From 86a01ff28cbe9bc4bb5f567544c9c3bc2d32169c Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Fri, 11 Jan 2008 21:10:20 +0000 Subject: * Fix CVE-2007-6284 --- autogen.sh | 0 config.sub | 14 +++----------- debian/changelog | 6 ++++++ debian/rules | 0 parserInternals.c | 16 ++++++++++++++-- 5 files changed, 23 insertions(+), 13 deletions(-) mode change 100755 => 100644 autogen.sh mode change 100755 => 100644 debian/rules diff --git a/autogen.sh b/autogen.sh old mode 100755 new mode 100644 diff --git a/config.sub b/config.sub index fab0aa3..387c18d 100755 --- a/config.sub +++ b/config.sub @@ -4,7 +4,7 @@ # 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, # Inc. -timestamp='2006-09-20' +timestamp='2006-07-02' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -276,7 +276,6 @@ case $basic_machine in | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | score \ | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ @@ -285,7 +284,7 @@ case $basic_machine in | tahoe | thumb | tic4x | tic80 | tron \ | v850 | v850e \ | we32k \ - | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \ | z8k) basic_machine=$basic_machine-unknown ;; @@ -368,7 +367,7 @@ case $basic_machine in | tron-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \ | xstormy16-* | xtensa-* \ | ymp-* \ | z8k-*) @@ -910,10 +909,6 @@ case $basic_machine in sb1el) basic_machine=mipsisa64sb1el-unknown ;; - sde) - basic_machine=mipsisa32-sde - os=-elf - ;; sei) basic_machine=mips-sei os=-seiux 
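Review bot: The new lead-byte test `((c & 0x40) == 0) || (c == 0xC0)` and the three minimum-value checks in the next hunk (`val < 0x10000`, `val < 0x800`, `val < 0x80`) carry no comment, so a later maintainer cannot tell why these constants were chosen or that they belong to the CVE-2007-6284 fix. I would put `/* 10xxxxxx is a continuation byte and cannot start a sequence */` above the lead-byte test and `/* reject overlong form: the value fits in a shorter encoding */` above each minimum-value check. With the 2-byte check `val < 0x80` in place, the explicit `c == 0xC0` case looks redundant, because a 0xC0 or 0xC1 lead byte can only produce values below 0x80; keeping it is harmless, but the comment should say it is an early exit. The body of xmlCurrentChar starts and ends outside both hunks, so the `encoding_error` path these checks jump to is not visible here.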
@@ -1371,9 +1366,6 @@ else # system, and we'll never get to this point. case $basic_machine in - score-*) - os=-elf - ;; spu-*) os=-elf ;; diff --git a/debian/changelog b/debian/changelog index 7c98787..40beca2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libxml2 (2.6.27.dfsg-2) stable-security; urgency=high + + * Fix CVE-2007-6284 + + -- Moritz Muehlenhoff Fri, 11 Jan 2008 21:10:20 +0000 + libxml2 (2.6.27.dfsg-1) unstable; urgency=low * New "huge bug fixes list" upstream release. diff --git a/debian/rules b/debian/rules old mode 100755 new mode 100644 diff --git a/parserInternals.c b/parserInternals.c index f4da58d..3560f50 100644 --- a/parserInternals.c +++ b/parserInternals.c @@ -638,14 +638,13 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) { c = *cur; if (c & 0x80) { - if (c == 0xC0) + if (((c & 0x40) == 0) || (c == 0xC0)) goto encoding_error; if (cur[1] == 0) xmlParserInputGrow(ctxt->input, INPUT_CHUNK); if ((cur[1] & 0xc0) != 0x80) goto encoding_error; if ((c & 0xe0) == 0xe0) { - if (cur[2] == 0) xmlParserInputGrow(ctxt->input, INPUT_CHUNK); if ((cur[2] & 0xc0) != 0x80) @@ -662,18 +661,24 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) { val |= (cur[1] & 0x3f) << 12; val |= (cur[2] & 0x3f) << 6; val |= cur[3] & 0x3f; + if (val < 0x10000) + goto encoding_error; } else { /* 3-byte code */ *len = 3; val = (cur[0] & 0xf) << 12; val |= (cur[1] & 0x3f) << 6; val |= cur[2] & 0x3f; + if (val < 0x800) + goto encoding_error; } } else { /* 2-byte code */ *len = 2; val = (cur[0] & 0x1f) << 6; val |= cur[1] & 0x3f; + if (val < 0x80) + goto encoding_error; } if (!IS_CHAR(val)) { xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, 
@@ -683,6 +688,13 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) { } else { /* 1-byte code */ *len = 1; + if (*ctxt->input->cur == 0) + xmlParserInputGrow(ctxt->input, INPUT_CHUNK); + if ((*ctxt->input->cur == 0) && + (ctxt->input->end > ctxt->input->cur)) { + xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR, + "Char 0x%X out of allowed range\n", val); + } if (*ctxt->input->cur == 0xD) { if (ctxt->input->cur[1] == 0xA) { ctxt->nbChars++; -- cgit v1.2.3
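Review bot: The added `xmlErrEncodingInt(...)` call passes `val`, but nothing visible assigns `val` on the 1-byte path; the assignments in the previous hunk all sit inside the 2-, 3- and 4-byte branches. Unless the declaration (outside this hunk) carries an initializer, the message is formatted from an indeterminate value. The byte being reported is known to be zero at this point, so the call can state that directly: `"Char 0x0 out of allowed range\n", 0);`. Note also that after reporting the embedded NUL the code falls through to the `0xD` test instead of leaving the function, and whether the caller then stops on the zero byte cannot be confirmed from this hunk.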