platform/upstream/libxml2.git
13 months ago  [CVE-2020-7595] Fix infinite loop in xmlStringLenDecodeEntities  99/294499/1 accepted/tizen_6.0_base accepted/tizen_6.0_base_tool tizen_6.0_base accepted/tizen/6.0/base/20230713.142922 accepted/tizen/6.0/base/tool/20230625.221418 submit/tizen_6.0_base/20230622.060439
JinWang An [Tue, 20 Jun 2023 07:57:03 +0000 (16:57 +0900)]
[CVE-2020-7595] Fix infinite loop in xmlStringLenDecodeEntities

When ctxt->instate == XML_PARSER_EOF, xmlParseStringEntityRef
returns NULL, which causes an infinite loop in xmlStringLenDecodeEntities.

Found with libFuzzer.

From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
From: Zhipeng Xie <xiezhipeng1@huawei.com>
Date: Thu, 12 Dec 2019 17:30:55 +0800

Change-Id: Icf48083013a7e949a591eac94dc6def067a49459
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
Signed-off-by: JinWang An <jinwang.an@samsung.com>
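The loop shape behind this bug, as an added example that is not libxml2's code: a toy entity decoder whose reference parser, like xmlParseStringEntityRef, returns NULL once the context is in an EOF state, and the decoding loop with the state and progress checks that stop it from spinning. Every name here (toy_ctxt, PARSER_EOF, parse_string_entity_ref, decode_entities, the three-entry entity table) is hypothetical; the input strings are constructed samples.

```c
/* Added example, not libxml2 code: a toy version of the entity-decoding loop
 * with the state check that ends it once the parser has hit EOF. Names and
 * the entity table are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef enum { PARSER_CONTENT = 0, PARSER_EOF = -1 } parser_state;
typedef struct { parser_state instate; } toy_ctxt;

/* Constructed sample table: name -> replacement text. */
static const struct { const char *name; const char *value; } entities[] = {
    { "lt", "<" }, { "gt", ">" }, { "amp", "&" },
};

/* Parse "&name;" at *pstr. On success advance *pstr past ';' and return the
 * replacement. On a malformed or unknown reference put the context into
 * PARSER_EOF and return NULL *without consuming input*, the combination that
 * left the caller looping forever before the fix. */
static const char *parse_string_entity_ref(toy_ctxt *ctxt, const char **pstr, const char *end)
{
    const char *p = *pstr;
    if (ctxt->instate == PARSER_EOF) return NULL;      /* already failed */
    if (p >= end || *p != '&') return NULL;
    const char *name = p + 1;
    const char *semi = memchr(name, ';', (size_t)(end - name));
    if (semi == NULL || semi == name) { ctxt->instate = PARSER_EOF; return NULL; }
    for (size_t i = 0; i < sizeof entities / sizeof entities[0]; i++) {
        size_t n = strlen(entities[i].name);
        if ((size_t)(semi - name) == n && memcmp(name, entities[i].name, n) == 0) {
            *pstr = semi + 1;
            return entities[i].value;
        }
    }
    ctxt->instate = PARSER_EOF;                        /* unknown entity: fatal here */
    return NULL;
}

/* Decode all references in [str, str+len). Returns a malloc'd string, or
 * NULL on error (the caller frees the result). Replacements in this toy are
 * never longer than the reference they replace, so len+1 bytes suffice. */
char *decode_entities(toy_ctxt *ctxt, const char *str, size_t len)
{
    const char *end = str + len;
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    size_t o = 0;
    while (str < end) {
        if (*str == '&') {
            const char *prev = str;
            const char *val = parse_string_entity_ref(ctxt, &str, end);
            /* The fix: a NULL return, the parser at EOF, or no progress at all
             * must terminate the loop, otherwise str never advances. */
            if (val == NULL || ctxt->instate == PARSER_EOF || str == prev) {
                free(out);
                return NULL;
            }
            size_t n = strlen(val);
            memcpy(out + o, val, n);
            o += n;
        } else {
            out[o++] = *str++;
        }
    }
    out[o] = '\0';
    return out;
}

/* Fixed-input checks on constructed samples; return 1 when behaviour is right. */
int demo_decode_ok(void)
{
    toy_ctxt c = { PARSER_CONTENT };
    const char in[] = "a &lt; b &amp;&amp; c";
    char *s = decode_entities(&c, in, sizeof in - 1);
    int ok = s != NULL && strcmp(s, "a < b && c") == 0 && c.instate == PARSER_CONTENT;
    free(s);
    return ok;
}

int demo_truncated_ref_terminates(void)
{
    toy_ctxt c = { PARSER_CONTENT };
    const char in[] = "x &lt";                      /* reference cut off: no ';' */
    char *s = decode_entities(&c, in, sizeof in - 1);
    return s == NULL && c.instate == PARSER_EOF;   /* loop ended instead of spinning */
}
```

The `str == prev` test is a belt-and-braces progress guard: even if a future change makes the reference parser return a non-NULL value without consuming input, the loop still cannot run forever.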
13 months ago  [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer  27/294427/1 accepted/tizen/6.0/base/tool/20230625.221407 submit/tizen_6.0_base/20230619.064314
JinWang An [Mon, 19 Jun 2023 06:19:44 +0000 (15:19 +0900)]
[PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and xmlBuffer

From 6c283d83eccd940bcde15634ac8c7f100e3caefd Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 8 Mar 2022 20:10:02 +0100

In several places, the code handling string buffers didn't check for
integer overflow or used wrong types for buffer sizes. This could
result in out-of-bounds writes or other memory errors when working on
large, multi-gigabyte buffers.

Thanks to Felix Wilhelm for the report.

Change-Id: If3a2ec6b91d5ddcbea476ad674d85476a37d2c07
Signed-off-by: JinWang An <jinwang.an@samsung.com>
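What "checking for integer overflow and using the right types for buffer sizes" looks like in practice, as an added example that is not libxml2's xmlBuf code: a byte buffer whose growth path does all arithmetic in size_t behind an explicit cap, next to the narrower-type sum that wraps. The type and function names (buf_t, buf_grow, buf_add, unchecked_needed, BUF_MAX_SIZE) are hypothetical and the sample data is constructed.

```c
/* Added example, not libxml2 code: overflow-checked growth of a byte buffer.
 * Names are hypothetical; the cap is an arbitrary stand-in for a real limit. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <limits.h>

typedef struct {
    unsigned char *content;
    size_t use;    /* bytes in use, not counting the terminating NUL */
    size_t size;   /* bytes allocated */
} buf_t;

#define BUF_MAX_SIZE (SIZE_MAX / 2)   /* hypothetical hard cap on buffer size */

/* The broken shape: the needed size computed in a narrower unsigned type.
 * With use close to UINT_MAX the sum wraps to a small value, which then
 * passes a "needed <= size" test and the following memcpy writes past the
 * allocation. Unsigned wrap is well defined, so this is safe to call here. */
unsigned int unchecked_needed(unsigned int use, unsigned int len)
{
    return use + len + 1;   /* wraps silently */
}

/* Ensure room for len more bytes plus a NUL. Returns 1 on success, 0 on
 * overflow or allocation failure; on failure the buffer is left unchanged. */
int buf_grow(buf_t *buf, size_t len)
{
    if (buf == NULL || buf->use >= BUF_MAX_SIZE) return 0;
    if (len > BUF_MAX_SIZE - buf->use - 1) return 0;   /* use + len + 1 would pass the cap */
    size_t needed = buf->use + len + 1;
    if (needed <= buf->size) return 1;

    size_t newsize = buf->size ? buf->size : 64;
    while (newsize < needed) {
        if (newsize > BUF_MAX_SIZE / 2) { newsize = BUF_MAX_SIZE; break; }   /* doubling stops at the cap */
        newsize *= 2;
    }
    unsigned char *p = realloc(buf->content, newsize);
    if (p == NULL) return 0;
    buf->content = p;
    buf->size = newsize;
    return 1;
}

/* Append len bytes, keeping the content NUL-terminated. */
int buf_add(buf_t *buf, const unsigned char *data, size_t len)
{
    if (!buf_grow(buf, len)) return 0;
    memcpy(buf->content + buf->use, data, len);
    buf->use += len;
    buf->content[buf->use] = '\0';
    return 1;
}

/* Fixed-input check on constructed data; returns 1 when behaviour is right. */
int demo_grow_and_reject_overflow(void)
{
    buf_t b = { NULL, 0, 0 };
    int ok = buf_add(&b, (const unsigned char *)"hello", 5);
    ok = ok && b.use == 5 && b.size >= 6 && strcmp((char *)b.content, "hello") == 0;
    /* a length that cannot fit is rejected and the buffer is untouched */
    size_t before = b.size;
    ok = ok && buf_grow(&b, SIZE_MAX - 2) == 0 && b.size == before && b.use == 5;
    /* the wrap the size_t check prevents: UINT_MAX-1 + 5 + 1 == 4 */
    ok = ok && unchecked_needed(UINT_MAX - 1, 5) == 4u;
    free(b.content);
    return ok;
}
```

The two checks in buf_grow are ordered so that no subtraction can underflow: `buf->use >= BUF_MAX_SIZE` is rejected first, which makes `BUF_MAX_SIZE - buf->use - 1` safe to compute.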
17 months ago  [CVE-2022-40304] Fix dict corruption caused by entity reference cycles  81/287281/1 accepted/tizen/6.0/base/tool/20230131.025507 submit/tizen_6.0_base/20230126.073149 submit/tizen_6.0_base/20230126.073159
Nick Wellnhofer [Wed, 31 Aug 2022 20:11:25 +0000 (22:11 +0200)]
[CVE-2022-40304] Fix dict corruption caused by entity reference cycles

When an entity reference cycle is detected, the entity content is
cleared by setting its first byte to zero. But the entity content might
be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

Stop storing entity content, orig, ExternalID and SystemID in a dict.
These values are unlikely to occur multiple times in a document, so they
shouldn't have been stored in a dict in the first place.

Thanks to Ned Williamson and Nathan Wachholz working with Google Project
Zero for the report!

Change-Id: I885a9da0cce3dd3e8c62f5d9c309deb2ca5c1d85
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
17 months ago  [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE  80/287280/1
Nick Wellnhofer [Thu, 25 Aug 2022 15:43:08 +0000 (17:43 +0200)]
[CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE

Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
XML_MAX_HUGE_LENGTH (1 billion bytes).

Move some of the length checks to the end of the respective loop to make
them strict.

xmlParseEntityValue didn't have a length limitation at all. But without
XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.

Thanks to Maddie Stone working with Google Project Zero for the report!

Change-Id: If70b028a02c1ffce193baa26182b829f944c5d7a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
18 months ago  [CVE-2021-3518] Fix use-after-free with `xmllint --xinclude --dropdtd`  02/286702/1 accepted/tizen/6.0/base/tool/20230116.011835 submit/tizen_6.0_base/20230112.235350
Nick Wellnhofer [Thu, 22 Apr 2021 17:26:28 +0000 (19:26 +0200)]
[CVE-2021-3518] Fix use-after-free with `xmllint --xinclude --dropdtd`

The --dropdtd option can leave dangling pointers in entity reference
nodes. Make sure to skip these nodes when processing XIncludes.

This also avoids scanning entity declarations and even modifying
them inadvertently during XInclude processing.

Move from a block list to an allow list approach to avoid descending
into other node types that can't contain elements.

Fixes #237.

Change-Id: Ifd6eee2ade87d55469e234066186921b83fe4dd6
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
18 months ago  [CVE-2021-3517] Validate UTF8 in xmlEncodeEntities  99/286699/1
Joel Hockey [Mon, 17 Aug 2020 00:19:35 +0000 (17:19 -0700)]
[CVE-2021-3517] Validate UTF8 in xmlEncodeEntities

Code is currently assuming UTF-8 without validating. Truncated UTF-8
input can cause out-of-bounds array access.

Adds further checks to partial fix in 50f06b3e.

Fixes #178

Change-Id: Ie12b322068d4550475a04fc5976a79e8a38231f9
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
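The check this fix adds, as an added example that is not libxml2's xmlEncodeEntities: an escaper that validates each UTF-8 sequence against the bytes actually remaining before copying it, so a multibyte sequence truncated at the end of the input is rejected instead of read past the buffer. The function names (utf8_seq_len, escape_entities, the demo helpers) are hypothetical and the inputs are constructed samples.

```c
/* Added example, not libxml2 code: escape '<', '>' and '&' while validating
 * UTF-8 against the remaining length. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Return the length (1..4) of the well-formed UTF-8 sequence starting at s,
 * given avail bytes remaining, or 0 if it is truncated or malformed. */
size_t utf8_seq_len(const unsigned char *s, size_t avail)
{
    size_t n;
    if (avail == 0) return 0;
    unsigned char c = s[0];
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) n = 2;
    else if (c >= 0xE0 && c <= 0xEF) n = 3;
    else if (c >= 0xF0 && c <= 0xF4) n = 4;
    else return 0;                 /* stray continuation byte or invalid lead byte */
    if (avail < n) return 0;       /* truncated: exactly the case that read out of bounds */
    for (size_t i = 1; i < n; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    /* reject overlong forms and UTF-16 surrogates (RFC 3629 second-byte ranges) */
    if (n == 3) {
        if (c == 0xE0 && s[1] < 0xA0) return 0;
        if (c == 0xED && s[1] > 0x9F) return 0;
    } else if (n == 4) {
        if (c == 0xF0 && s[1] < 0x90) return 0;
        if (c == 0xF4 && s[1] > 0x8F) return 0;
    }
    return n;
}

/* Escape into a newly allocated NUL-terminated string; return NULL if the
 * input is not valid UTF-8 or on allocation failure (caller frees). */
char *escape_entities(const unsigned char *in, size_t len)
{
    if (len > (SIZE_MAX - 1) / 5) return NULL;   /* worst case: every byte -> "&amp;" */
    char *out = malloc(len * 5 + 1);
    if (out == NULL) return NULL;
    size_t o = 0, i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(in + i, len - i);
        if (n == 0) { free(out); return NULL; }  /* never copy an unvalidated sequence */
        if (n == 1) {
            switch (in[i]) {
            case '<': memcpy(out + o, "&lt;", 4);  o += 4; break;
            case '>': memcpy(out + o, "&gt;", 4);  o += 4; break;
            case '&': memcpy(out + o, "&amp;", 5); o += 5; break;
            default:  out[o++] = (char)in[i];
            }
        } else {
            memcpy(out + o, in + i, n);
            o += n;
        }
        i += n;
    }
    out[o] = '\0';
    return out;
}

/* Fixed-input checks on constructed samples; return 1 when behaviour is right. */
int demo_truncated_rejected(void)
{
    const unsigned char in[] = { 'a', 0xC3 };     /* 'a', then a 2-byte sequence cut short */
    return escape_entities(in, sizeof in) == NULL;
}

int demo_valid_escaped(void)
{
    const unsigned char in[] = "caf\xC3\xA9 <b>&";   /* "cafe" with e-acute, then markup */
    char *s = escape_entities(in, sizeof in - 1);
    int ok = s != NULL && strcmp(s, "caf\xC3\xA9 &lt;b&gt;&amp;") == 0;
    free(s);
    return ok;
}
```

The validator is deliberately stricter than "does the lead byte look right": the length it returns is only trusted after every continuation byte has been checked within `avail`, which is the invariant a fuzzer-found truncation breaks.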
18 months ago  [CVE-2019-20388] Fix memory leak in xmlSchemaValidateStream  97/286697/1
Zhipeng Xie [Tue, 20 Aug 2019 08:33:06 +0000 (16:33 +0800)]
[CVE-2019-20388] Fix memory leak in xmlSchemaValidateStream

When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
allocates a new schema for ctxt->schema and sets vctxt->xsiAssemble
to 1. Then xmlSchemaVStart->xmlSchemaPreRun initializes
vctxt->xsiAssemble to 0 again, which causes the allocated schema
to never be freed.

Found with libFuzzer.

Change-Id: I19755ffa6ff031a6d5ba2b7daa82ad1b8a3b9362
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
18 months ago  [CVE-2022-23308] Use-after-free of ID and IDREF attributes  96/286696/1
Nick Wellnhofer [Tue, 8 Feb 2022 02:29:24 +0000 (03:29 +0100)]
[CVE-2022-23308] Use-after-free of ID and IDREF attributes

If a document is parsed with XML_PARSE_DTDVALID and without
XML_PARSE_NOENT, the value of ID attributes has to be normalized after
potentially expanding entities in xmlRemoveID. Otherwise, later calls
to xmlGetID can return a pointer to previously freed memory.

ID attributes which are empty or contain only whitespace after
entity expansion are affected in a similar way. This is fixed by
not storing such attributes in the ID table.

The test to detect streaming mode when validating against a DTD was
broken. In connection with the defects above, this could result in a
use-after-free when using the xmlReader interface with validation.
Fix detection of streaming mode to avoid similar issues. (This changes
the expected result of a test case. But as far as I can tell, using the
XML reader with XIncludes referencing the root document never worked
properly, anyway.)

All of these issues can result in denial of service. Using xmlReader
with validation could result in disclosure of memory via the error
channel, typically stderr. The security impact of xmlGetID returning
a pointer to freed memory depends on the application. The typical use
case of calling xmlGetID on an unmodified document is not affected.

Change-Id: I2698142478b614c9b4636528c20aa30e2bbae31c
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
4 years ago  Separate python-libxml2 from libxml2  59/234659/2 accepted/tizen_6.0_base_tool_hotfix tizen_6.0_base_hotfix accepted/tizen/6.0/base/20201029.110937 accepted/tizen/6.0/base/tool/20201029.112218 accepted/tizen/6.0/base/tool/hotfix/20201030.125022 accepted/tizen/6.0/base/tool/hotfix/20201102.090328 accepted/tizen/base/20200608.211034 submit/tizen_6.0_base/20201029.184801 submit/tizen_6.0_base_hotfix/20201030.192501 submit/tizen_6.0_base_hotfix/20201102.162701 submit/tizen_base/20200602.074113 submit/tizen_base/20200602.074138 submit/tizen_base/20201207.055733 submit/tizen_base/20201208.051231 submit/tizen_base/20201208.051733 tizen_6.0.m2_release
Hyunjee Kim [Thu, 28 May 2020 01:32:22 +0000 (10:32 +0900)]
Separate python-libxml2 from libxml2

* python-libxml2: https://review.tizen.org/gerrit/233663
* python3-libxml2: https://review.tizen.org/gerrit/233789

Change-Id: Ifff4ffd3d16f3a3a22d9d681b483266b263d55eb
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
4 years ago  Merge branch 'sandbox/dh0128.kwak/libxml2_2.9.10_20200316' into tizen_base  49/227849/1 accepted/tizen/base/20200403.032756 submit/tizen_base/20200317.012127 submit/tizen_base/20200330.231010
DongHun Kwak [Tue, 17 Mar 2020 01:10:24 +0000 (10:10 +0900)]
Merge branch 'sandbox/dh0128.kwak/libxml2_2.9.10_20200316' into tizen_base

Change-Id: I54bcae8ad21f42a8f978e03ebe05cf4816e33dae
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
4 years ago  Bump to libxml 2.9.10  sandbox/dh0128.kwak/libxml2_2.9.10_20200316
DongHun Kwak [Tue, 17 Mar 2020 01:06:33 +0000 (10:06 +0900)]
Bump to libxml 2.9.10

Change-Id: Iba9ff0b8e9994c5a805764b04679c3f4d95d0063

4 years ago  [CVE-2019-19956] Fix memory leak in xmlParseBalancedChunkMemoryRecover  98/226698/2 sandbox/backup/libxml2_2.9.9_20200316 accepted/tizen/base/20200316.043445 submit/tizen_base/20200305.042653 submit/tizen_base/20200309.044758
Zhipeng Xie [Wed, 7 Aug 2019 09:39:17 +0000 (17:39 +0800)]
[CVE-2019-19956] Fix memory leak in xmlParseBalancedChunkMemoryRecover

When doc is NULL, the namespace created in xmlTreeEnsureXMLDecl
is bound to newDoc->oldNs; in this case, setting newDoc->oldNs to
NULL and freeing newDoc causes a memory leak.

Found with libFuzzer.

Closes #82.

Change-Id: I9de145cc666e3791a81bfacb3930d21e624c4a7a
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
4 years ago  Imported Upstream version 2.9.10  upstream/2.9.10
Hyunjee Kim [Thu, 28 Nov 2019 00:41:20 +0000 (09:41 +0900)]
Imported Upstream version 2.9.10

4 years ago  Bump to libxml2 2.9.9  accepted/tizen/base/20200121.054156 submit/tizen_base/20191218.070838 submit/tizen_base/20191230.013826 submit/tizen_base/20200109.060218 submit/tizen_base/20200113.234329
Hyunjee Kim [Fri, 18 Oct 2019 04:48:05 +0000 (13:48 +0900)]
Bump to libxml2 2.9.9

Change-Id: Ib452868b90532148d42059317894a883e3fb42e5
Signed-off-by: Hyunjee Kim <hj0426.kim@samsung.com>
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
4 years ago  Imported Upstream version 2.9.9  upstream/2.9.9
DongHun Kwak [Thu, 10 Oct 2019 05:47:48 +0000 (14:47 +0900)]
Imported Upstream version 2.9.9

4 years ago  Imported Upstream version 2.9.8  upstream/2.9.8
DongHun Kwak [Thu, 10 Oct 2019 05:47:39 +0000 (14:47 +0900)]
Imported Upstream version 2.9.8

6 years ago  Imported Upstream version 2.9.7  42/161342/1 upstream/2.9.7
DongHun Kwak [Thu, 23 Nov 2017 02:22:54 +0000 (11:22 +0900)]
Imported Upstream version 2.9.7

Change-Id: I9ae5434978bd98bb49d072dc066e149cbac06842
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago  Imported Upstream version 2.9.6  72/156072/1 upstream/2.9.6
DongHun Kwak [Tue, 17 Oct 2017 05:43:14 +0000 (14:43 +0900)]
Imported Upstream version 2.9.6

Change-Id: I5c98bedf617f60e9e5c5883c0a028c2733b361d0
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago  Imported Upstream version 2.9.6_rc1  71/156071/1
DongHun Kwak [Tue, 17 Oct 2017 05:42:37 +0000 (14:42 +0900)]
Imported Upstream version 2.9.6_rc1

Change-Id: I5dcb0df63b566606727a5902d819550ce253f54c
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago  Imported Upstream version 2.9.5  70/156070/1
DongHun Kwak [Tue, 17 Oct 2017 05:42:10 +0000 (14:42 +0900)]
Imported Upstream version 2.9.5

Change-Id: I26aba6b2cafb1d9429b90886c5270887df23ef57
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago  Imported Upstream version 2.9.5_rc2  69/156069/1
DongHun Kwak [Tue, 17 Oct 2017 05:41:39 +0000 (14:41 +0900)]
Imported Upstream version 2.9.5_rc2

Change-Id: I1713fddeb3c21d510a0194abdf5d37d5674780c2
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
6 years ago  Imported Upstream version 2.9.5_rc1  68/156068/1
DongHun Kwak [Tue, 17 Oct 2017 05:41:01 +0000 (14:41 +0900)]
Imported Upstream version 2.9.5_rc1

Change-Id: I8601bce726b46c3afa400a74689dfa004cae0501
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
8 years ago  Imported Upstream version 2.9.4  37/74637/1 upstream/2.9.4
DongHun Kwak [Wed, 15 Jun 2016 05:06:40 +0000 (14:06 +0900)]
Imported Upstream version 2.9.4

Change-Id: Ia77571980e4b0410bb3314b12af5a9e5bf732a38
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
8 years ago  Imported Upstream version 2.9.2  14/52514/1 upstream/2.9.2
DongHun Kwak [Mon, 23 Nov 2015 11:28:27 +0000 (20:28 +0900)]
Imported Upstream version 2.9.2

Change-Id: I82eaee9a90ae71ea3d3c6151e275ad34ed6ea919
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
9 years ago  Imported Upstream version 2.9.1  upstream/2.9.1
xroche [Fri, 7 Nov 2014 16:26:44 +0000 (17:26 +0100)]
Imported Upstream version 2.9.1

11 years ago  Imported Upstream version 2.8.0  upstream/2.8.0
Anas Nashif [Wed, 7 Nov 2012 16:49:28 +0000 (08:49 -0800)]
Imported Upstream version 2.8.0