-
-
Notifications
You must be signed in to change notification settings - Fork 903
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
to address CVE-2017-5029 and CVE-2016-4738. see #1634 for more information.
- Loading branch information
1 parent
2797f39
commit 4afcbbf
Showing
4 changed files
with
120 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
31 changes: 31 additions & 0 deletions
31
patches/libxslt/0001-Fix-heap-overread-in-xsltFormatNumberConversion.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Wellnhofer <[email protected]> | ||
| Date: Fri, 10 Jun 2016 14:23:58 +0200 | ||
| Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion | ||
|
|
||
| An empty decimal-separator could cause a heap overread. This can be | ||
| exploited to leak a couple of bytes after the buffer that holds the | ||
| pattern string. | ||
|
|
||
| Found with afl-fuzz and ASan. | ||
| --- | ||
| libxslt/numbers.c | 3 ++- | ||
| 1 file changed, 2 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/libxslt/numbers.c b/libxslt/numbers.c | ||
| index d1549b4..e78c46b 100644 | ||
| --- a/libxslt/numbers.c | ||
| +++ b/libxslt/numbers.c | ||
| @@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self, | ||
| } | ||
|
|
||
| /* We have finished the integer part, now work on fraction */ | ||
| - if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) { | ||
| + if ( (*the_format != 0) && | ||
| + (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) { | ||
| format_info.add_decimal = TRUE; | ||
| the_format += xsltUTF8Size(the_format); /* Skip over the decimal */ | ||
| } | ||
| -- | ||
| 2.9.3 | ||
|
|
74 changes: 74 additions & 0 deletions
74
patches/libxslt/0002-Check-for-integer-overflow-in-xsltAddTextString.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Wellnhofer <[email protected]> | ||
| Date: Thu, 12 Jan 2017 15:39:52 +0100 | ||
| Subject: [PATCH] Check for integer overflow in xsltAddTextString | ||
|
|
||
| Limit buffer size in xsltAddTextString to INT_MAX. The issue can be | ||
| exploited to trigger an out of bounds write on 64-bit systems. | ||
|
|
||
| Originally reported to Chromium: | ||
|
|
||
| https://crbug.com/676623 | ||
| --- | ||
| libxslt/transform.c | 25 ++++++++++++++++++++++--- | ||
| libxslt/xsltInternals.h | 4 ++-- | ||
| 2 files changed, 24 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/libxslt/transform.c b/libxslt/transform.c | ||
| index 519133f..02bff34 100644 | ||
| --- a/libxslt/transform.c | ||
| +++ b/libxslt/transform.c | ||
| @@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target, | ||
| return(target); | ||
|
|
||
| if (ctxt->lasttext == target->content) { | ||
| + int minSize; | ||
|
|
||
| - if (ctxt->lasttuse + len >= ctxt->lasttsize) { | ||
| + /* Check for integer overflow accounting for NUL terminator. */ | ||
| + if (len >= INT_MAX - ctxt->lasttuse) { | ||
| + xsltTransformError(ctxt, NULL, target, | ||
| + "xsltCopyText: text allocation failed\n"); | ||
| + return(NULL); | ||
| + } | ||
| + minSize = ctxt->lasttuse + len + 1; | ||
| + | ||
| + if (ctxt->lasttsize < minSize) { | ||
| xmlChar *newbuf; | ||
| int size; | ||
| + int extra; | ||
| + | ||
| + /* Double buffer size but increase by at least 100 bytes. */ | ||
| + extra = minSize < 100 ? 100 : minSize; | ||
| + | ||
| + /* Check for integer overflow. */ | ||
| + if (extra > INT_MAX - ctxt->lasttsize) { | ||
| + size = INT_MAX; | ||
| + } | ||
| + else { | ||
| + size = ctxt->lasttsize + extra; | ||
| + } | ||
|
|
||
| - size = ctxt->lasttsize + len + 100; | ||
| - size *= 2; | ||
| newbuf = (xmlChar *) xmlRealloc(target->content,size); | ||
| if (newbuf == NULL) { | ||
| xsltTransformError(ctxt, NULL, target, | ||
| diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h | ||
| index 060b178..5ad1771 100644 | ||
| --- a/libxslt/xsltInternals.h | ||
| +++ b/libxslt/xsltInternals.h | ||
| @@ -1754,8 +1754,8 @@ struct _xsltTransformContext { | ||
| * Speed optimization when coalescing text nodes | ||
| */ | ||
| const xmlChar *lasttext; /* last text node content */ | ||
| - unsigned int lasttsize; /* last text node size */ | ||
| - unsigned int lasttuse; /* last text node use */ | ||
| + int lasttsize; /* last text node size */ | ||
| + int lasttuse; /* last text node use */ | ||
| /* | ||
| * Per Context Debugging | ||
| */ | ||
| -- | ||
| 2.9.3 | ||
|
|