libxml2: add multiple security patches
authorGustavo Zacarias <gustavo@zacarias.com.ar>
Fri, 2 Mar 2012 15:00:35 +0000 (12:00 -0300)
committerPeter Korsgaard <jacmet@sunsite.dk>
Sun, 11 Mar 2012 21:54:52 +0000 (22:54 +0100)
Fixes for CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3919,
CVE-2012-0841 and others from upstream.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-error-xpath.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-hardening-xpath.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-hash-randomization.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-reallocation-failures.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-xpath-freeing.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-xpath-freeing2.patch [new file with mode: 0644]
package/libxml2/libxml2-2.7.8-xpath-memory.patch [new file with mode: 0644]
package/libxml2/libxml2.mk

diff --git a/package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch b/package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch
new file mode 100644 (file)
index 0000000..c0d9433
--- /dev/null
@@ -0,0 +1,21 @@
+From 5bd3c061823a8499b27422aee04ea20aae24f03e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 16 Dec 2011 10:53:35 +0000
+Subject: Fix an allocation error when copying entities
+
+---
+diff --git a/parser.c b/parser.c
+index 4e5dcb9..c55e41d 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+               buffer[nbchars++] = '&';
+               if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) {
+-                  growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
++                  growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE);
+               }
+               for (;i > 0;i--)
+                   buffer[nbchars++] = *cur++;
+--
+cgit v0.9.0.2
diff --git a/package/libxml2/libxml2-2.7.8-error-xpath.patch b/package/libxml2/libxml2-2.7.8-error-xpath.patch
new file mode 100644 (file)
index 0000000..a12a050
--- /dev/null
@@ -0,0 +1,62 @@
+From 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 11 Oct 2011 08:34:34 +0000
+Subject: Fix missing error status in XPath evaluation
+
+Started by Chris Evans, I added a few more place where the
+error should have been set in the evaluation context.
+---
+diff --git a/xpath.c b/xpath.c
+index bcee2ea..d9d902c 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value)
+                                              sizeof(ctxt->valueTab[0]));
+         if (tmp == NULL) {
+             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
++            ctxt->error = XPATH_MEMORY_ERROR;
+             return (0);
+         }
+         ctxt->valueMax *= 2;
+@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+               if ( (ch & 0xc0) != 0xc0 ) {
+                   xmlGenericError(xmlGenericErrorContext,
+                       "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++                    /* not asserting an XPath error is probably better */
+                   break;
+               }
+               /* then skip over remaining bytes for this char */
+@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+                   if ( (*cptr++ & 0xc0) != 0x80 ) {
+                       xmlGenericError(xmlGenericErrorContext,
+                           "xmlXPathTranslateFunction: Invalid UTF8 string\n");
++                        /* not asserting an XPath error is probably better */
+                       break;
+                   }
+               if (ch & 0x80) /* must have had error encountered */
+@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                         xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n",
+                                     (char *) op->value4, (char *)op->value5);
++                        ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                         return (total);
+                     }
+                   val = xmlXPathVariableLookupNS(ctxt->context,
+@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
+                             xmlXPathPopFrame(ctxt, frame);
++                            ctxt->error = XPATH_UNDEF_PREFIX_ERROR;
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+     }
+     xmlGenericError(xmlGenericErrorContext,
+                     "XPath: unknown precompiled operation %d\n", op->op);
++    ctxt->error = XPATH_INVALID_OPERAND;
+     return (total);
+ }
+--
+cgit v0.9.0.2
diff --git a/package/libxml2/libxml2-2.7.8-hardening-xpath.patch b/package/libxml2/libxml2-2.7.8-hardening-xpath.patch
new file mode 100644 (file)
index 0000000..8e699ec
--- /dev/null
@@ -0,0 +1,224 @@
+From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 18 Aug 2011 09:10:13 +0000
+Subject: Hardening of XPath evaluation
+
+Add a mechanism of frame for XPath evaluation when entering a function
+or a scoped evaluation, also fix a potential problem in predicate
+evaluation.
