Wed Aug 1 14:51:37 2012 UTC ()
add patches from upstream to fix integer overflows which can cause
DoS or possibly other corruption (CVE-2012-2807)
bump PKGREV


(drochner)
diff -r1.118 -r1.119 pkgsrc/textproc/libxml2/Makefile
diff -r1.93 -r1.94 pkgsrc/textproc/libxml2/distinfo
diff -r0 -r1.1 pkgsrc/textproc/libxml2/patches/patch-ba
diff -r0 -r1.1 pkgsrc/textproc/libxml2/patches/patch-bb

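--- a/pkgsrc/textproc/libxml2/Makefile
+++ b/pkgsrc/textproc/libxml2/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.118 2012/06/14 07:39:36 sbd Exp $
+# $NetBSD: Makefile,v 1.119 2012/08/01 14:51:37 drochner Exp $
 
 DISTNAME= libxml2-2.8.0
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
  http://xmlsoft.org/sources/
 #MASTER_SITES= ${MASTER_SITE_GNOME:=sources/libxml2/2.7/}
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://xmlsoft.org/
 COMMENT= XML parser library from the GNOME project
 LICENSE= modified-bsd
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 PKG_DESTDIR_SUPPORT= user-destdir
 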

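--- a/pkgsrc/textproc/libxml2/distinfo
+++ b/pkgsrc/textproc/libxml2/distinfo
@@ -1,15 +1,17 @@
-$NetBSD: distinfo,v 1.93 2012/06/03 22:18:33 wiz Exp $
+$NetBSD: distinfo,v 1.94 2012/08/01 14:51:37 drochner Exp $
 
 SHA1 (libxml2-2.8.0.tar.gz) = a0c553bd51ba79ab6fff26dc700004c6a41f5250
 RMD160 (libxml2-2.8.0.tar.gz) = 45820c9f4939f642a87be9259c55fd081ea6759a
 Size (libxml2-2.8.0.tar.gz) = 4915203 bytes
 SHA1 (patch-aa) = 9e19e9218d2e209bf49e9491842c8097005eba65
 SHA1 (patch-ab) = df6ced03469ca56bc9e1e4227557163c94cfb014
 SHA1 (patch-ac) = 264c75cf9fff5319105b971c122cdf5fc103c04e
 SHA1 (patch-ad) = cd45da492b02cce9983c46762839f68b8b1e0177
 SHA1 (patch-ae) = b8d8e0275cab3caafd98275ac22b63951fc4b5fd
 SHA1 (patch-ag) = 30ec5c8daece4aba75a02bbc13db5373542dea7b
 SHA1 (patch-aj) = faa126261b388aeed3a83c4d9c0b127629dd93ab
 SHA1 (patch-am) = ae7ab69b7bba2271d2d996161cc8b9956d0b06fa
+SHA1 (patch-ba) = 0866f7a4f9639b2b9c50b4c4cb30d5445f453adc
+SHA1 (patch-bb) = 1a5d07c618db2ad56b3b4f39f54bd3d0d4a37403
 SHA1 (patch-testapi.c) = 63a0a34c8ca98d9214c4d3391e97d9a9ca4569f8
 SHA1 (patch-threads.c) = 38bf7d702c21057795eec88d4e239b5df598382d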

File Added: pkgsrc/textproc/libxml2/patches/Attic/patch-ba
$NetBSD: patch-ba,v 1.1 2012/08/01 14:51:37 drochner Exp $

upstream commit 459eeb9dc752d5185f57ff6b135027f11981a626
for CVE-2012-2807

--- parser.c.orig	2012-05-18 07:30:30.000000000 +0000
+++ parser.c
@@ -40,6 +40,7 @@
 #endif
 
 #include <stdlib.h>
+#include <limits.h>
 #include <string.h>
 #include <stdarg.h>
 #include <libxml/xmlmemory.h>
@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const 
  * parser option.
  */
 static int
-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size,
+xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
                      xmlEntityPtr ent)
 {
-    unsigned long consumed = 0;
+    size_t consumed = 0;
 
     if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
         return (0);
@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxt
 
 /*
  * Macro used to grow the current buffer.
+ * buffer##_size is expected to be a size_t
+ * mem_error: is expected to handle memory allocation failures
  */
 #define growBuffer(buffer, n) {						\
     xmlChar *tmp;							\
-    buffer##_size *= 2;							\
-    buffer##_size += n;							\
-    tmp = (xmlChar *)							\
-		xmlRealloc(buffer, buffer##_size * sizeof(xmlChar));	\
+    size_t new_size = buffer##_size * 2 + n;                            \
+    if (new_size < buffer##_size) goto mem_error;                       \
+    tmp = (xmlChar *) xmlRealloc(buffer, new_size);                     \
     if (tmp == NULL) goto mem_error;					\
     buffer = tmp;							\
+    buffer##_size = new_size;                                           \
 }
 
 /**
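Review bot: The wrap test in `growBuffer` runs only after the arithmetic (`if (new_size < buffer##_size)`), and the macro argument `n` is expanded unparenthesised in `buffer##_size * 2 + n`. For a doubling plus an addend the after-the-fact comparison is not exact: a sum that wraps to a value equal to or above the old size passes the test, although this seems reachable only for sizes within `n` of the type's maximum, which an allocator would not have handed out. A bound checked before computing is easier to audit: declare `size_t new_size;` first, then `if (buffer##_size > ((size_t)-1 - (n)) / 2) goto mem_error;` and `new_size = buffer##_size * 2 + (n);`. The same macro still uses a bare `{ ... }` body rather than `do { ... } while (0)`, which is worth fixing while the macro is being touched.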
@@ -2623,14 +2626,14 @@ xmlChar *
 xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
 		      int what, xmlChar end, xmlChar  end2, xmlChar end3) {
     xmlChar *buffer = NULL;
-    int buffer_size = 0;
+    size_t buffer_size = 0;
+    size_t nbchars = 0;
 
     xmlChar *current = NULL;
     xmlChar *rep = NULL;
     const xmlChar *last;
     xmlEntityPtr ent;
     int c,l;
-    int nbchars = 0;
 
     if ((ctxt == NULL) || (str == NULL) || (len < 0))
 	return(NULL);
@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
      * allocate a translation buffer.
      */
     buffer_size = XML_PARSER_BIG_BUFFER_SIZE;
-    buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar));
+    buffer = (xmlChar *) xmlMallocAtomic(buffer_size);
     if (buffer == NULL) goto mem_error;
 
     /*
@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 	    if (val != 0) {
 		COPY_BUF(0,buffer,nbchars,val);
 	    }
-	    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+	    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
 	        growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
 	    }
 	} else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) {
@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 		(ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
 		if (ent->content != NULL) {
 		    COPY_BUF(0,buffer,nbchars,ent->content[0]);
-		    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
+		    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
 			growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
 		    }
 		} else {
@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 		    current = rep;
 		    while (*current != 0) { /* non input consuming loop */
 			buffer[nbchars++] = *current++;
-			if (nbchars >
-		            buffer_size - XML_PARSER_BUFFER_SIZE) {
+			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
 			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
 				goto int_error;
 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 		const xmlChar *cur = ent->name;
 
 		buffer[nbchars++] = '&';
-		if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+		if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) {
 		    growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
 		}
 		for (;i > 0;i--)
@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 		    current = rep;
 		    while (*current != 0) { /* non input consuming loop */
 			buffer[nbchars++] = *current++;
-			if (nbchars >
-		            buffer_size - XML_PARSER_BUFFER_SIZE) {
+			if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
 			    if (xmlParserEntityCheck(ctxt, nbchars, ent))
 			        goto int_error;
 			    growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt
 	} else {
 	    COPY_BUF(l,buffer,nbchars,c);
 	    str += l;
-	    if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) {
-	      growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
+	    if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
+	        growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
 	    }
 	}
 	if (str < last)
@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
     xmlChar limit = 0;
     xmlChar *buf = NULL;
     xmlChar *rep = NULL;
-    int len = 0;
-    int buf_size = 0;
+    size_t len = 0;
+    size_t buf_size = 0;
     int c, l, in_space = 0;
     xmlChar *current = NULL;
     xmlEntityPtr ent;
@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
      * allocate a translation buffer.
      */
     buf_size = XML_PARSER_BUFFER_SIZE;
-    buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar));
+    buf = (xmlChar *) xmlMallocAtomic(buf_size);
     if (buf == NULL) goto mem_error;
 
     /*
@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 
 		if (val == '&') {
 		    if (ctxt->replaceEntities) {
-			if (len > buf_size - 10) {
+			if (len + 10 > buf_size) {
 			    growBuffer(buf, 10);
 			}
 			buf[len++] = '&';
@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 			 * The reparsing will be done in xmlStringGetNodeList()
 			 * called by the attribute() function in SAX.c
 			 */
-			if (len > buf_size - 10) {
+			if (len + 10 > buf_size) {
 			    growBuffer(buf, 10);
 			}
 			buf[len++] = '&';
@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 			buf[len++] = ';';
 		    }
 		} else if (val != 0) {
-		    if (len > buf_size - 10) {
+		    if (len + 10 > buf_size) {
 			growBuffer(buf, 10);
 		    }
 		    len += xmlCopyChar(0, &buf[len], val);
@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 		    ctxt->nbentities += ent->owner;
 		if ((ent != NULL) &&
 		    (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) {
-		    if (len > buf_size - 10) {
+		    if (len + 10 > buf_size) {
 			growBuffer(buf, 10);
 		    }
 		    if ((ctxt->replaceEntities == 0) &&
@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
                                     current++;
                                 } else
                                     buf[len++] = *current++;
-				if (len > buf_size - 10) {
+				if (len + 10 > buf_size) {
 				    growBuffer(buf, 10);
 				}
 			    }
@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 			    rep = NULL;
 			}
 		    } else {
-			if (len > buf_size - 10) {
+			if (len + 10 > buf_size) {
 			    growBuffer(buf, 10);
 			}
 			if (ent->content != NULL)
@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 		     * Just output the reference
 		     */
 		    buf[len++] = '&';
-		    while (len > buf_size - i - 10) {
+		    while (len + i + 10 > buf_size) {
 			growBuffer(buf, i + 10);
 		    }
 		    for (;i > 0;i--)
@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 	        if ((len != 0) || (!normalize)) {
 		    if ((!normalize) || (!in_space)) {
 			COPY_BUF(l,buf,len,0x20);
-			while (len > buf_size - 10) {
+			while (len + 10 > buf_size) {
 			    growBuffer(buf, 10);
 			}
 		    }
@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
 	    } else {
 	        in_space = 0;
 		COPY_BUF(l,buf,len,c);
-		if (len > buf_size - 10) {
+		if (len + 10 > buf_size) {
 		    growBuffer(buf, 10);
 		}
 	    }
@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr
         }
     } else
 	NEXT;
-    if (attlen != NULL) *attlen = len;
+
+    /*
+     * There we potentially risk an overflow, don't allow attribute value of
+     * lenght more than INT_MAX it is a very reasonnable assumption !
+     */
+    if (len >= INT_MAX) {
+        xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+                       "AttValue lenght too long\n");
+        goto mem_error;
+    }
+
+    if (attlen != NULL) *attlen = (int) len;
     return(buf);
 
 mem_error:
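Review bot: The `len >= INT_MAX` bound is tested once, after the parsing loop has already accumulated the whole attribute value, so it protects the `(int) len` conversion but does not limit memory use; input can still grow `buf` to about 2 GiB before it is rejected. Testing the bound where `growBuffer(buf, ...)` is called would reject such input earlier. The rejection path also jumps to `mem_error`, whose body lies outside this hunk; if that label reports an allocation failure, callers get an out-of-memory error stacked on the XML_ERR_ATTRIBUTE_NOT_FINISHED one, so a dedicated label or a comment explaining the reuse would help. The new comment and message misspell two words ("lenght", "reasonnable"); the string should read `"AttValue length too long\n"`.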

File Added: pkgsrc/textproc/libxml2/patches/Attic/patch-bb
$NetBSD: patch-bb,v 1.1 2012/08/01 14:51:37 drochner Exp $

upstream commits 4f9fdc709c4861c390cd84e2ed1fd878b3442e28
and baaf03f80f817bb34c421421e6cb4d68c353ac9a
related to CVE-2012-2807

--- entities.c.orig	2010-02-15 10:58:14.000000000 +0000
+++ entities.c
@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml
  * Macro used to grow the current buffer.
  */
 #define growBufferReentrant() {						\
-    buffer_size *= 2;							\
-    buffer = (xmlChar *)						\
-    		xmlRealloc(buffer, buffer_size * sizeof(xmlChar));	\
-    if (buffer == NULL) {						\
-        xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\
-	return(NULL);							\
-    }									\
+    xmlChar *tmp;                                                       \
+    size_t new_size = buffer_size * 2;                                  \
+    if (new_size < buffer_size) goto mem_error;                         \
+    tmp = (xmlChar *) xmlRealloc(buffer, new_size);	                \
+    if (tmp == NULL) goto mem_error;                                    \
+    buffer = tmp;							\
+    buffer_size = new_size;						\
 }
 
 
@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     const xmlChar *cur = input;
     xmlChar *buffer = NULL;
     xmlChar *out = NULL;
-    int buffer_size = 0;
+    size_t buffer_size = 0;
     int html = 0;
 
     if (input == NULL) return(NULL);
@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     out = buffer;
 
     while (*cur != '\0') {
-        if (out - buffer > buffer_size - 100) {
-	    int indx = out - buffer;
+        size_t indx = out - buffer;
+        if (indx + 100 > buffer_size) {
 
 	    growBufferReentrant();
 	    out = &buffer[indx];
@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc
     }
     *out = 0;
     return(buffer);
+
+mem_error:
+    xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");
+    xmlFree(buffer);
+    return(NULL);
 }
 
 /**
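Review bot: The new `mem_error` label is reached only through the `goto`s hidden inside `growBufferReentrant()`, and nothing here or in the macro's comment says so, unlike the `growBuffer` comment added in parser.c. I would add to the macro comment a line such as `* mem_error: is expected to free buffer and return NULL`, so that a later user of the macro does not omit the label or leak `buffer`. The message passed to `xmlEntitiesErrMemory` says "realloc failed" even when the jump came from the `new_size < buffer_size` wrap test; wording such as `"xmlEncodeEntitiesReentrant: buffer growth failed"` covers both cases. Both remarks apply equally to the `mem_error` label added to `xmlEncodeSpecialChars` in the last hunk.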
@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     const xmlChar *cur = input;
     xmlChar *buffer = NULL;
     xmlChar *out = NULL;
-    int buffer_size = 0;
+    size_t buffer_size = 0;
     if (input == NULL) return(NULL);
 
     /*
@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     out = buffer;
 
     while (*cur != '\0') {
-        if (out - buffer > buffer_size - 10) {
-	    int indx = out - buffer;
+        size_t indx = out - buffer;
+        if (indx + 10 > buffer_size) {
 
 	    growBufferReentrant();
 	    out = &buffer[indx];
@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR
     }
     *out = 0;
     return(buffer);
+
+mem_error:
+    xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed");
+    xmlFree(buffer);
+    return(NULL);
 }
 
 /**