File expat-CVE-2024-45490.patch of Package expat.35528

Overview Repositories Revisions Requests Users Attributes Meta

File expat-CVE-2024-45490.patch of Package expat.35528

From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 19 Aug 2024 22:26:07 +0200
Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer

Reported by TaiYou
---
 expat/lib/xmlparse.c | 6 ++++++
 1 file changed, 6 insertions(+)

Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c
+++ expat-2.1.0/lib/xmlparse.c
@@ -1715,6 +1715,14 @@ XML_ParseBuffer(XML_Parser parser, int l
   const char *start;
   enum XML_Status result = XML_STATUS_OK;
 
+  if (parser == NULL)
+    return XML_STATUS_ERROR;
+
+  if (len < 0) {
+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
+    return XML_STATUS_ERROR;
+  }
+
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;
@@ -2080,7 +2088,8 @@ XML_ErrorString(enum XML_Error code)
     XML_L("cannot suspend in external parameter entity"),
     XML_L("reserved prefix (xml) must not be undeclared or bound to another namespace name"),
     XML_L("reserved prefix (xmlns) must not be declared or undeclared"),
-    XML_L("prefix must not be bound to one of the reserved namespace names")
+    XML_L("prefix must not be bound to one of the reserved namespace names"),
+    XML_L("invalid argument")
   };
   if (code > 0 && code < sizeof(message)/sizeof(message[0]))
     return message[code];
Index: expat-2.1.0/doc/reference.html
===================================================================
--- expat-2.1.0.orig/doc/reference.html
+++ expat-2.1.0/doc/reference.html
@@ -1048,7 +1048,9 @@ containing part (or perhaps all) of the
 that are part of the document is indicated by <code>len</code>. This means
 that <code>s</code> doesn't have to be null terminated. It also means that
 if <code>len</code> is larger than the number of bytes in the block of
-memory that <code>s</code> points at, then a memory fault is likely. The
+memory that <code>s</code> points at, then a memory fault is likely.
+Negative values for <code>len</code> are rejected since Expat 2.2.1.
+The
 <code>isFinal</code> parameter informs the parser that this is the last
 piece of the document. Frequently, the last piece is empty (i.e.
 <code>len</code> is zero.)
@@ -1063,11 +1065,17 @@ XML_ParseBuffer(XML_Parser p,
                 int isFinal);
 </pre>
 <div class="fcndef">
+<p>
 This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
 except in this case Expat provides the buffer.  By obtaining the
 buffer from Expat with the <code><a href= "#XML_GetBuffer"
 >XML_GetBuffer</a></code> function, the application can avoid double
 copying of the input.
+</p>
+
+<p>
+Negative values for <code>len</code> are rejected since Expat 2.6.3.
+</p>
 </div>
 
 <pre class="fcndec" id="XML_GetBuffer">
Index: expat-2.1.0/lib/expat.h
===================================================================
--- expat-2.1.0.orig/lib/expat.h
+++ expat-2.1.0/lib/expat.h
@@ -95,7 +95,8 @@ enum XML_Error {
   /* Added in 2.0. */
   XML_ERROR_RESERVED_PREFIX_XML,
   XML_ERROR_RESERVED_PREFIX_XMLNS,
-  XML_ERROR_RESERVED_NAMESPACE_URI
+  XML_ERROR_RESERVED_NAMESPACE_URI,
+  XML_ERROR_INVALID_ARGUMENT
 };
 
 enum XML_Content_Type {

Places

File expat-CVE-2024-45490.patch of Package expat.35528

Places