+---
+diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h
+index 1a9e30e..ddd9dd8 100644
+--- a/include/libxml/xpath.h
++++ b/include/libxml/xpath.h
+@@ -68,7 +68,8 @@ typedef enum {
+     XPATH_UNDEF_PREFIX_ERROR,
+     XPATH_ENCODING_ERROR,
+     XPATH_INVALID_CHAR_ERROR,
+-    XPATH_INVALID_CTXT
++    XPATH_INVALID_CTXT,
++    XPATH_STACK_ERROR
+ } xmlXPathError;
+ /*
+@@ -380,6 +381,8 @@ struct _xmlXPathParserContext {
+     xmlXPathCompExprPtr comp;         /* the precompiled expression */
+     int xptr;                         /* it this an XPointer expression */
+     xmlNodePtr         ancestor;      /* used for walking preceding axis */
++
++    int              valueFrame;        /* used to limit Pop on the stack */
+ };
+ /************************************************************************
+diff --git a/xpath.c b/xpath.c
+index b59ac5a..bcee2ea 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = {
+     "Encoding error\n",
+     "Char out of XML range\n",
+     "Invalid or incomplete context\n",
++    "Stack usage errror\n",
+     "?? Unknown error ??\n"   /* Must be last in the list! */
+ };
+ #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) /       \
+@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) {
+  ************************************************************************/
+ /**
++ * xmlXPathSetFrame:
++ * @ctxt: an XPath parser context
++ *
++ * Set the callee evaluation frame
++ *
++ * Returns the previous frame value to be restored once done
++ */
++static int
++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) {
++    int ret;
++
++    if (ctxt == NULL)
++        return(0);
++    ret = ctxt->valueFrame;
++    ctxt->valueFrame = ctxt->valueNr;
++    return(ret);
++}
++
++/**
++ * xmlXPathPopFrame:
++ * @ctxt: an XPath parser context
++ * @frame: the previous frame value
++ *
++ * Remove the callee evaluation frame
++ */
++static void
++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) {
++    if (ctxt == NULL)
++        return;
++    if (ctxt->valueNr < ctxt->valueFrame) {
++        xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++    }
++    ctxt->valueFrame = frame;
++}
++
++/**
+  * valuePop:
+  * @ctxt: an XPath evaluation context
+  *
+@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt)
+     if ((ctxt == NULL) || (ctxt->valueNr <= 0))
+         return (NULL);
++
++    if (ctxt->valueNr <= ctxt->valueFrame) {
++        xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR);
++        return (NULL);
++    }
++
+     ctxt->valueNr--;
+     if (ctxt->valueNr > 0)
+         ctxt->value = ctxt->valueTab[ctxt->valueNr - 1];
+@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) {
+     ret->valueNr = 0;
+     ret->valueMax = 10;
+     ret->value = NULL;
++    ret->valueFrame = 0;
+     ret->context = ctxt;
+     ret->comp = comp;
+@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+       xmlXPathObjectPtr contextObj = NULL, exprRes = NULL;
+       xmlNodePtr oldContextNode, contextNode = NULL;
+       xmlXPathContextPtr xpctxt = ctxt->context;
++        int frame;
+ #ifdef LIBXML_XPTR_ENABLED
+           /*
+@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+       */
+       exprOp = &ctxt->comp->steps[op->ch2];
+       for (i = 0; i < set->nodeNr; i++) {
++            xmlXPathObjectPtr tmp;
++
+           if (set->nodeTab[i] == NULL)
+               continue;
+@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+               xmlXPathNodeSetAddUnique(contextObj->nodesetval,
+                   contextNode);
++            frame = xmlXPathSetFrame(ctxt);
+           valuePush(ctxt, contextObj);
+           res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
++            tmp = valuePop(ctxt);
++            xmlXPathPopFrame(ctxt, frame);
+           if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+-              xmlXPathObjectPtr tmp;
+-              /* pop the result if any */
+-              tmp = valuePop(ctxt);
+-                if (tmp != contextObj) {
++                while (tmp != contextObj) {
+                     /*
+                      * Free up the result
+                      * then pop off contextObj, which will be freed later
+                      */
+                     xmlXPathReleaseObject(xpctxt, tmp);
+-                    valuePop(ctxt);
++                    tmp = valuePop(ctxt);
+                 }
+               goto evaluation_error;
+           }
