File libxml2-CVE-2017-16932.patch of Package libxml2

Overview Repositories Revisions Requests Users Attributes Meta

File libxml2-CVE-2017-16932.patch of Package libxml2

From 899a5d9f0ed13b8e32449a08a361e0de127dd961 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 25 Jul 2017 14:59:49 +0200
Subject: [PATCH] Detect infinite recursion in parameter entities

When expanding a parameter entity in a DTD, infinite recursion could
lead to an infinite loop or memory exhaustion.

Thanks to Wei Lei for the first of many reports.

Fixes bug 759579.
---
 parser.c                     | 11 ++++++++++-
 result/errors/759579.xml     |  0
 result/errors/759579.xml.err |  6 ++++++
 result/errors/759579.xml.str |  7 +++++++
 test/errors/759579.xml       | 11 +++++++++++
 5 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 result/errors/759579.xml
 create mode 100644 result/errors/759579.xml.err
 create mode 100644 result/errors/759579.xml.str
 create mode 100644 test/errors/759579.xml

Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -2267,6 +2267,13 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlP
 	xmlGenericError(xmlGenericErrorContext,
 		"Pushing input %d : %.30s\n", ctxt->inputNr+1, input->cur);
     }
+    if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
+        (ctxt->inputNr > 1024)) {
+        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+        while (ctxt->inputNr > 1)
+            xmlFreeInputStream(inputPop(ctxt));
+	return(-1);
+    }
     ret = inputPush(ctxt, input);
     if (ctxt->instate == XML_PARSER_EOF)
         return(-1);
@@ -8199,8 +8206,10 @@ xmlParsePEReference(xmlParserCtxtPtr ctx
 	     * c.f. http://www.w3.org/TR/REC-xml#as-PE
 	     */
 	    input = xmlNewEntityInputStream(ctxt, entity);
-	    if (xmlPushInput(ctxt, input) < 0)
-		return;
+	    if (xmlPushInput(ctxt, input) < 0) {
+                xmlFreeInputStream(input);
+ 		return;
+            }
 	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
 		(CMP5(CUR_PTR, '<', '?', 'x', 'm', 'l')) &&
 		(IS_BLANK_CH(NXT(5)))) {

Places

File libxml2-CVE-2017-16932.patch of Package libxml2

Places