[libxml2] Add missing increments of recursion depth counter to XML parser.

From: Daniel Veillard <veillard src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Add missing increments of recursion depth counter to XML parser.
Date: Sun, 22 May 2016 01:26:39 +0000 (UTC)

commit 8f30bdff69edac9075f4663ce3b56b0c52d48ce6
Author: Peter Simons <psimons suse com>
Date:   Fri Apr 15 11:56:55 2016 +0200

    Add missing increments of recursion depth counter to XML parser.
    
    For https://bugzilla.gnome.org/show_bug.cgi?id=765207
    CVE-2016-3705
    The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used to call
    xmlStringDecodeEntities() in a recursive context without incrementing the
    'depth' counter in the parser context. Because of that omission, the parser
    failed to detect attribute recursions in certain documents before running out
    of stack space.

 parser.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/parser.c b/parser.c
index f5907bf..68e1c90 100644
--- a/parser.c
+++ b/parser.c
@@ -144,8 +144,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
 
        ent->checked = 1;
 
+        ++ctxt->depth;
        rep = xmlStringDecodeEntities(ctxt, ent->content,
                                  XML_SUBSTITUTE_REF, 0, 0, 0);
+        --ctxt->depth;
 
        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
        if (rep != NULL) {
@@ -3966,8 +3968,10 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
         * an entity declaration, it is bypassed and left as is.
         * so XML_SUBSTITUTE_REF is not set here.
         */
+        ++ctxt->depth;
        ret = xmlStringDecodeEntities(ctxt, buf, XML_SUBSTITUTE_PEREF,
                                      0, 0, 0);
+        --ctxt->depth;
        if (orig != NULL)
            *orig = buf;
        else
@@ -4092,9 +4096,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
                } else if ((ent != NULL) &&
                           (ctxt->replaceEntities != 0)) {
                    if (ent->etype != XML_INTERNAL_PREDEFINED_ENTITY) {
+                       ++ctxt->depth;
                        rep = xmlStringDecodeEntities(ctxt, ent->content,
                                                      XML_SUBSTITUTE_REF,
                                                      0, 0, 0);
+                       --ctxt->depth;
                        if (rep != NULL) {
                            current = rep;
                            while (*current != 0) { /* non input consuming */
@@ -4130,8 +4136,10 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
                        (ent->content != NULL) && (ent->checked == 0)) {
                        unsigned long oldnbent = ctxt->nbentities;
 
+                       ++ctxt->depth;
                        rep = xmlStringDecodeEntities(ctxt, ent->content,
                                                  XML_SUBSTITUTE_REF, 0, 0, 0);
+                       --ctxt->depth;
 
                        ent->checked = (ctxt->nbentities - oldnbent + 1) * 2;
                        if (rep != NULL) {

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]