++            /* push the result back onto the stack */
++            valuePush(ctxt, tmp);
+           if (res)
+               pos++;
+@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                 xmlXPathFunction func;
+                 const xmlChar *oldFunc, *oldFuncURI;
+               int i;
++                int frame;
++                frame = xmlXPathSetFrame(ctxt);
+                 if (op->ch1 != -1)
+                     total +=
+                         xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
+@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                   xmlGenericError(xmlGenericErrorContext,
+                           "xmlXPathCompOpEval: parameter error\n");
+                   ctxt->error = XPATH_INVALID_OPERAND;
++                    xmlXPathPopFrame(ctxt, frame);
+                   return (total);
+               }
+-              for (i = 0; i < op->value; i++)
++              for (i = 0; i < op->value; i++) {
+                   if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) {
+                       xmlGenericError(xmlGenericErrorContext,
+                               "xmlXPathCompOpEval: parameter error\n");
+                       ctxt->error = XPATH_INVALID_OPERAND;
++                        xmlXPathPopFrame(ctxt, frame);
+                       return (total);
+                   }
++                }
+                 if (op->cache != NULL)
+                     XML_CAST_FPTR(func) = op->cache;
+                 else {
+@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                             xmlGenericError(xmlGenericErrorContext,
+             "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n",
+                                     (char *)op->value4, (char *)op->value5);
++                            xmlXPathPopFrame(ctxt, frame);
+                             return (total);
+                         }
+                         func = xmlXPathFunctionLookupNS(ctxt->context,
+@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                 func(ctxt, op->value);
+                 ctxt->context->function = oldFunc;
+                 ctxt->context->functionURI = oldFuncURI;
++                xmlXPathPopFrame(ctxt, frame);
+                 return (total);
+             }
+         case XPATH_OP_ARG:
+@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+       ctxt->valueNr = 0;
+       ctxt->valueMax = 10;
+       ctxt->value = NULL;
++        ctxt->valueFrame = 0;
+     }
+ #ifdef XPATH_STREAMING
+     if (ctxt->comp->stream) {
+diff --git a/xpointer.c b/xpointer.c
+index 7a42d02..37afa3a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) {
+       ctxt->valueNr = 0;
+       ctxt->valueMax = 10;
+       ctxt->value = NULL;
++      ctxt->valueFrame = 0;
+     }
+     SKIP_BLANKS;
+     if (CUR == '/') {
+--
+cgit v0.9.0.2
diff --git a/package/libxml2/libxml2-2.7.8-hash-randomization.patch b/package/libxml2/libxml2-2.7.8-hash-randomization.patch
new file mode 100644 (file)
index 0000000..47db59d
--- /dev/null
@@ -0,0 +1,297 @@
+From 8973d58b7498fa5100a876815476b81fd1a2412a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Sat, 4 Feb 2012 19:07:44 +0800
+Subject: [PATCH] Add hash randomization to hash and dict structures
+
+Following http://www.ocert.org/advisories/ocert-2011-003.html
+it seems that having hash randomization might be a good idea
+when using XML with untrusted data
+* configure.in: lookup for rand, srand and time
+* dict.c: add randomization to dictionaries hash tables
+* hash.c: add randomization to normal hash tables
+---
+ configure.in |    1 +
+ dict.c       |   81 ++++++++++++++++++++++++++++++++++++++++-----------------
+ hash.c       |   38 ++++++++++++++++++++++++++-
+ 3 files changed, 95 insertions(+), 25 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index fa80375..828b66a 100644
+--- a/configure.in
++++ b/configure.in
+@@ -512,6 +512,7 @@ AC_CHECK_FUNCS(strdup strndup strerror)
+ AC_CHECK_FUNCS(finite isnand fp_class class fpclass)
+ AC_CHECK_FUNCS(strftime localtime gettimeofday ftime)
+ AC_CHECK_FUNCS(stat _stat signal)
++AC_CHECK_FUNCS(rand srand time)
+ dnl Checking the standard string functions availability
+ AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,,
+diff --git a/dict.c b/dict.c
+index 3eff231..ae4966b 100644
+--- a/dict.c
++++ b/dict.c
+@@ -2,7 +2,7 @@
+  * dict.c: dictionary of reusable strings, just used to avoid allocation
+  *         and freeing operations.
