860c603684
- Security fix (CVE-2019-15903, bsc#1149429) * Crafted XML input results in heap-based buffer over-read by fooling the parser into changing from DTD parsing to document parsing * Added patches: - expat-CVE-2019-15903.patch - expat-CVE-2019-15903-tests.patch OBS-URL: https://build.opensuse.org/request/show/730208 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=78
From c20b758c332d9a13afbbb276d30db1d183a85d43 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 28 Aug 2019 00:24:59 +0200
Subject: [PATCH] xmlparse.c: Deny internal entities closing the doctype
---
expat/lib/xmlparse.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
Index: expat-2.2.5/lib/xmlparse.c
===================================================================
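--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
 static enum XML_Error
 doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
 const char *end, int tok, const char *next, const char **nextPtr,
- XML_Bool haveMore);
+ XML_Bool haveMore, XML_Bool allowClosingDoctype);
 static enum XML_Error
 processInternalEntity(XML_Parser parser, ENTITY *entity,
 XML_Bool betweenDecl);
@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
 
 parser->m_processor = prologProcessor;
 return doProlog(parser, parser->m_encoding, s, end, tok, next,
- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
 }
 
 static enum XML_Error PTRCALL
@@ -4268,7 +4268,7 @@ prologProcessor(XML_Parser parser,
 const char *next = s;
 int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
 return doProlog(parser, parser->m_encoding, s, end, tok, next,
- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
 }
 
 static enum XML_Error
@@ -4279,7 +4279,8 @@ doProlog(XML_Parser parser,
 int tok,
 const char *next,
 const char **nextPtr,
- XML_Bool haveMore)
+ XML_Bool haveMore,
+ XML_Bool allowClosingDoctype)
 {
 #ifdef XML_DTD
 static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
@@ -4458,6 +4459,11 @@ doProlog(XML_Parser parser,
 }
 break;
 case XML_ROLE_DOCTYPE_CLOSE:
+ if (allowClosingDoctype != XML_TRUE) {
+ /* Must not close doctype from within expanded parameter entities */
+ return XML_ERROR_INVALID_TOKEN;
+ }
+
 if (parser->m_doctypeName) {
 parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
 parser->m_doctypeSysid, parser->m_doctypePubid, 0);
@@ -5395,7 +5401,7 @@ processInternalEntity(XML_Parser parser,
 if (entity->is_param) {
 int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
 result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
- next, &next, XML_FALSE);
+ next, &next, XML_FALSE, XML_FALSE);
 }
 else
 #endif /* XML_DTD */
@@ -5442,7 +5448,7 @@ internalEntityProcessor(XML_Parser parse
 if (entity->is_param) {
 int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
 result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
- next, &next, XML_FALSE);
+ next, &next, XML_FALSE, XML_TRUE);
 }
 else
 #endif /* XML_DTD */
@@ -5469,7 +5475,7 @@ internalEntityProcessor(XML_Parser parse
 parser->m_processor = prologProcessor;
 tok = XmlPrologTok(parser->m_encoding, s, end, &next);
 return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
 }
 else
 #endif /* XML_DTD */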
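Review bot: The two `entity->is_param` call sites pass opposite values for the new flag and nothing in the patch says why: `processInternalEntity` calls `doProlog(..., XML_FALSE, XML_FALSE)`, while the `is_param` branch of `internalEntityProcessor` passes `XML_FALSE, XML_TRUE` for what looks like the same kind of input (entity text between `textStart` and `textEnd`, tokenised with `m_internalEncoding`). If the difference is intended, a comment at the second call, e.g. `/* allowClosingDoctype is XML_TRUE here because <reason> */`, would stop a later reader from flipping it. If it is not intended, the resumed-entity path may still be able to reach `XML_ROLE_DOCTYPE_CLOSE`, and it deserves its own regression test next to the one for the direct path. The new parameter is also undocumented at the `doProlog` declaration, although every caller now has to choose a value, and `if (allowClosingDoctype != XML_TRUE)` would read more plainly as `if (! allowClosingDoctype)`. All the functions touched start and end outside the hunks shown, so this rests only on the visible call lines.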