platform/upstream/libxml2.git
17 months ago: [CVE-2022-40304] Fix dict corruption caused by entity reference cycles (refs: 87/287287/1 accepted/tizen_6.5_base accepted/tizen_6.5_base_tool tizen_6.5_base accepted/tizen/6.5/base/20230714.002546 accepted/tizen/6.5/base/tool/20230131.025508 submit/tizen_6.5_base/20230126.073210)
Nick Wellnhofer [Wed, 31 Aug 2022 20:11:25 +0000 (22:11 +0200)]
[CVE-2022-40304] Fix dict corruption caused by entity reference cycles

When an entity reference cycle is detected, the entity content is
cleared by setting its first byte to zero. But the entity content might
be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

Stop storing entity content, orig, ExternalID and SystemID in a dict.
These values are unlikely to occur multiple times in a document, so they
shouldn't have been stored in a dict in the first place.

Thanks to Ned Williamson and Nathan Wachholz working with Google Project
Zero for the report!

Change-Id: Ic72980e9951365347f484203817b37fa41e65d52
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
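The following is an added example, not libxml2's code or part of this commit. It models the mechanism the message describes: a string dictionary in the style of xmlDict hands out one shared buffer per distinct string, so writing a zero byte into entity content that came from the dictionary also rewrites the dictionary's own key and every other holder of that string. The declarations `<!ENTITY a "&b;">` and `<!ENTITY b "&a;">`, the bystander string `other`, and the names `Dict`, `Entity`, `run_scenario` and `entity_has_loop` are all constructed for this illustration; `run_scenario(1)` reproduces the pre-fix interning, `run_scenario(0)` the fix (a private copy of the content).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxml2 code: a minimal model of the CVE-2022-40304
 * mechanism. The dictionary returns one shared, malloc'd buffer per
 * distinct string (the idea behind xmlDict). Everything here is a
 * constructed model; only the behaviour, not the code, mirrors libxml2. */

#define DICT_SIZE 16
#define MAX_ENTITIES 8

typedef struct { char *keys[DICT_SIZE]; int count; } Dict;
typedef struct { const char *name; const char *content; int owns_content; } Entity;

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Return the dictionary's buffer for s, adding s if it is new.
 * Invariant the dictionary relies on: a stored key never changes. */
static const char *dict_lookup(Dict *d, const char *s) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->keys[i], s) == 0)
            return d->keys[i];
    if (d->count == DICT_SIZE) return NULL;
    d->keys[d->count] = xstrdup(s);
    return d->keys[d->count++];
}

static void dict_free(Dict *d) {
    for (int i = 0; i < d->count; i++) free(d->keys[i]);
    d->count = 0;
}

/* Does content contain the reference "&name;"? */
static int refers_to(const char *content, const char *name) {
    size_t n = strlen(name);
    for (const char *p = strchr(content, '&'); p; p = strchr(p + 1, '&'))
        if (strncmp(p + 1, name, n) == 0 && p[1 + n] == ';')
            return 1;
    return 0;
}

/* Depth-first walk over entity references; revisiting an entity that is
 * already on the current path means the references form a loop. */
static int walk(const Entity *ents, int count, int cur, int *on_path) {
    if (on_path[cur]) return 1;
    on_path[cur] = 1;
    for (int i = 0; i < count; i++)
        if (refers_to(ents[cur].content, ents[i].name) &&
            walk(ents, count, i, on_path))
            return 1;
    on_path[cur] = 0;
    return 0;
}

static int entity_has_loop(const Entity *ents, int count, int idx) {
    int on_path[MAX_ENTITIES] = {0};
    return walk(ents, count, idx, on_path);
}

/* Constructed declarations  <!ENTITY a "&b;">  <!ENTITY b "&a;">.
 * interned != 0: entity content comes from the dictionary (pre-fix).
 * interned == 0: entity content is a private copy (the fix).
 * "other" stands for any unrelated string in the document that happens to
 * equal a's content and was interned earlier. Returns 1 if the dictionary
 * ended up corrupted, 0 otherwise. */
int run_scenario(int interned) {
    Dict dict = { {0}, 0 };
    Entity ents[2] = { {"a", NULL, 0}, {"b", NULL, 0} };
    const char *other = dict_lookup(&dict, "&b;");

    for (int i = 0; i < 2; i++) {
        const char *text = (i == 0) ? "&b;" : "&a;";
        if (interned) {
            ents[i].content = dict_lookup(&dict, text);
        } else {
            ents[i].content = xstrdup(text);   /* own copy, as the fix does */
            ents[i].owns_content = 1;
        }
    }

    /* Cycle handling as described for pre-fix libxml2: the content is
     * cleared in place by zeroing its first byte. With interned content
     * this writes into the dictionary's key. */
    for (int i = 0; i < 2; i++)
        if (entity_has_loop(ents, 2, i))
            ((char *)ents[i].content)[0] = '\0';

    int corrupted = 0;
    if (strcmp(other, "&b;") != 0)          corrupted = 1; /* bystander string changed */
    if (dict_lookup(&dict, "&b;") != other) corrupted = 1; /* same string, second buffer */
    if (dict_lookup(&dict, "") == other)    corrupted = 1; /* "" now resolves to it */

    for (int i = 0; i < 2; i++)
        if (ents[i].owns_content) free((char *)ents[i].content);
    dict_free(&dict);
    return corrupted;
}

int main(void) {
    printf("interned content: dict corrupted = %d\n", run_scenario(1));
    printf("private copies:   dict corrupted = %d\n", run_scenario(0));
    return 0;
}
```

The three checks at the end are the invariants a string dictionary exists to provide: a stored key is immutable, equal strings map to one buffer, and a lookup for a different string never returns that buffer. Once they fail, anything keyed on the dictionary (name comparison by pointer, ownership decisions at free time) can go wrong, which is why the fix moves these rarely repeated values out of the dictionary instead of trying to make the in-place clear safe.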
17 months ago: [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE (refs: 86/287286/1)
Nick Wellnhofer [Thu, 25 Aug 2022 15:43:08 +0000 (17:43 +0200)]
[CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE

Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
XML_MAX_HUGE_LENGTH (1 billion bytes).

Move some of the length checks to the end of the respective loop to make
them strict.

xmlParseEntityValue didn't have a length limitation at all. But without
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.

Thanks to Maddie Stone working with Google Project Zero for the report!

Change-Id: I863cb7ab00bf304f623084fb2ba97bf036166606
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
18 months ago: [CVE-2022-23308] Use-after-free of ID and IDREF attributes (refs: 02/286802/1 accepted/tizen/6.5/base/tool/20230116.011932 submit/tizen_6.5_base/20230113.060251)
Nick Wellnhofer [Tue, 8 Feb 2022 02:29:24 +0000 (03:29 +0100)]
[CVE-2022-23308] Use-after-free of ID and IDREF attributes

If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.

ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.

The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)

All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.

Change-Id: Iee3c796c5c163a35fe61fc449adf7182331be627
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
3 years ago: Bump to libxml2 2.9.12 (refs: 61/260561/4 backup/libxml2-2.9.12-20220906 sandbox/dh0128.kwak/libxml2-2.9.12_20210629 accepted/tizen/6.5/base/tool/20211027.120256 accepted/tizen/base/tool/20210705.215942 accepted/tizen/base/tool/20210706.084743 submit/tizen_6.5_base/20211026.180901 submit/tizen_6.5_base/20211027.183101 submit/tizen_6.5_base/20211027.200801 submit/tizen_base/20210630.004312 submit/tizen_base/20210701.003536 tizen_6.5.m2_release)
DongHun Kwak [Tue, 29 Jun 2021 05:58:00 +0000 (14:58 +0900)]
Bump to libxml2 2.9.12

Change-Id: I4c0631eb040d2a87101f0988cd531580335f7433
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
3 years ago: Imported Upstream version 2.9.12 (refs: upstream/2.9.12)
DongHun Kwak [Tue, 29 Jun 2021 03:26:53 +0000 (12:26 +0900)]
Imported Upstream version 2.9.12

3 years ago: Imported Upstream version 2.9.11 (refs: upstream/2.9.11)
DongHun Kwak [Tue, 29 Jun 2021 03:26:30 +0000 (12:26 +0900)]
Imported Upstream version 2.9.11

4 years ago: Imported Upstream version 2.9.10 (refs: upstream/2.9.10)
Hyunjee Kim [Thu, 28 Nov 2019 00:41:20 +0000 (09:41 +0900)]
Imported Upstream version 2.9.10

4 years ago: Imported Upstream version 2.9.9 (refs: upstream/2.9.9)
DongHun Kwak [Thu, 10 Oct 2019 05:47:48 +0000 (14:47 +0900)]
Imported Upstream version 2.9.9

4 years ago: Imported Upstream version 2.9.8 (refs: upstream/2.9.8)
DongHun Kwak [Thu, 10 Oct 2019 05:47:39 +0000 (14:47 +0900)]
Imported Upstream version 2.9.8

6 years ago: Imported Upstream version 2.9.7 (refs: 42/161342/1 upstream/2.9.7)
DongHun Kwak [Thu, 23 Nov 2017 02:22:54 +0000 (11:22 +0900)]
Imported Upstream version 2.9.7

Change-Id: I9ae5434978bd98bb49d072dc066e149cbac06842
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago: Imported Upstream version 2.9.6 (refs: 72/156072/1 upstream/2.9.6)
DongHun Kwak [Tue, 17 Oct 2017 05:43:14 +0000 (14:43 +0900)]
Imported Upstream version 2.9.6

Change-Id: I5c98bedf617f60e9e5c5883c0a028c2733b361d0
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago: Imported Upstream version 2.9.6_rc1 (refs: 71/156071/1)
DongHun Kwak [Tue, 17 Oct 2017 05:42:37 +0000 (14:42 +0900)]
Imported Upstream version 2.9.6_rc1

Change-Id: I5dcb0df63b566606727a5902d819550ce253f54c
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago: Imported Upstream version 2.9.5 (refs: 70/156070/1)
DongHun Kwak [Tue, 17 Oct 2017 05:42:10 +0000 (14:42 +0900)]
Imported Upstream version 2.9.5

Change-Id: I26aba6b2cafb1d9429b90886c5270887df23ef57
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago: Imported Upstream version 2.9.5_rc2 (refs: 69/156069/1)
DongHun Kwak [Tue, 17 Oct 2017 05:41:39 +0000 (14:41 +0900)]
Imported Upstream version 2.9.5_rc2

Change-Id: I1713fddeb3c21d510a0194abdf5d37d5674780c2
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago: Imported Upstream version 2.9.5_rc1 (refs: 68/156068/1)
DongHun Kwak [Tue, 17 Oct 2017 05:41:01 +0000 (14:41 +0900)]
Imported Upstream version 2.9.5_rc1

Change-Id: I8601bce726b46c3afa400a74689dfa004cae0501
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
8 years ago: Imported Upstream version 2.9.4 (refs: 37/74637/1 upstream/2.9.4)
DongHun Kwak [Wed, 15 Jun 2016 05:06:40 +0000 (14:06 +0900)]
Imported Upstream version 2.9.4

Change-Id: Ia77571980e4b0410bb3314b12af5a9e5bf732a38
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
8 years ago: Imported Upstream version 2.9.2 (refs: 14/52514/1 upstream/2.9.2)
DongHun Kwak [Mon, 23 Nov 2015 11:28:27 +0000 (20:28 +0900)]
Imported Upstream version 2.9.2

Change-Id: I82eaee9a90ae71ea3d3c6151e275ad34ed6ea919
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
9 years ago: Imported Upstream version 2.9.1 (refs: upstream/2.9.1)
xroche [Fri, 7 Nov 2014 16:26:44 +0000 (17:26 +0100)]
Imported Upstream version 2.9.1

11 years ago: Imported Upstream version 2.8.0 (refs: upstream/2.8.0)
Anas Nashif [Wed, 7 Nov 2012 16:49:28 +0000 (08:49 -0800)]
Imported Upstream version 2.8.0