+  *
+- * Copyright (C) 2003 Daniel Veillard.
++ * Copyright (C) 2003-2012 Daniel Veillard.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -19,6 +19,28 @@
+ #define IN_LIBXML
+ #include "libxml.h"
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ * Note1: that it works correctly only if compiled with WITH_BIG_KEY
++ *  which is the default.
++ * Note2: the fast function used for a small dict won't protect very
++ *  well but since the attack is based on growing a very big hash
++ *  list we will use the BigKey algo as soon as the hash size grows
++ *  over MIN_DICT_SIZE so this actually works
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define DICT_RANDOMIZATION
++#endif
++
+ #include <string.h>
+ #ifdef HAVE_STDINT_H
+ #include <stdint.h>
+@@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t;
+ #define WITH_BIG_KEY
+ #ifdef WITH_BIG_KEY
+-#define xmlDictComputeKey(dict, name, len)                    \
+-    (((dict)->size == MIN_DICT_SIZE) ?                                \
+-     xmlDictComputeFastKey(name, len) :                               \
+-     xmlDictComputeBigKey(name, len))
+-
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len)     \
+-    (((prefix) == NULL) ?                                     \
+-      (xmlDictComputeKey(dict, name, len)) :                  \
+-      (((dict)->size == MIN_DICT_SIZE) ?                      \
+-       xmlDictComputeFastQKey(prefix, plen, name, len) :      \
+-       xmlDictComputeBigQKey(prefix, plen, name, len)))
++#define xmlDictComputeKey(dict, name, len)                              \
++    (((dict)->size == MIN_DICT_SIZE) ?                                  \
++     xmlDictComputeFastKey(name, len, (dict)->seed) :                   \
++     xmlDictComputeBigKey(name, len, (dict)->seed))
++
++#define xmlDictComputeQKey(dict, prefix, plen, name, len)               \
++    (((prefix) == NULL) ?                                               \
++      (xmlDictComputeKey(dict, name, len)) :                             \
++      (((dict)->size == MIN_DICT_SIZE) ?                                \
++       xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) :        \
++       xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed)))
+ #else /* !WITH_BIG_KEY */
+-#define xmlDictComputeKey(dict, name, len)                    \
+-        xmlDictComputeFastKey(name, len)
+-#define xmlDictComputeQKey(dict, prefix, plen, name, len)     \
+-        xmlDictComputeFastQKey(prefix, plen, name, len)
++#define xmlDictComputeKey(dict, name, len)                              \
++        xmlDictComputeFastKey(name, len, (dict)->seed)
++#define xmlDictComputeQKey(dict, prefix, plen, name, len)               \
++        xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed)
+ #endif /* WITH_BIG_KEY */
+ /*
+@@ -98,6 +120,8 @@ struct _xmlDict {
+     xmlDictStringsPtr strings;
+     struct _xmlDict *subdict;
++    /* used for randomization */
++    int seed;
+ };
+ /*
+@@ -125,6 +149,9 @@ static int xmlInitializeDict(void) {
+     if ((xmlDictMutex = xmlNewRMutex()) == NULL)
+         return(0);
++#ifdef DICT_RANDOMIZATION
++    srand(time(NULL));
++#endif
+     xmlDictInitialized = 1;
+     return(1);
+ }
+@@ -277,13 +304,13 @@ found_pool:
+  */
+ static uint32_t
+-xmlDictComputeBigKey(const xmlChar* data, int namelen) {
++xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) {
+     uint32_t hash;
+     int i;
+     if (namelen <= 0 || data == NULL) return(0);
+-    hash = 0;
++    hash = seed;
+     for (i = 0;i < namelen; i++) {
+         hash += data[i];
+@@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen) {
+  */
+ static unsigned long
+ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+-                      const xmlChar *name, int len)
++                      const xmlChar *name, int len, int seed)
+ {
+     uint32_t hash;
+     int i;
+-    hash = 0;
++    hash = seed;
+     for (i = 0;i < plen; i++) {
+         hash += prefix[i];
+@@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *prefix, int plen,
+  * for low hash table fill.
