File expat-CVE-2022-43680.patch of Package expat.35320

Overview Repositories Revisions Requests Users Attributes Meta

File expat-CVE-2022-43680.patch of Package expat.35320

Index: expat-2.1.0/Changes
===================================================================
--- expat-2.1.0.orig/Changes
+++ expat-2.1.0/Changes
@@ -1,3 +1,7 @@
+#616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
+                  destruction of a shared DTD in function
+                  XML_ExternalEntityParserCreate in out-of-memory situations
+
 Release 2.1.0 Sat March 24 2012
         - Bug Fixes:
           #1742315: Harmful XML_ParserCreateNS suggestion.
Index: expat-2.1.0/lib/xmlparse.c
===================================================================
--- expat-2.1.0.orig/lib/xmlparse.c
+++ expat-2.1.0/lib/xmlparse.c
@@ -858,6 +858,14 @@ parserCreate(const XML_Char *encodingNam
   parserInit(parser, encodingName);
 
   if (encodingName && !protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      parser->m_dtd = NULL;
+    }
     XML_ParserFree(parser);
     return NULL;
   }
Index: expat-2.1.0/tests/runtests.c
===================================================================
--- expat-2.1.0.orig/tests/runtests.c
+++ expat-2.1.0/tests/runtests.c
@@ -55,6 +55,16 @@
 
 static XML_Parser parser;
 
+static void
+tcase_add_test__ifdef_xml_dtd(TCase *tc, tcase_test_function test) {
+#ifdef XML_DTD
+  tcase_add_test(tc, test);
+#else
+  UNUSED_P(tc);
+  UNUSED_P(test);
+#endif
+}
+
 
 static void
 basic_setup(void)
@@ -1742,12 +1752,64 @@ START_TEST(test_get_buffer_3_overflow) {
 END_TEST
 #endif // defined(XML_CONTEXT_BYTES)
 
+#define ALLOC_ALWAYS_SUCCEED (-1)
+static int allocation_count = ALLOC_ALWAYS_SUCCEED;
+
+
+static int XMLCALL
+external_entity_parser_create_alloc_fail_handler(XML_Parser the_parser,
+                                                 const XML_Char *context,
+                                                 const XML_Char *base,
+                                                 const XML_Char *systemId,
+                                                 const XML_Char *publicId) {
+//   UNUSED_P(base);
+//   UNUSED_P(systemId);
+//   UNUSED_P(publicId);
+
+  if (context != NULL)
+    fail("Unexpected non-NULL context");
+
+  // The following number intends to fail the upcoming allocation in line
+  // "parser->m_protocolEncodingName = copyString(encodingName,
+  // &(parser->m_mem));" in function parserInit.
+  allocation_count = 3;
+
+  const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
+  const XML_Parser ext_parser
+      = XML_ExternalEntityParserCreate(the_parser, context, encodingName);
+  if (ext_parser != NULL)
+    fail(
+        "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
+
+  allocation_count = ALLOC_ALWAYS_SUCCEED;
+  return XML_STATUS_ERROR;
+}
+
+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
+  const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
+
+  XML_SetExternalEntityRefHandler(
+      parser, external_entity_parser_create_alloc_fail_handler);
+  XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
+
+  if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE)
+      != XML_STATUS_ERROR)
+    fail("Call to parse was expected to fail");
+
+  if (XML_GetErrorCode(parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
+    fail("Call to parse was expected to fail from the external entity handler");
+
+  XML_ParserReset(parser, NULL);
+}
+END_TEST
+
 static Suite *
 make_suite(void)
 {
     Suite *s = suite_create("basic");
     TCase *tc_basic = tcase_create("basic tests");
     TCase *tc_namespace = tcase_create("XML namespaces");
+    TCase *tc_alloc = tcase_create("allocation tests");
 
     suite_add_tcase(s, tc_basic);
     tcase_add_checked_fixture(tc_basic, basic_setup, basic_teardown);
@@ -1817,6 +1879,8 @@ make_suite(void)
     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
     tcase_add_test(tc_namespace, test_ns_separator_in_uri);
 
+    tcase_add_test__ifdef_xml_dtd(tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
+
 #if defined(XML_CONTEXT_BYTES)
     tcase_add_test(tc_basic, test_get_buffer_3_overflow);
 #endif

Places

File expat-CVE-2022-43680.patch of Package expat.35320

Places