From aa5d9ba3b86f21be934fdb436525a833bf120305 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Fri, 2 Mar 2012 12:00:35 -0300 Subject: [PATCH] libxml2: add multiple security patches Fixes for CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3919, CVE-2012-0841 and others from upstream. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard --- ....8-allocation-error-copying-entities.patch | 21 ++ .../libxml2/libxml2-2.7.8-error-xpath.patch | 62 ++++ .../libxml2-2.7.8-hardening-xpath.patch | 224 +++++++++++++ .../libxml2-2.7.8-hash-randomization.patch | 297 ++++++++++++++++++ .../libxml2-2.7.8-reallocation-failures.patch | 101 ++++++ .../libxml2/libxml2-2.7.8-xpath-freeing.patch | 32 ++ .../libxml2-2.7.8-xpath-freeing2.patch | 28 ++ .../libxml2/libxml2-2.7.8-xpath-memory.patch | 29 ++ package/libxml2/libxml2.mk | 1 + 9 files changed, 795 insertions(+) create mode 100644 package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch create mode 100644 package/libxml2/libxml2-2.7.8-error-xpath.patch create mode 100644 package/libxml2/libxml2-2.7.8-hardening-xpath.patch create mode 100644 package/libxml2/libxml2-2.7.8-hash-randomization.patch create mode 100644 package/libxml2/libxml2-2.7.8-reallocation-failures.patch create mode 100644 package/libxml2/libxml2-2.7.8-xpath-freeing.patch create mode 100644 package/libxml2/libxml2-2.7.8-xpath-freeing2.patch create mode 100644 package/libxml2/libxml2-2.7.8-xpath-memory.patch diff --git a/package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch b/package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch new file mode 100644 index 0000000000..c0d943311f --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-allocation-error-copying-entities.patch @@ -0,0 +1,21 @@ +From 5bd3c061823a8499b27422aee04ea20aae24f03e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Fri, 16 Dec 2011 10:53:35 +0000 +Subject: Fix an allocation error when copying entities + +--- +diff --git a/parser.c b/parser.c +index 4e5dcb9..c55e41d 100644 +--- a/parser.c ++++ b/parser.c +@@ -2709,7 +2709,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + + buffer[nbchars++] = '&'; + if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { +- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); ++ growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); + } + for (;i > 0;i--) + buffer[nbchars++] = *cur++; +-- +cgit v0.9.0.2 diff --git a/package/libxml2/libxml2-2.7.8-error-xpath.patch b/package/libxml2/libxml2-2.7.8-error-xpath.patch new file mode 100644 index 0000000000..a12a050741 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-error-xpath.patch @@ -0,0 +1,62 @@ +From 1d4526f6f4ec8d18c40e2a09b387652a6c1aa2cd Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Tue, 11 Oct 2011 08:34:34 +0000 +Subject: Fix missing error status in XPath evaluation + +Started by Chris Evans, I added a few more place where the +error should have been set in the evaluation context. +--- +diff --git a/xpath.c b/xpath.c +index bcee2ea..d9d902c 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -2485,6 +2485,7 @@ valuePush(xmlXPathParserContextPtr ctxt, xmlXPathObjectPtr value) + sizeof(ctxt->valueTab[0])); + if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); ++ ctxt->error = XPATH_MEMORY_ERROR; + return (0); + } + ctxt->valueMax *= 2; +@@ -9340,6 +9341,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (ch & 0xc0) != 0xc0 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + /* then skip over remaining bytes for this char */ +@@ -9347,6 +9349,7 @@ xmlXPathTranslateFunction(xmlXPathParserContextPtr ctxt, int nargs) { + if ( (*cptr++ & 0xc0) != 0x80 ) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathTranslateFunction: Invalid