authorAndrew Shadura <bugzilla@tut.by>2012-01-09 11:06:33 +0300
committerAndrew Shadura <bugzilla@tut.by>2012-01-09 11:06:33 +0300
commita8052e0399d1169ba919f75678a3a7cee733f7d8 (patch)
treea71269b4e3eba210ec76f042a6403f00fe9c85b2
parent899ee095d980f49d84de15cdbcfaadb1f65e10ec (diff)
parentb4af3ef034e84af1c5d95391d9aa9eab608c43f5 (diff)
downloadlibxml2-a8052e0399d1169ba919f75678a3a7cee733f7d8.tar.gz
merge
-rw-r--r--debian/changelog10
-rw-r--r--encoding.c4
-rw-r--r--parser.c14
3 files changed, 23 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 19017e2..ca2c9b8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.7.8.dfsg-5.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * encoding.c: Fix off by one error. CVE-2011-0216.
+ * parser.c: Make sure parser returns when getting a Stop order.
+ CVE-2011-3905.
+ * Both closes: #652352.
+
+ -- Luk Claes <luk@debian.org> Fri, 30 Dec 2011 18:31:13 +0100
+
libxml2 (2.7.8.dfsg-5) unstable; urgency=low
* xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation.
diff --git a/encoding.c b/encoding.c
index d1140bf..e150867 100644
--- a/encoding.c
+++ b/encoding.c
@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out,
if (in == NULL) return(-1);
/* calculate space available */
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
toconv = in->use;
/*
* echo '<?xml version="1.0" encoding="UCS4"?>' | wc -c => 38
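Review bot: The terminator reservation `written = out->size - out->use - 1` is now spelled out in three places — here, at the same position in xmlCharEncInFunc (line 2062), and again after the xmlBufferGrow call there — and none of them handles a buffer that is already full: with the unsigned `size` and `use` of xmlBuffer the subtraction wraps when `use == size` and lands in the int `written` as -1. A file-scope helper would keep the three sites in step and make the empty case explicit: `static int xmlBufferAvail(xmlBufferPtr out) { return (out->use >= out->size) ? 0 : (int)(out->size - out->use - 1); }`. As far as the second hunk shows, the following `toconv * 2 >= written` test still grows the buffer for a negative value, so this is a clarity and robustness point rather than a regression. xmlCharEncFirstLineInt's body starts and ends outside the hunk.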
@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out,
toconv = in->use;
if (toconv == 0)
return (0);
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
if (toconv * 2 >= written) {
xmlBufferGrow(out, out->size + toconv * 2);
written = out->size - out->use - 1;
diff --git a/parser.c b/parser.c
index d1c7888..ef00f42 100644
--- a/parser.c
+++ b/parser.c
@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
(ctxt->sax->processingInstruction != NULL))
ctxt->sax->processingInstruction(ctxt->userData,
target, NULL);
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
return;
}
buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
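Review bot: The new guard `if (ctxt->instate != XML_PARSER_EOF) ctxt->instate = state;` leaves its single-statement body unbraced and does not say why restoring the saved state is now conditional; the second xmlParsePI hunk at line 5033 has the same shape. I would brace both and record the reason the changelog gives: `/* the processingInstruction callback may have stopped the parser; keep XML_PARSER_EOF */ if (ctxt->instate != XML_PARSER_EOF) { ctxt->instate = state; }`. Presumably the stop order arrives through xmlStopParser() from the SAX callback invoked just above, which is what the check is protecting. xmlParsePI's body starts and ends outside the hunk.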
@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
} else {
xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
}
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
}
}
@@ -9588,6 +9590,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
else
name = xmlParseStartTag(ctxt);
#endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
if (name == NULL) {
spacePop(ctxt);
return;
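Review bot: The early `return` on `XML_PARSER_EOF` runs before the `name == NULL` branch and therefore skips the `spacePop(ctxt)` that branch performs; if that pop balances a push made before the start tag is parsed (above the hunk), the space stack is left one entry deep on the stop path. That is harmless as long as nothing is parsed after EOF, but it should be deliberate — either `if (ctxt->instate == XML_PARSER_EOF) { spacePop(ctxt); return; }` if the pop is safe there, or a comment stating that the stack is abandoned once the parser has been stopped. The `goto done` added in xmlParseTryOrFinish at line 10974 has the same shape, and its `done` label lies outside that hunk. xmlParseElement's body starts and ends outside the hunk.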
@@ -10967,6 +10971,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
else
name = xmlParseStartTag(ctxt);
#endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto done;
if (name == NULL) {
spacePop(ctxt);
ctxt->instate = XML_PARSER_EOF;
@@ -11153,7 +11159,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
else
xmlParseEndTag1(ctxt, 0);
#endif /* LIBXML_SAX1_ENABLED */
- if (ctxt->nameNr == 0) {
+ if (ctxt->instate == XML_PARSER_EOF) {
+ /* Nothing */
+ } else if (ctxt->nameNr == 0) {
ctxt->instate = XML_PARSER_EPILOG;
} else {
ctxt->instate = XML_PARSER_CONTENT;
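Review bot: The `if (ctxt->instate == XML_PARSER_EOF) { /* Nothing */ } else if ...` chain introduces an empty first branch only to suppress the state update; inverting the test reads more directly and states what it protects: `/* a SAX callback fired by the end tag may have stopped the parser; leave XML_PARSER_EOF alone */ if (ctxt->instate != XML_PARSER_EOF) ctxt->instate = (ctxt->nameNr == 0) ? XML_PARSER_EPILOG : XML_PARSER_CONTENT;`. Behaviour is unchanged, and the reason for the check is no longer left to the reader. The enclosing case body of xmlParseTryOrFinish continues outside the hunk.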