From f48271abbbd1ae5263d136a812fc16cc41f3073a Mon Sep 17 00:00:00 2001
From: Luk Claes
Date: Fri, 30 Dec 2011 18:30:00 +0100
Subject: Fix off by one error. CVE-2011-0216.

---
 encoding.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/encoding.c b/encoding.c
index d1140bf..e150867 100644
--- a/encoding.c
+++ b/encoding.c
@@ -1928,7 +1928,7 @@ xmlCharEncFirstLineInt(xmlCharEncodingHandler *handler, xmlBufferPtr out,
 if (in == NULL) return(-1);
 
 /* calculate space available */
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
 toconv = in->use;
 /*
 * echo '' | wc -c => 38
@@ -2059,7 +2059,7 @@ xmlCharEncInFunc(xmlCharEncodingHandler * handler, xmlBufferPtr out,
 toconv = in->use;
 if (toconv == 0)
 return (0);
- written = out->size - out->use;
+ written = out->size - out->use - 1; /* count '\0' */
 if (toconv * 2 >= written) {
 xmlBufferGrow(out, out->size + toconv * 2);
 written = out->size - out->use - 1;
-- 
cgit v1.2.3

From 70ef05d469c29fd87192c4636d33898283fff33c Mon Sep 17 00:00:00 2001
From: Luk Claes
Date: Fri, 30 Dec 2011 18:30:01 +0100
Subject: Make sure parser returns when getting a Stop order. CVE-2011-3905.

---
 parser.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/parser.c b/parser.c
index d1c7888..ef00f42 100644
--- a/parser.c
+++ b/parser.c
@@ -4949,7 +4949,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
 (ctxt->sax->processingInstruction != NULL))
 ctxt->sax->processingInstruction(ctxt->userData,
 target, NULL);
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
 return;
 }
 buf = (xmlChar *) xmlMallocAtomic(size * sizeof(xmlChar));
@@ -5029,7 +5030,8 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
 } else {
 xmlFatalErr(ctxt, XML_ERR_PI_NOT_STARTED, NULL);
 }
- ctxt->instate = state;
+ if (ctxt->instate != XML_PARSER_EOF)
+ ctxt->instate = state;
 }
 }
 
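Review bot: The new expression `written = out->size - out->use - 1` in xmlCharEncFirstLineInt, and the identical one in the xmlCharEncInFunc hunk at @@ -2059, wraps when the buffer is already full (`out->size == out->use`) if `size` and `use` are unsigned, which their declarations outside the hunk would need to confirm. When `written` is a signed int the wrap lands on -1 and the `toconv * 2 >= written` test visible in the second hunk still forces a grow, but if `written` is unsigned that test is skipped and the conversion runs with a huge bound; a type-independent form is `written = (out->use < out->size) ? out->size - out->use - 1 : 0;`, which makes the full-buffer case take the grow path. The terse `/* count '\0' */` would read better as `/* reserve one byte for the buffer's terminating NUL */`. Both enclosing functions start and end outside these hunks.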
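Review bot: The new guard `if (ctxt->instate != XML_PARSER_EOF)` before restoring `state`, here and again in the hunk at @@ -5029, carries no explanation of why the EOF state must survive; the context shows the SAX processingInstruction callback running just before the first restore, and presumably a callback that stops the parser is what sets that state, so the intent deserves a comment such as `/* a SAX callback may have stopped the parser: never overwrite XML_PARSER_EOF */`. Both new ifs take an unbraced single statement; bracing them matches the `} else { ... }` style visible in the second hunk and avoids the dangling-statement slip. xmlParsePI starts and ends outside these hunks, so any other `ctxt->instate = state;` restore in the function that is not visible here would need the same guard.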
@@ -9588,6 +9590,8 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
 else
 name = xmlParseStartTag(ctxt);
 #endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ return;
 if (name == NULL) {
 spacePop(ctxt);
 return;
@@ -10967,6 +10971,8 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
 else
 name = xmlParseStartTag(ctxt);
 #endif /* LIBXML_SAX1_ENABLED */
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto done;
 if (name == NULL) {
 spacePop(ctxt);
 ctxt->instate = XML_PARSER_EOF;
@@ -11153,7 +11159,9 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
 else
 xmlParseEndTag1(ctxt, 0);
 #endif /* LIBXML_SAX1_ENABLED */
- if (ctxt->nameNr == 0) {
+ if (ctxt->instate == XML_PARSER_EOF) {
+ /* Nothing */
+ } else if (ctxt->nameNr == 0) {
 ctxt->instate = XML_PARSER_EPILOG;
 } else {
 ctxt->instate = XML_PARSER_CONTENT;
-- 
cgit v1.2.3

From b4af3ef034e84af1c5d95391d9aa9eab608c43f5 Mon Sep 17 00:00:00 2001
From: Luk Claes
Date: Fri, 30 Dec 2011 18:31:31 +0100
Subject: Release 2.7.8.dfsg-5.1

---
 debian/changelog | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 19017e2..ca2c9b8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libxml2 (2.7.8.dfsg-5.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * encoding.c: Fix off by one error. CVE-2011-0216.
+ * parser.c: Make sure parser returns when getting a Stop order. CVE-2011-3905.
+ * Both closes: #652352.
+
+ -- Luk Claes Fri, 30 Dec 2011 18:31:13 +0100
+
 libxml2 (2.7.8.dfsg-5) unstable; urgency=low
 
 * xpath.c, xpointer.c, include/libxml/xpath.h: Hardening of XPath evaluation.
-- 
cgit v1.2.3
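Review bot: The new early `return` in xmlParseElement, and the `goto done` in the xmlParseTryOrFinish hunk at @@ -10971, skip the `spacePop(ctxt)` that the adjacent `name == NULL` path performs before leaving, which suggests a matching push precedes both hunks outside the visible lines; if that push is unconditional the space stack is left one entry deeper whenever the parser is stopped inside the start tag. Whether that matters once `instate` is XML_PARSER_EOF depends on how the context is torn down, which is not visible here; either confirm it or pop before bailing out, e.g. `if (ctxt->instate == XML_PARSER_EOF) { spacePop(ctxt); return; }`. The bare state comparison wedged between the start-tag parse call and the NULL check also deserves a one-line why, such as `/* the start-tag parse may have halted the parser (stop order); do not continue */`. Both enclosing functions start and end outside the hunks.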
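Review bot: The empty `if (ctxt->instate == XML_PARSER_EOF) { /* Nothing */ }` branch reads as a placeholder; the same effect is clearer as one guarded assignment, `if (ctxt->instate != XML_PARSER_EOF) ctxt->instate = (ctxt->nameNr == 0) ? XML_PARSER_EPILOG : XML_PARSER_CONTENT;`. The earlier hunk in the same function at @@ -10971 leaves with `goto done` on the same condition; if the code after this if/else merely falls into the next loop iteration, using `goto done` here too would keep the two stop-handling paths consistent, but that depends on what follows outside the hunk. xmlParseTryOrFinish starts and ends outside the hunk.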