File libxml2-2.9.1-CVE-2016-1835.patch of Package libxml2.4858
From 38eae571111db3b43ffdeb05487c9f60551906fb Mon Sep 17 00:00:00 2001
From: Pranjal Jumde <pjumde@apple.com>
Date: Mon, 7 Mar 2016 14:04:08 -0800
Subject: Heap use-after-free in xmlSAX2AttributeNs
For https://bugzilla.gnome.org/show_bug.cgi?id=759020
* parser.c: (xmlParseStartTag2): Attribute strings are only valid if the base does not change, so add another check where the base may change. Make sure to set 'attvalue' to NULL after freeing it.
* result/errors/759020.xml: Added.
* result/errors/759020.xml.err: Added.
* result/errors/759020.xml.str: Added.
* test/errors/759020.xml: Added test case.
---
 parser.c | 12 ++++++++++--
 result/errors/759020.xml | 0
 result/errors/759020.xml.err | 6 ++++++
 result/errors/759020.xml.str | 7 +++++++
 test/errors/759020.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 result/errors/759020.xml
 create mode 100644 result/errors/759020.xml.err
 create mode 100644 result/errors/759020.xml.str
 create mode 100644 test/errors/759020.xml
Index: libxml2-2.9.1/parser.c
===================================================================
--- libxml2-2.9.1.orig/parser.c
+++ libxml2-2.9.1/parser.c
@@ -9410,8 +9410,13 @@ reparse:
 else
 if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
 skip_default_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
 SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
 continue;
 }
 if (aprefix == ctxt->str_xmlns) {
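Review bot: The new `goto base_changed` after `SKIP_BLANKS` in the `skip_default_ns` path has no comment, so the reason for the check lives only in the commit message. A short comment above it, such as `/* attribute strings are only valid while ctxt->input->base is unchanged */`, would keep the invariant next to the code; the same comment fits the check that already appears as context in the `skip_ns` hunk. Both hunks also leave `alloc` non-zero after freeing `attvalue`; the added `attvalue != NULL` guard covers these two sites, but any free of `attvalue` outside the visible hunks that tests only `alloc` would presumably need the same guard, or `alloc = 0;` could be added next to `attvalue = NULL;`. The enclosing function starts and ends outside the hunk, so this should be confirmed against the rest of xmlParseStartTag2.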
@@ -9483,7 +9488,10 @@ skip_default_ns: else if (nsPush(ctxt, attname, URL) > 0) nbNs++; skip_ns: - if (alloc != 0) xmlFree(attvalue); + if ((attvalue != NULL) && (alloc != 0)) { + xmlFree(attvalue); + attvalue = NULL; + } SKIP_BLANKS; if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr)) goto base_changed; Index: libxml2-2.9.1/result/errors/759020.xml.err =================================================================== --- /dev/null +++ libxml2-2.9.1/result/errors/759020.xml.err @@ -0,0 +1,6 @@ +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute +0000000000000000000000000000000000000000000000000000000000000000000000000000000' + ^ +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2 + + ^ Index: libxml2-2.9.1/result/errors/759020.xml.str =================================================================== --- /dev/null +++ libxml2-2.9.1/result/errors/759020.xml.str 
@@ -0,0 +1,7 @@ +./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute +0000000000000000000000000000000000000000000000000000000000000000000000000000000' + ^ +./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 + + ^ +./test/errors/759020.xml : failed to parse Index: libxml2-2.9.1/test/errors/759020.xml =================================================================== --- /dev/null +++ libxml2-2.9.1/test/errors/759020.xml 
@@ -0,0 +1,46 @@ +<?l 00000000000000000000000000000?> +<s00 w0000="000" h00000="000" + xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file