UTF8 string\n"); ++ /* not asserting an XPath error is probably better */ + break; + } + if (ch & 0x80) /* must have had error encountered */ +@@ -13410,6 +13413,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: variable %s bound to undefined prefix %s\n", + (char *) op->value4, (char *)op->value5); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + val = xmlXPathVariableLookupNS(ctxt->context, +@@ -13464,6 +13468,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); + xmlXPathPopFrame(ctxt, frame); ++ ctxt->error = XPATH_UNDEF_PREFIX_ERROR; + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -14042,6 +14047,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + } + xmlGenericError(xmlGenericErrorContext, + "XPath: unknown precompiled operation %d\n", op->op); ++ ctxt->error = XPATH_INVALID_OPERAND; + return (total); + } + +-- +cgit v0.9.0.2 diff --git a/package/libxml2/libxml2-2.7.8-hardening-xpath.patch b/package/libxml2/libxml2-2.7.8-hardening-xpath.patch new file mode 100644 index 0000000000..8e699ec8c0 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-hardening-xpath.patch @@ -0,0 +1,224 @@ +From f5048b3e71fc30ad096970b8df6e7af073bae4cb Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 18 Aug 2011 09:10:13 +0000 +Subject: Hardening of XPath evaluation + +Add a mechanism of frame for XPath evaluation when entering a function +or a scoped evaluation, also fix a potential problem in predicate +evaluation. +--- +diff --git a/include/libxml/xpath.h b/include/libxml/xpath.h +index 1a9e30e..ddd9dd8 100644 +--- a/include/libxml/xpath.h ++++ b/include/libxml/xpath.h +@@ -68,7 +68,8 @@ typedef enum { + XPATH_UNDEF_PREFIX_ERROR, + XPATH_ENCODING_ERROR, + XPATH_INVALID_CHAR_ERROR, +- XPATH_INVALID_CTXT ++ XPATH_INVALID_CTXT, ++ XPATH_STACK_ERROR + } xmlXPathError; + + /* +@@ -380,6 +381,8 @@ struct _xmlXPathParserContext { + xmlXPathCompExprPtr comp; /* the precompiled expression */ + int xptr; /* it this an XPointer expression */ + xmlNodePtr ancestor; /* used for walking preceding axis */ ++ ++ int valueFrame; /* used to limit Pop on the stack */ + }; + + /************************************************************************ +diff --git a/xpath.c b/xpath.c +index b59ac5a..bcee2ea 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -252,6 +252,7 @@ static const char *xmlXPathErrorMessages[] = { + "Encoding error\n", + "Char out of XML range\n", + "Invalid or incomplete context\n", ++ "Stack usage errror\n", + "?? Unknown error ??\n" /* Must be last in the list! */ + }; + #define MAXERRNO ((int)(sizeof(xmlXPathErrorMessages) / \ +@@ -2398,6 +2399,42 @@ xmlXPathCacheConvertNumber(xmlXPathContextPtr ctxt, xmlXPathObjectPtr val) { + ************************************************************************/ + + /** ++ * xmlXPathSetFrame: ++ * @ctxt: an XPath parser context ++ * ++ * Set the callee evaluation frame ++ * ++ * Returns the previous frame value to be restored once done ++ */ ++static int ++xmlXPathSetFrame(xmlXPathParserContextPtr ctxt) { ++ int ret; ++ ++ if (ctxt == NULL) ++ return(0); ++ ret = ctxt->valueFrame; ++ ctxt->valueFrame = ctxt->valueNr; ++ return(ret); ++} ++ ++/** ++ * xmlXPathPopFrame: ++ * @ctxt: an XPath parser context ++ * @frame: the previous frame value ++ * ++ * Remove the callee evaluation frame ++ */ ++static void ++xmlXPathPopFrame(xmlXPathParserContextPtr ctxt, int frame) { ++ if (ctxt == NULL) ++ return; ++ if (ctxt->valueNr < ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ } ++ ctxt->valueFrame = frame; ++} ++ ++/** + * valuePop: + * @ctxt: an XPath evaluation context + * +@@ -2412,6 +2449,12 @@ valuePop(xmlXPathParserContextPtr ctxt) + + if ((ctxt == NULL) || (ctxt->valueNr <= 0)) + return (NULL); ++ ++ if (ctxt->valueNr <= ctxt->valueFrame) { ++ xmlXPatherror(ctxt, __FILE__, __LINE__, XPATH_STACK_ERROR); ++ return (NULL); ++ } ++ + ctxt->valueNr--; + if (ctxt->valueNr > 0) + ctxt->value = ctxt->valueTab[ctxt->valueNr - 1]; +@@ -6154,6 +6197,7 @@ xmlXPathCompParserContext(xmlXPathCompExprPtr comp, xmlXPathContextPtr ctxt) { + ret->valueNr = 0; + ret->valueMax = 10; + ret->value = NULL; ++ ret->valueFrame = 0; + + ret->context = ctxt; + ret->comp = comp; +@@ -11711,6 +11755,7 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr contextObj = NULL, exprRes = NULL; + xmlNodePtr oldContextNode, contextNode = NULL; + xmlXPathContextPtr xpctxt = ctxt->context; ++ int frame; + + #ifdef LIBXML_XPTR_ENABLED + /* +@@ -11730,6 +11775,8 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + */ + exprOp = &ctxt->comp->steps[op->ch2]; + for (i = 0; i < set->nodeNr; i++) { ++ xmlXPathObjectPtr tmp; ++ + if (set->nodeTab[i] == NULL) + continue; + +@@ -11757,23 +11804,25 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathNodeSetAddUnique(contextObj->nodesetval, + contextNode); + ++ frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); ++ tmp = valuePop(ctxt); ++ xmlXPathPopFrame(ctxt, frame); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { +- xmlXPathObjectPtr tmp; +- /* pop the result if any */ +- tmp = valuePop(ctxt); +- if (tmp != contextObj) { ++ while (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); +- valuePop(ctxt); ++ tmp = valuePop(ctxt); + } + goto evaluation_error; + } ++ /* push the result back onto the stack */ ++ valuePush(ctxt, tmp); + + if (res) + pos++; +@@ -13377,7 +13426,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlXPathFunction func; + const xmlChar *oldFunc, *oldFuncURI; + int i; ++ int frame; + ++ frame = xmlXPathSetFrame(ctxt); + if (op->ch1 != -1) + total += + xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); +@@ -13385,15 +13436,18 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } +- for (i = 0; i < op->value; i++) ++ for (i = 0; i < op->value; i++) { + if (ctxt->valueTab[(ctxt->valueNr - 1) - i] == NULL) { + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: parameter error\n"); + ctxt->error = XPATH_INVALID_OPERAND; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } ++ } + if (op->cache != NULL) + XML_CAST_FPTR(func) = op->cache; + else { +@@ -13409,6 +13463,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + xmlGenericError(xmlGenericErrorContext, + "xmlXPathCompOpEval: function %s bound to undefined prefix %s\n", + (char *)op->value4, (char *)op->value5); ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + func = xmlXPathFunctionLookupNS(ctxt->context, +@@ -13430,6 +13485,7 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + func(ctxt, op->value); + ctxt->context->function = oldFunc; + ctxt->context->functionURI = oldFuncURI; ++ xmlXPathPopFrame(ctxt, frame); + return (total); + } + case XPATH_OP_ARG: +@@ -14333,6 +14389,7 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + #ifdef XPATH_STREAMING + if (ctxt->comp->stream) { +diff --git a/xpointer.c b/xpointer.c +index 7a42d02..37afa3a 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1269,6 +1269,7 @@ xmlXPtrEvalXPointer(xmlXPathParserContextPtr ctxt) { + ctxt->valueNr = 0; + ctxt->valueMax = 10; + ctxt->value = NULL; ++ ctxt->valueFrame = 0; + } + SKIP_BLANKS; + if (CUR == '/') { +-- +cgit v0.9.0.2 diff --git a/package/libxml2/libxml2-2.7.8-hash-randomization.patch b/package/libxml2/libxml2-2.7.8-hash-randomization.patch new file mode 100644 index 0000000000..47db59d076 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-hash-randomization.patch @@ -0,0 +1,297 @@ +From 8973d58b7498fa5100a876815476b81fd1a2412a Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Sat, 