
+ 			growBuffer(buf, i + 10);
+ 		    }
+ 		    for (;i > 0;i--)
[email protected]@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 	        if ((len != 0) || (!normalize)) {
+ 		    if ((!normalize) || (!in_space)) {
+ 			COPY_BUF(l,buf,len,0x20);
+-			while (len > buf_size - 10) {
++			while (len + 10 > buf_size) {
+ 			    growBuffer(buf, 10);
+ 			}
+ 		    }
[email protected]@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ 	    } else {
+ 	        in_space = 0;
+ 		COPY_BUF(l,buf,len,c);
+-		if (len > buf_size - 10) {
++		if (len + 10 > buf_size) {
+ 		    growBuffer(buf, 10);
+ 		}
+ 	    }
[email protected]@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+         }
+     } else
+ 	NEXT;
+-    if (attlen != NULL) *attlen = len;
++
++    /*
++     * There we potentially risk an overflow, don't allow attribute value of
++     * lenght more than INT_MAX it is a very reasonnable assumption !
++     */
++    if (len >= INT_MAX) {
++        xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++                       "AttValue lenght too long\n");
++        goto mem_error;
++    }
++
++    if (attlen != NULL) *attlen = (int) len;
+     return(buf);
+ 
+ mem_error:
+--
+cgit v0.9.0.2
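Review bot: The new length guard at the end of xmlParseAttValueComplex reports the over-long value with xmlFatalErrMsg and then does `goto mem_error`, but that label's body (like most of the function) is outside the hunk, and if it also reports an out-of-memory condition, as its name suggests, an over-long attribute is diagnosed twice and once under the wrong cause. A separate cleanup label that only frees `buf` and `rep` and returns NULL would keep the report accurate, and the message should read `"AttValue length too long\n"` (the comment above it carries the same misspelling). The wrap check in the reworked growBuffer macro, `if (new_size < buffer##_size) goto mem_error;`, is also only approximate: `buffer##_size * 2 + n` can wrap yet still compare greater than `buffer##_size` when `n` is itself close to SIZE_MAX, which no caller in this hunk does, so it is tolerable but worth a comment. An exact operand-side test is `if (buffer##_size > (SIZE_MAX - (size_t)(n)) / 2) goto mem_error;` — SIZE_MAX comes from <stdint.h>, not the <limits.h> this patch adds, so only if the build can rely on it.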
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/25-libxml2-Fix-entities-local-buffers-size-problems.patch	Mon Feb 04 08:38:32 2013 -0800
@@ -0,0 +1,97 @@
+From 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <[email protected]>
+Date: Wed, 18 Jul 2012 03:38:17 +0000
+Subject: Fix entities local buffers size problems
+
+---
+diff --git a/entities.c b/entities.c
+index 6aef49f..859ec3b 100644
+--- a/entities.c
++++ b/entities.c
[email protected]@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+  * Macro used to grow the current buffer.
+  */
+ #define growBufferReentrant() {						\
+-    buffer_size *= 2;							\
+-    buffer = (xmlChar *)						\
+-    		xmlRealloc(buffer, buffer_size * sizeof(xmlChar));	\
+-    if (buffer == NULL) {						\
+-        xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
+-	return(NULL);							\
+-    }									\
++    xmlChar *tmp;                                                       \
++    size_t new_size = buffer_size *= 2;                                 \
++    if (new_size < buffer_size) goto mem_error;                         \
++    tmp = (xmlChar *) xmlRealloc(buffer, new_size);	                \
++    if (tmp == NULL) goto mem_error;                                    \
++    buffer = tmp;							\
++    buffer_size = new_size;						\
+ }
+ 
+ 
[email protected]@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     int html = 0;
+ 
+     if (input == NULL) return(NULL);
[email protected]@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 100) {
+-	    int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 100 > buffer_size) {
+ 
+ 	    growBufferReentrant();
+ 	    out = &buffer[indx];
[email protected]@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc, const xmlChar *input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
[email protected]@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     const xmlChar *cur = input;
+     xmlChar *buffer = NULL;
+     xmlChar *out = NULL;
+-    int buffer_size = 0;
++    size_t buffer_size = 0;
+     if (input == NULL) return(NULL);
+ 
+     /*
[email protected]@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     out = buffer;
+ 
+     while (*cur != '\0') {
+-        if (out - buffer > buffer_size - 10) {
+-	    int indx = out - buffer;
++        size_t indx = out - buffer;
++        if (indx + 10 > buffer_size) {
+ 
+ 	    growBufferReentrant();
+ 	    out = &buffer[indx];
[email protected]@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTRIBUTE_UNUSED, const xmlChar *input) {
+     }
+     *out = 0;
+     return(buffer);
++
++mem_error:
++    xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
++    xmlFree(buffer);
++    return(NULL);
+ }
+ 
+ /**
+--
+cgit v0.9.0.2
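Review bot: growBufferReentrant now requires `buffer` and `buffer_size` locals and a `mem_error` label in every function that expands it, but its header comment at the top of the hunk still says only "Macro used to grow the current buffer."; the parser.c growBuffer in patch 24 documents the same contract and this one should match. Suggested lines: ` * buffer_size is expected to be a size_t` and ` * mem_error: is expected to handle memory allocation failures (the buffer is freed there)`. Note also that the macro only doubles, while the callers ask for `indx + 100` (resp. `indx + 10`) bytes of headroom after a single expansion, so correctness relies on the initial `buffer_size` being at least 100 (resp. 10); the initial allocations are outside the hunk, so that cannot be confirmed here, and a comment stating the precondition next to the macro would make it explicit.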
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/libxml2/patches/26-libxml2-Fix-an-error-in-previous-commit.patch	Mon Feb 04 08:38:32 2013 -0800
@@ -0,0 +1,21 @@
+From baaf03f80f817bb34c421421e6cb4d68c353ac9a Mon Sep 17 00:00:00 2001
+From: Aron Xu <[email protected]>
+Date: Fri, 20 Jul 2012 07:41:34 +0000
+Subject: Fix an error in previous commit
+
+---
+diff --git a/entities.c b/entities.c
+index 859ec3b..7d06820 100644
+--- a/entities.c
++++ b/entities.c
[email protected]@ -529,7 +529,7 @@ xmlGetDocEntity(xmlDocPtr doc, const xmlChar *name) {
+  */
+ #define growBufferReentrant() {						\
+     xmlChar *tmp;                                                       \
+-    size_t new_size = buffer_size *= 2;                                 \
++    size_t new_size = buffer_size * 2;                                  \
+     if (new_size < buffer_size) goto mem_error;                         \
+     tmp = (xmlChar *) xmlRealloc(buffer, new_size);	                \
+     if (tmp == NULL) goto mem_error;                                    \
+--
+cgit v0.9.0.2