+  */
+ static unsigned long
+-xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+-    unsigned long value = 0L;
++xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
++    unsigned long value = seed;
+     if (name == NULL) return(0);
+     value = *name;
+@@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen) {
+  */
+ static unsigned long
+ xmlDictComputeFastQKey(const xmlChar *prefix, int plen,
+-                       const xmlChar *name, int len)
++                       const xmlChar *name, int len, int seed)
+ {
+-    unsigned long value = 0L;
++    unsigned long value = (unsigned long) seed;
+     if (plen == 0)
+       value += 30 * (unsigned long) ':';
+@@ -460,6 +487,11 @@ xmlDictCreate(void) {
+       dict->subdict = NULL;
+         if (dict->dict) {
+           memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry));
++#ifdef DICT_RANDOMIZATION
++            dict->seed = rand();
++#else
++            dict->seed = 0;
++#endif
+           return(dict);
+         }
+         xmlFree(dict);
+@@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) {
+ #ifdef DICT_DEBUG_PATTERNS
+         fprintf(stderr, "R");
+ #endif
++        dict->seed = sub->seed;
+         dict->subdict = sub;
+       xmlDictReference(dict->subdict);
+     }
+diff --git a/hash.c b/hash.c
+index b78bc2d..fe1424f 100644
+--- a/hash.c
++++ b/hash.c
+@@ -3,7 +3,7 @@
+  *
+  * Reference: Your favorite introductory book on algorithms
+  *
+- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard.
++ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -21,6 +21,22 @@
+ #include "libxml.h"
+ #include <string.h>
++#ifdef HAVE_STDLIB_H
++#include <stdlib.h>
++#endif
++#ifdef HAVE_TIME_H
++#include <time.h>
++#endif
++
++/*
++ * Following http://www.ocert.org/advisories/ocert-2011-003.html
++ * it seems that having hash randomization might be a good idea
++ * when using XML with untrusted data
++ */
++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME)
++#define HASH_RANDOMIZATION
++#endif
++
+ #include <libxml/parser.h>
+ #include <libxml/hash.h>
+ #include <libxml/xmlmemory.h>
+@@ -31,6 +47,10 @@
+ /* #define DEBUG_GROW */
++#ifdef HASH_RANDOMIZATION
++static int hash_initialized = 0;
++#endif
++
+ /*
+  * A single entry in the hash table
+  */
+@@ -53,6 +73,9 @@ struct _xmlHashTable {
+     int size;
+     int nbElems;
+     xmlDictPtr dict;
++#ifdef HASH_RANDOMIZATION
++    int random_seed;
++#endif
+ };
+ /*
+@@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar *name,
+     unsigned long value = 0L;
+     char ch;
+     
++#ifdef HASH_RANDOMIZATION
++    value = table->random_seed;
++#endif
+     if (name != NULL) {
+       value += 30 * (*name);
+       while ((ch = *name++) != 0) {
+@@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table,
+     unsigned long value = 0L;
+     char ch;
+     
++#ifdef HASH_RANDOMIZATION
++    value = table->random_seed;
++#endif
+     if (prefix != NULL)
+       value += 30 * (*prefix);
+     else
+@@ -156,6 +185,13 @@ xmlHashCreate(int size) {
+         table->table = xmlMalloc(size * sizeof(xmlHashEntry));
+         if (table->table) {
+           memset(table->table, 0, size * sizeof(xmlHashEntry));
++#ifdef HASH_RANDOMIZATION
++            if (!hash_initialized) {
++                srand(time(NULL));
++                hash_initialized = 1;
++            }
++            table->random_seed = rand();
++#endif
+           return(table);
+         }
+         xmlFree(table);
+-- 
+1.7.8.4
+
diff --git a/package/libxml2/libxml2-2.7.8-reallocation-failures.patch b/package/libxml2/libxml2-2.7.8-reallocation-failures.patch
new file mode 100644 (file)
index 0000000..a18756c
--- /dev/null
@@ -0,0 +1,101 @@
+From d7958b21e7f8c447a26bb2436f08402b2c308be4 Mon Sep 17 00:00:00 2001
