860c603684
- Security fix (CVE-2019-15903, bsc#1149429) * Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing * Added patches: - expat-CVE-2019-15903.patch - expat-CVE-2019-15903-tests.patch OBS-URL: https://build.opensuse.org/request/show/730208 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=78
94 lines
3.5 KiB
Diff
94 lines
3.5 KiB
Diff
From 438493691f1b8620a71d5aee658fe160103ff863 Mon Sep 17 00:00:00 2001
|
|
From: Sebastian Pipping <sebastian@pipping.org>
|
|
Date: Wed, 28 Aug 2019 15:14:19 +0200
|
|
Subject: [PATCH] tests: Cover denying internal entities closing the doctype
|
|
|
|
---
|
|
expat/tests/runtests.c | 67 ++++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 67 insertions(+)
|
|
|
|
Index: expat-2.2.5/tests/runtests.c
|
|
===================================================================
|
|
--- expat-2.2.5.orig/tests/runtests.c
|
|
+++ expat-2.2.5/tests/runtests.c
|
|
@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
|
|
CharData_AppendXMLChars(storage, XCS("\n"), 1);
|
|
}
|
|
|
|
+#ifdef XML_DTD
|
|
+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
|
|
+ const char *const inputOne = "<!DOCTYPE d [\n"
|
|
+ "<!ENTITY % e ']><d/>'>\n"
|
|
+ "\n"
|
|
+ "%e;";
|
|
+ const char *const inputTwo = "<!DOCTYPE d [\n"
|
|
+ "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
|
|
+ "\n"
|
|
+ "%e2;";
|
|
+ const char *const inputThree = "<!DOCTYPE d [\n"
|
|
+ "<!ENTITY % e ']><d'>\n"
|
|
+ "\n"
|
|
+ "%e;";
|
|
+ const char *const inputIssue317 = "<!DOCTYPE doc [\n"
|
|
+ "<!ENTITY % foo ']>\n"
|
|
+ "<doc>Hell<oc (#PCDATA)*>'>\n"
|
|
+ "%foo;\n"
|
|
+ "]>\n"
|
|
+ "<doc>Hello, world</dVc>";
|
|
+
|
|
+ const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
|
|
+ size_t inputIndex = 0;
|
|
+
|
|
+ for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
|
|
+ XML_Parser parser;
|
|
+ enum XML_Status parseResult;
|
|
+ int setParamEntityResult;
|
|
+ XML_Size lineNumber;
|
|
+ XML_Size columnNumber;
|
|
+ const char *const input = inputs[inputIndex];
|
|
+
|
|
+ parser = XML_ParserCreate(NULL);
|
|
+ setParamEntityResult
|
|
+ = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
|
|
+ if (setParamEntityResult != 1)
|
|
+ fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
|
|
+
|
|
+ parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
|
|
+ if (parseResult != XML_STATUS_ERROR) {
|
|
+ parseResult = XML_Parse(parser, "", 0, 1);
|
|
+ if (parseResult != XML_STATUS_ERROR) {
|
|
+ fail("Parsing was expected to fail but succeeded.");
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
|
|
+ fail("Error code does not match XML_ERROR_INVALID_TOKEN");
|
|
+
|
|
+ lineNumber = XML_GetCurrentLineNumber(parser);
|
|
+ if (lineNumber != 4)
|
|
+ fail("XML_GetCurrentLineNumber does not work as expected.");
|
|
+
|
|
+ columnNumber = XML_GetCurrentColumnNumber(parser);
|
|
+ if (columnNumber != 0)
|
|
+ fail("XML_GetCurrentColumnNumber does not work as expected.");
|
|
+
|
|
+ XML_ParserFree(parser);
|
|
+ }
|
|
+}
|
|
+END_TEST
|
|
+#endif
|
|
+
|
|
static void
|
|
run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
|
|
{
|
|
@@ -12210,6 +12273,9 @@ make_suite(void)
|
|
tcase_add_test(tc_misc, test_misc_features);
|
|
tcase_add_test(tc_misc, test_misc_attribute_leak);
|
|
tcase_add_test(tc_misc, test_misc_utf16le);
|
|
+#ifdef XML_DTD
|
|
+ tcase_add_test(tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
|
|
+#endif
|
|
|
|
suite_add_tcase(s, tc_alloc);
|
|
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
|