diff options
| author | Boris Kolpackov <boris@codesynthesis.com> | 2022-09-14 16:55:13 +0200 |
|---|---|---|
| committer | Boris Kolpackov <boris@codesynthesis.com> | 2022-09-14 16:55:13 +0200 |
| commit | 216a4745f0aa2921d2682fa576f8de77645d2f86 (patch) | |
| tree | 4a343c1ca5763bb826a64c7a805d9dcae5320c56 | |
| parent | b998434099e615ed6222c3c63c050db0e0bd2bd1 (diff) | |
Import more fixes for Expat security vulnerabilities
CVE-2022-25314
CVE-2022-40674
| -rw-r--r-- | libxsde/xsde/c/expat/xmlparse.c | 57 |
1 files changed, 50 insertions, 7 deletions
diff --git a/libxsde/xsde/c/expat/xmlparse.c b/libxsde/xsde/c/expat/xmlparse.c index 45d6803..f97f285 100644 --- a/libxsde/xsde/c/expat/xmlparse.c +++ b/libxsde/xsde/c/expat/xmlparse.c @@ -438,6 +438,9 @@ static ELEMENT_TYPE * getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, const char *end); +static XML_Char *copyString(const XML_Char *s, + const XML_Memory_Handling_Suite *memsuite); + static size_t generate_hash_secret_salt(XML_Parser parser); static XML_Bool startParsing(XML_Parser parser); @@ -761,6 +764,8 @@ parserCreate(const XML_Char *encodingName, parser->m_nsAttsVersion = 0; parser->m_nsAttsPower = 0; + parser->m_protocolEncodingName = NULL; + poolInit(&parser->m_tempPool, &(parser->m_mem)); poolInit(&parser->m_temp2Pool, &(parser->m_mem)); parserInit(parser, encodingName); @@ -787,9 +792,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { parser->m_processor = prologInitProcessor; XmlPrologStateInit(&parser->m_prologState); - parser->m_protocolEncodingName = (encodingName != NULL - ? poolCopyString(&parser->m_tempPool, encodingName) - : NULL); + if (encodingName != NULL) { + parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem)); + } parser->m_curBase = NULL; XmlInitEncoding(&parser->m_initEncoding, &parser->m_encoding, 0); parser->m_userData = NULL; @@ -898,6 +903,8 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName) parser->m_unknownEncodingRelease(parser->m_unknownEncodingData); poolClear(&parser->m_tempPool); poolClear(&parser->m_temp2Pool); + FREE(parser, (void *)parser->m_protocolEncodingName); + parser->m_protocolEncodingName = NULL; parserInit(parser, encodingName); dtdReset(parser->m_dtd, &parser->m_mem); return XML_TRUE; @@ -910,12 +917,19 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName) XXX There's no way for the caller to determine which of the XXX possible error cases caused the XML_STATUS_ERROR return. */ - if (parser->m_parsingStatus.parsing == XML_PARSING || parser->m_parsingStatus.parsing == XML_SUSPENDED) + if (parser->m_parsingStatus.parsing == XML_PARSING + || parser->m_parsingStatus.parsing == XML_SUSPENDED) return XML_STATUS_ERROR; + + /* Get rid of any previous encoding name */ + FREE(parser, (void *)parser->m_protocolEncodingName); + if (encodingName == NULL) + /* No new encoding name */ parser->m_protocolEncodingName = NULL; else { - parser->m_protocolEncodingName = poolCopyString(&parser->m_tempPool, encodingName); + /* Copy the new encoding name into allocated memory */ + parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem)); if (!parser->m_protocolEncodingName) return XML_STATUS_ERROR; } @@ -1106,6 +1120,7 @@ XML_ParserFree(XML_Parser parser) destroyBindings(parser->m_inheritedBindings, parser); poolDestroy(&parser->m_tempPool); poolDestroy(&parser->m_temp2Pool); + FREE(parser, (void *)parser->m_protocolEncodingName); #ifdef XML_DTD /* external parameter entity parsers share the DTD structure parser->m_dtd with the root parser, so we must not destroy it @@ -3614,6 +3629,7 @@ initializeEncoding(XML_Parser parser) const char *s; #ifdef XML_UNICODE char encodingBuf[128]; + /* See comments about `protocolEncodingName` in parserInit() */ if (!parser->m_protocolEncodingName) s = NULL; else { @@ -5161,8 +5177,14 @@ internalEntityProcessor(XML_Parser parser, { parser->m_processor = contentProcessor; /* see externalEntityContentProcessor vs contentProcessor */ - return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, s, end, - nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer); + result = doContent(parser, parser->m_parentParser ? 1 : 0, + parser->m_encoding, s, end, nextPtr, + (XML_Bool)!parser->m_parsingStatus.finalBuffer); + if (result == XML_ERROR_NONE) { + if (! storeRawNames(parser)) + return XML_ERROR_NO_MEMORY; + } + return result; } } @@ -6771,4 +6793,25 @@ getElementType(XML_Parser parser, return ret; } +static XML_Char * +copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + size_t charsRequired = 0; + XML_Char *result; + + /* First determine how long the string is */ + while (s[charsRequired] != 0) { + charsRequired++; + } + /* Include the terminator */ + charsRequired++; + + /* Now allocate space for the copy */ + result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char)); + if (result == NULL) + return NULL; + /* Copy the original into place */ + memcpy(result, s, charsRequired * sizeof(XML_Char)); + return result; +} + #include <xsde/c/post.h> |