+From: Chris Evans <scarybeasts@gmail.com>
+Date: Wed, 23 Mar 2011 00:13:06 +0000
+Subject: Fix some potential problems on reallocation failures
+
+The count was incremented before the allocation
+and not fixed in case of failure
+* xpath.c: corrects a few instances where the available count of some
+           structure is updated before we know the allocation actually
+           succeeds
+---
+diff --git a/xpath.c b/xpath.c
+index 8b56189..608fe00 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3522,13 +3522,13 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) {
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+-        cur->nodeMax *= 2;
+-      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+                                     sizeof(xmlNodePtr));
+       if (temp == NULL) {
+           xmlXPathErrMemory(NULL, "growing nodeset\n");
+           return;
+       }
++        cur->nodeMax *= 2;
+       cur->nodeTab = temp;
+     }
+     cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns);
+@@ -3627,14 +3627,14 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) {
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+-        cur->nodeMax *= 2;
+-      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+                                     sizeof(xmlNodePtr));
+       if (temp == NULL) {
+           xmlXPathErrMemory(NULL, "growing nodeset\n");
+           return;
+       }
+       cur->nodeTab = temp;
++        cur->nodeMax *= 2;
+     }
+     if (val->type == XML_NAMESPACE_DECL) {
+       xmlNsPtr ns = (xmlNsPtr) val;
+@@ -3738,14 +3738,14 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) {
+       } else if (val1->nodeNr == val1->nodeMax) {
+           xmlNodePtr *temp;
+-          val1->nodeMax *= 2;
+-          temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax *
++          temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 *
+                                            sizeof(xmlNodePtr));
+           if (temp == NULL) {
+               xmlXPathErrMemory(NULL, "merging nodeset\n");
+               return(NULL);
+           }
+           val1->nodeTab = temp;
++          val1->nodeMax *= 2;
+       }
+       if (n2->type == XML_NAMESPACE_DECL) {
+           xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3907,14 +3907,14 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+           } else if (set1->nodeNr >= set1->nodeMax) {
+               xmlNodePtr *temp;
+-              set1->nodeMax *= 2;
+               temp = (xmlNodePtr *) xmlRealloc(
+-                  set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++                  set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+               if (temp == NULL) {
+                   xmlXPathErrMemory(NULL, "merging nodeset\n");
+                   return(NULL);
+               }
+               set1->nodeTab = temp;
++              set1->nodeMax *= 2;
+           }
+           if (n2->type == XML_NAMESPACE_DECL) {
+               xmlNsPtr ns = (xmlNsPtr) n2;
+@@ -3991,14 +3991,14 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2,
+           } else if (set1->nodeNr >= set1->nodeMax) {
+               xmlNodePtr *temp;
+-              set1->nodeMax *= 2;
+               temp = (xmlNodePtr *) xmlRealloc(
+-                  set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr));
++                  set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr));
+               if (temp == NULL) {
+                   xmlXPathErrMemory(NULL, "merging nodeset\n");
+                   return(NULL);
+               }
+               set1->nodeTab = temp;
++              set1->nodeMax *= 2;
+           }
+           set1->nodeTab[set1->nodeNr++] = n2;
+       }
+--