4 Feb 2012 19:07:44 +0800 +Subject: [PATCH] Add hash randomization to hash and dict structures + +Following http://www.ocert.org/advisories/ocert-2011-003.html +it seems that having hash randomization might be a good idea +when using XML with untrusted data +* configure.in: lookup for rand, srand and time +* dict.c: add randomization to dictionaries hash tables +* hash.c: add randomization to normal hash tables +--- + configure.in | 1 + + dict.c | 81 ++++++++++++++++++++++++++++++++++++++++----------------- + hash.c | 38 ++++++++++++++++++++++++++- + 3 files changed, 95 insertions(+), 25 deletions(-) + +diff --git a/configure.in b/configure.in +index fa80375..828b66a 100644 +--- a/configure.in ++++ b/configure.in +@@ -512,6 +512,7 @@ AC_CHECK_FUNCS(strdup strndup strerror) + AC_CHECK_FUNCS(finite isnand fp_class class fpclass) + AC_CHECK_FUNCS(strftime localtime gettimeofday ftime) + AC_CHECK_FUNCS(stat _stat signal) ++AC_CHECK_FUNCS(rand srand time) + + dnl Checking the standard string functions availability + AC_CHECK_FUNCS(printf sprintf fprintf snprintf vfprintf vsprintf vsnprintf sscanf,, +diff --git a/dict.c b/dict.c +index 3eff231..ae4966b 100644 +--- a/dict.c ++++ b/dict.c +@@ -2,7 +2,7 @@ + * dict.c: dictionary of reusable strings, just used to avoid allocation + * and freeing operations. + * +- * Copyright (C) 2003 Daniel Veillard. ++ * Copyright (C) 2003-2012 Daniel Veillard. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -19,6 +19,28 @@ + #define IN_LIBXML + #include "libxml.h" + ++#ifdef HAVE_STDLIB_H ++#include ++#endif ++#ifdef HAVE_TIME_H ++#include ++#endif ++ ++/* ++ * Following http://www.ocert.org/advisories/ocert-2011-003.html ++ * it seems that having hash randomization might be a good idea ++ * when using XML with untrusted data ++ * Note1: that it works correctly only if compiled with WITH_BIG_KEY ++ * which is the default. ++ * Note2: the fast function used for a small dict won't protect very ++ * well but since the attack is based on growing a very big hash ++ * list we will use the BigKey algo as soon as the hash size grows ++ * over MIN_DICT_SIZE so this actually works ++ */ ++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) ++#define DICT_RANDOMIZATION ++#endif ++ + #include + #ifdef HAVE_STDINT_H + #include +@@ -44,23 +66,23 @@ typedef unsigned __int32 uint32_t; + #define WITH_BIG_KEY + + #ifdef WITH_BIG_KEY +-#define xmlDictComputeKey(dict, name, len) \ +- (((dict)->size == MIN_DICT_SIZE) ? \ +- xmlDictComputeFastKey(name, len) : \ +- xmlDictComputeBigKey(name, len)) +- +-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ +- (((prefix) == NULL) ? \ +- (xmlDictComputeKey(dict, name, len)) : \ +- (((dict)->size == MIN_DICT_SIZE) ? \ +- xmlDictComputeFastQKey(prefix, plen, name, len) : \ +- xmlDictComputeBigQKey(prefix, plen, name, len))) ++#define xmlDictComputeKey(dict, name, len) \ ++ (((dict)->size == MIN_DICT_SIZE) ? \ ++ xmlDictComputeFastKey(name, len, (dict)->seed) : \ ++ xmlDictComputeBigKey(name, len, (dict)->seed)) ++ ++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ ++ (((prefix) == NULL) ? \ ++ (xmlDictComputeKey(dict, name, len)) : \ ++ (((dict)->size == MIN_DICT_SIZE) ? \ ++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) : \ ++ xmlDictComputeBigQKey(prefix, plen, name, len, (dict)->seed))) + + #else /* !WITH_BIG_KEY */ +-#define xmlDictComputeKey(dict, name, len) \ +- xmlDictComputeFastKey(name, len) +-#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ +- xmlDictComputeFastQKey(prefix, plen, name, len) ++#define xmlDictComputeKey(dict, name, len) \ ++ xmlDictComputeFastKey(name, len, (dict)->seed) ++#define xmlDictComputeQKey(dict, prefix, plen, name, len) \ ++ xmlDictComputeFastQKey(prefix, plen, name, len, (dict)->seed) + #endif /* WITH_BIG_KEY */ + + /* +@@ -98,6 +120,8 @@ struct _xmlDict { + xmlDictStringsPtr strings; + + struct _xmlDict *subdict; ++ /* used for randomization */ ++ int seed; + }; + + /* +@@ -125,6 +149,9 @@ static int xmlInitializeDict(void) { + if ((xmlDictMutex = xmlNewRMutex()) == NULL) + return(0); + ++#ifdef DICT_RANDOMIZATION ++ srand(time(NULL)); ++#endif + xmlDictInitialized = 1; + return(1); + } +@@ -277,13 +304,13 @@ found_pool: + */ + + static uint32_t +-xmlDictComputeBigKey(const xmlChar* data, int namelen) { ++xmlDictComputeBigKey(const xmlChar* data, int namelen, int seed) { + uint32_t hash; + int i; + + if (namelen <= 0 || data == NULL) return(0); + +- hash = 0; ++ hash = seed; + + for (i = 0;i < namelen; i++) { + hash += data[i]; +@@ -310,12 +337,12 @@ xmlDictComputeBigKey(const xmlChar* data, int namelen) { + */ + static unsigned long + xmlDictComputeBigQKey(const xmlChar *prefix, int plen, +- const xmlChar *name, int len) ++ const xmlChar *name, int len, int seed) + { + uint32_t hash; + int i; + +- hash = 0; ++ hash = seed; + + for (i = 0;i < plen; i++) { + hash += prefix[i]; +@@ -346,8 +373,8 @@ xmlDictComputeBigQKey(const xmlChar *prefix, int plen, + * for low hash table fill. + */ + static unsigned long +-xmlDictComputeFastKey(const xmlChar *name, int namelen) { +- unsigned long value = 0L; ++xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { ++ unsigned long value = seed; + + if (name == NULL) return(0); + value = *name; +@@ -381,9 +408,9 @@ xmlDictComputeFastKey(const xmlChar *name, int namelen) { + */ + static unsigned long + xmlDictComputeFastQKey(const xmlChar *prefix, int plen, +- const xmlChar *name, int len) ++ const xmlChar *name, int len, int seed) + { +- unsigned long value = 0L; ++ unsigned long value = (unsigned long) seed; + + if (plen == 0) + value += 30 * (unsigned long) ':'; +@@ -460,6 +487,11 @@ xmlDictCreate(void) { + dict->subdict = NULL; + if (dict->dict) { + memset(dict->dict, 0, MIN_DICT_SIZE * sizeof(xmlDictEntry)); ++#ifdef DICT_RANDOMIZATION ++ dict->seed = rand(); ++#else ++ dict->seed = 0; ++#endif + return(dict); + } + xmlFree(dict); +@@ -486,6 +518,7 @@ xmlDictCreateSub(xmlDictPtr sub) { + #ifdef DICT_DEBUG_PATTERNS + fprintf(stderr, "R"); + #endif ++ dict->seed = sub->seed; + dict->subdict = sub; + xmlDictReference(dict->subdict); + } +diff --git a/hash.c b/hash.c +index b78bc2d..fe1424f 100644 +--- a/hash.c ++++ b/hash.c +@@ -3,7 +3,7 @@ + * + * Reference: Your favorite introductory book on algorithms + * +- * Copyright (C) 2000 Bjorn Reese and Daniel Veillard. ++ * Copyright (C) 2000,2012 Bjorn Reese and Daniel Veillard. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -21,6 +21,22 @@ + #include "libxml.h" + + #include ++#ifdef HAVE_STDLIB_H ++#include ++#endif ++#ifdef HAVE_TIME_H ++#include ++#endif ++ ++/* ++ * Following http://www.ocert.org/advisories/ocert-2011-003.html ++ * it seems that having hash randomization might be a good idea ++ * when using XML with untrusted data ++ */ ++#if defined(HAVE_RAND) && defined(HAVE_SRAND) && defined(HAVE_TIME) ++#define HASH_RANDOMIZATION ++#endif ++ + #include + #include + #include +@@ -31,6 +47,10 @@ + + /* #define DEBUG_GROW */ + ++#ifdef HASH_RANDOMIZATION ++static int hash_initialized = 0; ++#endif ++ + /* + * A single entry in the hash table + */ +@@ -53,6 +73,9 @@ struct _xmlHashTable { + int size; + int nbElems; + xmlDictPtr dict; ++#ifdef HASH_RANDOMIZATION ++ int random_seed; ++#endif + }; + + /* +@@ -65,6 +88,9 @@ xmlHashComputeKey(xmlHashTablePtr table, const xmlChar *name, + unsigned long value = 0L; + char ch; + ++#ifdef HASH_RANDOMIZATION ++ value = table->random_seed; ++#endif + if (name != NULL) { + value += 30 * (*name); + while ((ch = *name++) != 0) { +@@ -92,6 +118,9 @@ xmlHashComputeQKey(xmlHashTablePtr table, + unsigned long value = 0L; + char ch; + ++#ifdef HASH_RANDOMIZATION ++ value = table->random_seed; ++#endif + if (prefix != NULL) + value += 30 * (*prefix); + else +@@ -156,6 +185,13 @@ xmlHashCreate(int size) { + table->table = xmlMalloc(size * sizeof(xmlHashEntry)); + if (table->table) { + memset(table->table, 0, size * sizeof(xmlHashEntry)); ++#ifdef HASH_RANDOMIZATION ++ if (!hash_initialized) { ++ srand(time(NULL)); ++ hash_initialized = 1; ++ } ++ table->random_seed = rand(); ++#endif + return(table); + } + xmlFree(table); +-- +1.7.8.4 + diff --git a/package/libxml2/libxml2-2.7.8-reallocation-failures.patch b/package/libxml2/libxml2-2.7.8-reallocation-failures.patch new file mode 100644 index 0000000000..a18756cb87 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-reallocation-failures.patch @@ -0,0 +1,101 @@ +From d7958b21e7f8c447a26bb2436f08402b2c308be4 Mon Sep 17 00:00:00 2001 +From: Chris Evans +Date: Wed, 23 Mar 2011 00:13:06 +0000 +Subject: Fix some potential problems on reallocation failures + +The count was incremented before the allocation +and not fixed in case of failure +* xpath.c: corrects a few instances where the available count of some + structure is updated before we know the allocation actually + succeeds +--- +diff --git a/xpath.c b/xpath.c +index 8b56189..608fe00 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3522,13 +3522,13 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, xmlNodePtr node, xmlNsPtr ns) { + } else if (cur->nodeNr == cur->nodeMax) { + xmlNodePtr *temp; + +- cur->nodeMax *= 2; +- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * ++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "growing nodeset\n"); + return; + } ++ cur->nodeMax *= 2; + cur->nodeTab = temp; + } + cur->nodeTab[cur->nodeNr++] = xmlXPathNodeSetDupNs(node, ns); +@@ -3627,14 +3627,14 @@ xmlXPathNodeSetAddUnique(xmlNodeSetPtr cur, xmlNodePtr val) { + } else if (cur->nodeNr == cur->nodeMax) { + xmlNodePtr *temp; + +- cur->nodeMax *= 2; +- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * ++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "growing nodeset\n"); + return; + } + cur->nodeTab = temp; ++ cur->nodeMax *= 2; + } + if (val->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) val; +@@ -3738,14 +3738,14 @@ xmlXPathNodeSetMerge(xmlNodeSetPtr val1, xmlNodeSetPtr val2) { + } else if (val1->nodeNr == val1->nodeMax) { + xmlNodePtr *temp; + +- val1->nodeMax *= 2; +- temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * ++ temp = (xmlNodePtr *) xmlRealloc(val1->nodeTab, val1->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); + return(NULL); + } + val1->nodeTab = temp; ++ val1->nodeMax *= 2; + } + if (n2->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) n2; +@@ -3907,14 +3907,14 @@ xmlXPathNodeSetMergeAndClear(xmlNodeSetPtr set1, xmlNodeSetPtr set2, + } else if (set1->nodeNr >= set1->nodeMax) { + xmlNodePtr *temp; + +- set1->nodeMax *= 2; + temp = (xmlNodePtr *) xmlRealloc( +- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr)); ++ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); + return(NULL); + } + set1->nodeTab = temp; ++ set1->nodeMax *= 2; + } + if (n2->type == XML_NAMESPACE_DECL) { + xmlNsPtr ns = (xmlNsPtr) n2; +@@ -3991,14 +3991,14 @@ xmlXPathNodeSetMergeAndClearNoDupls(xmlNodeSetPtr set1, xmlNodeSetPtr set2, + } else if (set1->nodeNr >= set1->nodeMax) { + xmlNodePtr *temp; + +- set1->nodeMax *= 2; + temp = (xmlNodePtr *) xmlRealloc( +- set1->nodeTab, set1->nodeMax * sizeof(xmlNodePtr)); ++ set1->nodeTab, set1->nodeMax * 2 * sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "merging nodeset\n"); + return(NULL); + } + set1->nodeTab = temp; ++ set1->nodeMax *= 2; + } + set1->nodeTab[set1->nodeNr++] = n2; + } +-- +cgit v0.9 diff --git a/package/libxml2/libxml2-2.7.8-xpath-freeing.patch b/package/libxml2/libxml2-2.7.8-xpath-freeing.patch new file mode 100644 index 0000000000..3509a48daf --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-xpath-freeing.patch @@ -0,0 +1,32 @@ +From df83c17e5a2646bd923f75e5e507bc80d73c9722 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Wed, 17 Nov 2010 13:12:14 +0000 +Subject: Fix a potential freeing error in XPath + +--- +diff --git a/xpath.c b/xpath.c +index 81e33f6..1447be5 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11763,11 +11763,15 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + xmlXPathObjectPtr tmp; +- /* pop the result */ ++ /* pop the result if any */ + tmp = valuePop(ctxt); +- xmlXPathReleaseObject(xpctxt, tmp); +- /* then pop off contextObj, which will be freed later */ +- valuePop(ctxt); ++ if (tmp != contextObj) ++ /* ++ * Free up the result ++ * then pop off contextObj, which will be freed later ++ */ ++ xmlXPathReleaseObject(xpctxt, tmp); ++ valuePop(ctxt); + goto evaluation_error; + } + +-- +cgit v0.8.3.1 diff --git a/package/libxml2/libxml2-2.7.8-xpath-freeing2.patch b/package/libxml2/libxml2-2.7.8-xpath-freeing2.patch new file mode 100644 index 0000000000..17059418b2 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-xpath-freeing2.patch @@ -0,0 +1,28 @@ +From fec31bcd452e77c10579467ca87a785b41115de6 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Thu, 18 Nov 2010 10:07:24 +0000 +Subject: Small fix for previous commit + +--- +diff --git a/xpath.c b/xpath.c +index 1447be5..8b56189 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11765,13 +11765,14 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + xmlXPathObjectPtr tmp; + /* pop the result if any */ + tmp = valuePop(ctxt); +- if (tmp != contextObj) ++ if (tmp != contextObj) { + /* + * Free up the result + * then pop off contextObj, which will be freed later + */ + xmlXPathReleaseObject(xpctxt, tmp); + valuePop(ctxt); ++ } + goto evaluation_error; + } + +-- +cgit v0.8.3.1 diff --git a/package/libxml2/libxml2-2.7.8-xpath-memory.patch b/package/libxml2/libxml2-2.7.8-xpath-memory.patch new file mode 100644 index 0000000000..f94350d277 --- /dev/null +++ b/package/libxml2/libxml2-2.7.8-xpath-memory.patch @@ -0,0 +1,29 @@ +From 0cbeb50ee03ce582a0c979c70d8fbf030e270c37 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard +Date: Mon, 15 Nov 2010 11:06:29 +0000 +Subject: Fix a potential memory access error + +in case of a previus allocation error +--- +diff --git a/xpath.c b/xpath.c +index 4d6826d..81e33f6 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -3575,13 +3575,13 @@ xmlXPathNodeSetAdd(xmlNodeSetPtr cur, xmlNodePtr val) { + } else if (cur->nodeNr == cur->nodeMax) { + xmlNodePtr *temp; + +- cur->nodeMax *= 2; +- temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * ++ temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 * + sizeof(xmlNodePtr)); + if (temp == NULL) { + xmlXPathErrMemory(NULL, "growing nodeset\n"); + return; + } ++ cur->nodeMax *= 2; + cur->nodeTab = temp; + } + if (val->type == XML_NAMESPACE_DECL) { +-- +cgit v0.8.3.1 diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk index 0687137a58..54ad123d1e 100644 --- a/package/libxml2/libxml2.mk +++ b/package/libxml2/libxml2.mk @@ -7,6 +7,7 @@ LIBXML2_VERSION = 2.7.8 LIBXML2_SITE = ftp://xmlsoft.org/libxml2 LIBXML2_INSTALL_STAGING = YES +LIBXML2_AUTORECONF = YES ifneq ($(BR2_LARGEFILE),y) LIBXML2_CONF_ENV = CC="$(TARGET_CC) $(TARGET_CFLAGS) -DNO_LARGEFILE_SOURCE" -- 2.30.2