From d5022182afc2158086810bab995e5914c8ed328d Mon Sep 17 00:00:00 2001 From: vanhofen Date: Wed, 6 May 2020 00:36:57 +0200 Subject: [PATCH] - libxml2: add patches from buildroot --- make/target-libs.mk | 1 + ...e-loop-in-xmlStringLenDecodeEntities.patch | 36 +++++++++++++++++++ ...mory-leak-in-xmlSchemaValidateStream.patch | 35 ++++++++++++++++++ 3 files changed, 72 insertions(+) create mode 100644 patches/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch create mode 100644 patches/libxml2/0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch diff --git a/make/target-libs.mk b/make/target-libs.mk index 2a256563..951c2f55 100644 --- a/make/target-libs.mk +++ b/make/target-libs.mk @@ -877,6 +877,7 @@ libxml2: $(ARCHIVE)/$(LIBXML2_SOURCE) | $(TARGET_DIR) $(REMOVE)/$(LIBXML2_TMP) $(UNTAR)/$(LIBXML2_SOURCE) $(CHDIR)/$(LIBXML2_TMP); \ + $(APPLY_PATCHES); \ $(CONFIGURE) \ --prefix= \ --enable-shared \ diff --git a/patches/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch b/patches/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch new file mode 100644 index 00000000..a79adc3f --- /dev/null +++ b/patches/libxml2/0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch @@ -0,0 +1,36 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Fixes CVE-2020-7595: xmlStringLenDecodeEntities in parser.c in libxml2 +2.9.10 has an infinite loop in a certain end-of-file situation. + +Signed-off-by: Zhipeng Xie +Signed-off-by: Peter Korsgaard +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.20.1 + diff --git a/patches/libxml2/0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch b/patches/libxml2/0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch new file mode 100644 index 00000000..2aeddf67 --- /dev/null +++ b/patches/libxml2/0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch @@ -0,0 +1,35 @@ +From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +[import into Buildroot] +Signed-off-by: Thomas De Schampheleire +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.1 +