+cgit v0.9
diff --git a/package/libxml2/libxml2-2.7.8-xpath-freeing.patch b/package/libxml2/libxml2-2.7.8-xpath-freeing.patch
new file mode 100644 (file)
index 0000000..3509a48
--- /dev/null
@@ -0,0 +1,32 @@
+From df83c17e5a2646bd923f75e5e507bc80d73c9722 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 17 Nov 2010 13:12:14 +0000
+Subject: Fix a potential freeing error in XPath
+
+---
+diff --git a/xpath.c b/xpath.c
+index 81e33f6..1447be5 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+           if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+               xmlXPathObjectPtr tmp;
+-              /* pop the result */
++              /* pop the result if any */
+               tmp = valuePop(ctxt);
+-              xmlXPathReleaseObject(xpctxt, tmp);
+-              /* then pop off contextObj, which will be freed later */
+-              valuePop(ctxt);
++                if (tmp != contextObj)
++                    /*
++                     * Free up the result
++                     * then pop off contextObj, which will be freed later
++                     */
++                    xmlXPathReleaseObject(xpctxt, tmp);
++                    valuePop(ctxt);
+               goto evaluation_error;
+           }
+--
+cgit v0.8.3.1
diff --git a/package/libxml2/libxml2-2.7.8-xpath-freeing2.patch b/package/libxml2/libxml2-2.7.8-xpath-freeing2.patch
new file mode 100644 (file)
index 0000000..1705941
--- /dev/null
@@ -0,0 +1,28 @@
+From fec31bcd452e77c10579467ca87a785b41115de6 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 18 Nov 2010 10:07:24 +0000
+Subject: Small fix for previous commit
+
+---
+diff --git a/xpath.c b/xpath.c
+index 1447be5..8b56189 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+               xmlXPathObjectPtr tmp;
+               /* pop the result if any */
+               tmp = valuePop(ctxt);
+-                if (tmp != contextObj)
++                if (tmp != contextObj) {
+                     /*
+                      * Free up the result
+                      * then pop off contextObj, which will be freed later
+                      */
+                     xmlXPathReleaseObject(xpctxt, tmp);
+                     valuePop(ctxt);
++                }
+               goto evaluation_error;
+           }
+--
+cgit v0.8.3.1
diff --git a/package/libxml2/libxml2-2.7.8-xpath-memory.patch b/package/libxml2/libxml2-2.7.8-xpath-memory.patch
new file mode 100644 (file)
index 0000000..f94350d
--- /dev/null
@@ -0,0 +1,29 @@
+From 0cbeb50ee03ce582a0c979c70d8fbf030e270c37 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 15 Nov 2010 11:06:29 +0000
+Subject: Fix a potential memory access error
+
+in case of a previus allocation error
+---
+diff --git a/xpath.c b/xpath.c
+index 4d6826d..81e33f6 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3575,13 +3575,13 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) {
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+-        cur->nodeMax *= 2;
+-      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++      temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+                                     sizeof(xmlNodePtr));
+       if (temp == NULL) {
+           xmlXPathErrMemory(NULL, "growing nodeset\n");
+           return;
+       }
++        cur->nodeMax *= 2;
+       cur->nodeTab = temp;
+     }
+     if (val->type == XML_NAMESPACE_DECL) {
+--
+cgit v0.8.3.1
index 0687137a58a721998d38bf5c3918894013bc311d..54ad123d1e09991f84bbaf5f9ec2807a3b8309df 100644 (file)
@@ -7,6 +7,7 @@
 LIBXML2_VERSION = 2.7.8
 LIBXML2_SITE = ftp://xmlsoft.org/libxml2
 LIBXML2_INSTALL_STAGING = YES
+LIBXML2_AUTORECONF = YES
 
 ifneq ($(BR2_LARGEFILE),y)
 LIBXML2_CONF_ENV = CC="$(TARGET_CC) $(TARGET_CFLAGS) -DNO_LARGEFILE_SOURCE"