diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-11-15 14:16:57 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-11-18 17:47:40 -0500 |
| commit | ee6bb0cc763507b165674dbe03c6ae5d26c8da5c (patch) | |
| tree | 34c4d1d29b5428f83113af81bc4464b432669c85 /gnu/packages/patches/libxml2-bug-754946.patch | |
| parent | 328a14e869c01ae4e33120a08a5d60c719263684 (diff) | |
gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs.
* gnu/packages/patches/libxml2-CVE-2015-1819.patch,
gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch,
gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch,
gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch,
gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch,
gnu/packages/patches/libxml2-CVE-2015-8035.patch,
gnu/packages/patches/libxml2-bug-737840.patch,
gnu/packages/patches/libxml2-bug-738805.patch,
gnu/packages/patches/libxml2-bug-746048.patch,
gnu/packages/patches/libxml2-bug-747437.patch,
gnu/packages/patches/libxml2-bug-751603.patch,
gnu/packages/patches/libxml2-bug-751631.patch,
gnu/packages/patches/libxml2-bug-754946.patch,
gnu/packages/patches/libxml2-bug-754947.patch,
gnu/packages/patches/libxml2-bug-755857.patch,
gnu/packages/patches/libxml2-fix-catalog-corruption.patch,
gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch,
gnu/packages/patches/libxml2-node-sort-order-pt1.patch,
gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/libxml2-bug-754946.patch')
| -rw-r--r-- | gnu/packages/patches/libxml2-bug-754946.patch | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/gnu/packages/patches/libxml2-bug-754946.patch b/gnu/packages/patches/libxml2-bug-754946.patch new file mode 100644 index 0000000000..3b9223efe5 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-754946.patch @@ -0,0 +1,132 @@ +From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 15 Sep 2015 16:50:32 +0800 +Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer + +For https://bugzilla.gnome.org/show_bug.cgi?id=754946 + +When hitting the end of the current input buffer while parsing +a name we could end up loosing the beginning of the name, which +led to various issues. +--- + parser.c | 29 ++++++++++++++++++++--------- + result/errors/754946.xml | 0 + result/errors/754946.xml.err | 16 ++++++++++++++++ + result/errors/754946.xml.str | 4 ++++ + test/errors/754946.xml | 1 + + 5 files changed, 41 insertions(+), 9 deletions(-) + create mode 100644 result/errors/754946.xml + create mode 100644 result/errors/754946.xml.err + create mode 100644 result/errors/754946.xml.str + create mode 100644 test/errors/754946.xml + +diff --git a/parser.c b/parser.c +index 0edd53b..fd29a39 100644 +--- a/parser.c ++++ b/parser.c +@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + if (c == 0) { + count = 0; ++ /* ++ * when shrinking to extend the buffer we really need to preserve ++ * the part of the name we already parsed. Hence rolling back ++ * by current lenght. ++ */ ++ ctxt->input->cur -= l; + GROW; ++ ctxt->input->cur += l; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + end = ctxt->input->cur; +@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + + static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { +- const xmlChar *in; ++ const xmlChar *in, *e; + const xmlChar *ret; + int count = 0; + +@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + * Accelerator for simple ASCII names + */ + in = ctxt->input->cur; +- if (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- (*in == '_')) { ++ e = ctxt->input->end; ++ if ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ (*in == '_')) && (in < e)) { + in++; +- while (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- ((*in >= 0x30) && (*in <= 0x39)) || +- (*in == '_') || (*in == '-') || +- (*in == '.')) ++ while ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ ((*in >= 0x30) && (*in <= 0x39)) || ++ (*in == '_') || (*in == '-') || ++ (*in == '.')) && (in < e)) + in++; ++ if (in >= e) ++ goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + if ((count > XML_MAX_NAME_LENGTH) && +@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + return(ret); + } + } ++complex: + return(xmlParseNCNameComplex(ctxt)); + } + +diff --git a/result/errors/754946.xml b/result/errors/754946.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +new file mode 100644 +index 0000000..423dff5 +--- /dev/null ++++ b/result/errors/754946.xml.err +@@ -0,0 +1,16 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ +diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str +new file mode 100644 +index 0000000..3b748cc +--- /dev/null ++++ b/result/errors/754946.xml.str +@@ -0,0 +1,4 @@ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ ++./test/errors/754946.xml : failed to parse +diff --git a/test/errors/754946.xml b/test/errors/754946.xml +new file mode 100644 +index 0000000..6b5f9b0 +--- /dev/null ++++ b/test/errors/754946.xml +@@ -0,0 +1 @@ ++<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![ +\ No newline at end of file +-- +2.6.3 + |