File Fix-for-CVE-2021-26221-ezxml-bug-21.patch of Package netcdf.21642

Overview Repositories Revisions Requests Users Attributes Meta

File Fix-for-CVE-2021-26221-ezxml-bug-21.patch of Package netcdf.21642

From: Egbert Eich <eich@suse.com>
Date: Mon Oct 25 15:44:54 2021 +0200
Subject: Fix for CVE-2021-26221 / ezxml bug 21
Patch-mainline: Not yet
Git-commit: 9c8180f466dc672dc5fd7ce8513bb4994ad84364
References:

Make sure malloc() succeeds.

This fixes
 https://sourceforge.net/p/ezxml/bugs/21/

Signed-off-by: Egbert Eich <eich@suse.com>
---
 libdap4/ezxml.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libdap4/ezxml.c b/libdap4/ezxml.c
index 17b2eb8..fb470df 100644
--- a/libdap4/ezxml.c
+++ b/libdap4/ezxml.c
@@ -485,6 +485,7 @@ ezxml_t ezxml_parse_str(char *s, size_t len)
     char q, e, *d, **attr, **a = NULL; /* initialize a to avoid compile warning*/
     int l, i, j;
 
+    if (!root) return NULL; // bug#21 / CVE-2021-26221
     root->m = s;
     if (! len) return ezxml_err(root, NULL, "root tag missing");
     root->u = ezxml_str2utf8(&s, &len); /* convert utf-16 to utf-8*/
@@ -806,8 +807,9 @@ ezxml_t ezxml_new(const char *name)
 {
     static char *ent[] = { "lt;", "&#60;", "gt;", "&#62;", "quot;", "&#34;",
                            "apos;", "&#39;", "amp;", "&#38;", NULL };
-    ezxml_root_t root = (ezxml_root_t)memset(malloc(sizeof(struct ezxml_root)), 
-                                             '\0', sizeof(struct ezxml_root));
+    ezxml_root_t root;
+    if (!(root  = malloc(sizeof(struct ezxml_root)))) return NULL;  // bug#21
+    root = (ezxml_root_t)memset(root, '\0', sizeof(struct ezxml_root));
     root->xml.name = (char *)name;
     root->cur = &root->xml;
     strcpy(root->err, root->xml.txt = "");

Places

File Fix-for-CVE-2021-26221-ezxml-bug-21.patch of Package netcdf.21642

Places