diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-09-10 22:43:30 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-09-10 22:43:30 +0000 |
commit | 1bafa617c0923ab04e102e7e2c74de341c283785 (patch) | |
tree | 90dc49317bb51d78e0c52f262f8c649f5625c677 | |
parent | 0a7191e5c24cc0de593758a7795db6acf26cfd25 (diff) |
Fix heap overflow in libexpat 2.2.7 triggered by XML_GetCurrentLineNumber
(or XML_GetCurrentColumnNumber), and deny internal entities closing
the doctype; CVE-2019-15903
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
OK tb@
-rw-r--r-- | lib/libexpat/lib/xmlparse.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c index 4191824cd34..40f00c6eff4 100644 --- a/lib/libexpat/lib/xmlparse.c +++ b/lib/libexpat/lib/xmlparse.c @@ -357,7 +357,7 @@ initializeEncoding(XML_Parser parser); static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, int tok, const char *next, const char **nextPtr, - XML_Bool haveMore); + XML_Bool haveMore, XML_Bool allowClosingDoctype); static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl); @@ -3985,7 +3985,7 @@ externalParEntProcessor(XML_Parser parser, parser->m_processor = prologProcessor; return doProlog(parser, parser->m_encoding, s, end, tok, next, - nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); + nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } static enum XML_Error PTRCALL @@ -4035,7 +4035,7 @@ prologProcessor(XML_Parser parser, const char *next = s; int tok = XmlPrologTok(parser->m_encoding, s, end, &next); return doProlog(parser, parser->m_encoding, s, end, tok, next, - nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); + nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } static enum XML_Error @@ -4046,7 +4046,8 @@ doProlog(XML_Parser parser, int tok, const char *next, const char **nextPtr, - XML_Bool haveMore) + XML_Bool haveMore, + XML_Bool allowClosingDoctype) { #ifdef XML_DTD static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' }; @@ -4225,6 +4226,11 @@ doProlog(XML_Parser parser, } break; case XML_ROLE_DOCTYPE_CLOSE: + if (allowClosingDoctype != XML_TRUE) { + /* Must not close doctype from within expanded parameter entities */ + return XML_ERROR_INVALID_TOKEN; + } + if (parser->m_doctypeName) { parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName, parser->m_doctypeSysid, parser->m_doctypePubid, 0); @@ -5162,7 +5168,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, if (entity->is_param) { int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + next, &next, XML_FALSE, XML_FALSE); } else #endif /* XML_DTD */ @@ -5209,7 +5215,7 @@ internalEntityProcessor(XML_Parser parser, if (entity->is_param) { int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + next, &next, XML_FALSE, XML_TRUE); } else #endif /* XML_DTD */ @@ -5236,7 +5242,7 @@ internalEntityProcessor(XML_Parser parser, parser->m_processor = prologProcessor; tok = XmlPrologTok(parser->m_encoding, s, end, &next); return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, - (XML_Bool)!parser->m_parsingStatus.finalBuffer); + (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE); } else #endif /* XML_DTD */ |