Projects
Mega:23.03
libxml2
_service:tar_scm:backport-CVE-2022-40304-Fix-di...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2022-40304-Fix-dict-corruption-caused-by-entity-.patch of Package libxml2
From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnhofer@aevum.de> Date: Wed, 31 Aug 2022 22:11:25 +0200 Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity reference cycles When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees. Stop storing entity content, orig, ExternalID and SystemID in a dict. These values are unlikely to occur multiple times in a document, so they shouldn't have been stored in a dict in the first place. Thanks to Ned Williamson and Nathan Wachholz working with Google Project Zero for the report! --- entities.c | 55 ++++++++++++++++-------------------------------------- 1 file changed, 16 insertions(+), 39 deletions(-) diff --git a/entities.c b/entities.c index 84435515..d4e5412e 100644 --- a/entities.c +++ b/entities.c @@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity) if ((entity->children) && (entity->owner == 1) && (entity == (xmlEntityPtr) entity->children->parent)) xmlFreeNodeList(entity->children); - if (dict != NULL) { - if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) - xmlFree((char *) entity->name); - if ((entity->ExternalID != NULL) && - (!xmlDictOwns(dict, entity->ExternalID))) - xmlFree((char *) entity->ExternalID); - if ((entity->SystemID != NULL) && - (!xmlDictOwns(dict, entity->SystemID))) - xmlFree((char *) entity->SystemID); - if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) - xmlFree((char *) entity->URI); - if ((entity->content != NULL) - && (!xmlDictOwns(dict, entity->content))) - xmlFree((char *) entity->content); - if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) - xmlFree((char *) entity->orig); - } else { - if (entity->name != NULL) - xmlFree((char *) entity->name); - if (entity->ExternalID != NULL) - xmlFree((char *) entity->ExternalID); - if (entity->SystemID != NULL) - xmlFree((char *) entity->SystemID); - if (entity->URI != NULL) - xmlFree((char *) entity->URI); - if (entity->content != NULL) - xmlFree((char *) entity->content); - if (entity->orig != NULL) - xmlFree((char *) entity->orig); - } + if ((entity->name != NULL) && + ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) + xmlFree((char *) entity->name); + if (entity->ExternalID != NULL) + xmlFree((char *) entity->ExternalID); + if (entity->SystemID != NULL) + xmlFree((char *) entity->SystemID); + if (entity->URI != NULL) + xmlFree((char *) entity->URI); + if (entity->content != NULL) + xmlFree((char *) entity->content); + if (entity->orig != NULL) + xmlFree((char *) entity->orig); xmlFree(entity); } @@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, ret->SystemID = xmlStrdup(SystemID); } else { ret->name = xmlDictLookup(dict, name, -1); - if (ExternalID != NULL) - ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); - if (SystemID != NULL) - ret->SystemID = xmlDictLookup(dict, SystemID, -1); + ret->ExternalID = xmlStrdup(ExternalID); + ret->SystemID = xmlStrdup(SystemID); } if (content != NULL) { ret->length = xmlStrlen(content); - if ((dict != NULL) && (ret->length < 5)) - ret->content = (xmlChar *) - xmlDictLookup(dict, content, ret->length); - else - ret->content = xmlStrndup(content, ret->length); + ret->content = xmlStrndup(content, ret->length); } else { ret->length = 0; ret->content = NULL; -- 2.27.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2