author | drochner <drochner@pkgsrc.org> | 2012-08-01 14:51:37 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2012-08-01 14:51:37 +0000 |
commit | 5b74424c11e780901cfb7dc0662120ac5c4e5e6c (patch) | |
tree | f3bb3bace229057e12cf2eac0d2415362b3ae839 | |
parent | 25e351dd440b090f1cd74694ba3e17a8501c0c2b (diff) | |
download | pkgsrc-5b74424c11e780901cfb7dc0662120ac5c4e5e6c.tar.gz |
add patches from upstream to fix integer overflows which can cause
DOS or possibly other corruption (CVE-2012-2807)
bump PKGREV
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 4 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-ba | 255 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-bb | 93 |
4 files changed, 353 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile index 2f267c3504b..cc8610b0fcf 100644 --- a/textproc/libxml2/Makefile +++ b/textproc/libxml2/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.118 2012/06/14 07:39:36 sbd Exp $ +# $NetBSD: Makefile,v 1.119 2012/08/01 14:51:37 drochner Exp $ DISTNAME= libxml2-2.8.0 -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= textproc MASTER_SITES= ftp://xmlsoft.org/libxml2/ \ http://xmlsoft.org/sources/ diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo index d039617c2a4..c5fd38e2a16 100644 --- a/textproc/libxml2/distinfo +++ b/textproc/libxml2/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.93 2012/06/03 22:18:33 wiz Exp $ +$NetBSD: distinfo,v 1.94 2012/08/01 14:51:37 drochner Exp $ SHA1 (libxml2-2.8.0.tar.gz) = a0c553bd51ba79ab6fff26dc700004c6a41f5250 RMD160 (libxml2-2.8.0.tar.gz) = 45820c9f4939f642a87be9259c55fd081ea6759a @@ -11,5 +11,7 @@ SHA1 (patch-ae) = b8d8e0275cab3caafd98275ac22b63951fc4b5fd SHA1 (patch-ag) = 30ec5c8daece4aba75a02bbc13db5373542dea7b SHA1 (patch-aj) = faa126261b388aeed3a83c4d9c0b127629dd93ab SHA1 (patch-am) = ae7ab69b7bba2271d2d996161cc8b9956d0b06fa +SHA1 (patch-ba) = 0866f7a4f9639b2b9c50b4c4cb30d5445f453adc +SHA1 (patch-bb) = 1a5d07c618db2ad56b3b4f39f54bd3d0d4a37403 SHA1 (patch-testapi.c) = 63a0a34c8ca98d9214c4d3391e97d9a9ca4569f8 SHA1 (patch-threads.c) = 38bf7d702c21057795eec88d4e239b5df598382d diff --git a/textproc/libxml2/patches/patch-ba b/textproc/libxml2/patches/patch-ba new file mode 100644 index 00000000000..243ecf69859 --- /dev/null +++ b/textproc/libxml2/patches/patch-ba 
@@ -0,0 +1,255 @@ +$NetBSD: patch-ba,v 1.1 2012/08/01 14:51:37 drochner Exp $ + +upstream commit 459eeb9dc752d5185f57ff6b135027f11981a626 +for CVE-2012-2807 + +--- parser.c.orig 2012-05-18 07:30:30.000000000 +0000 ++++ parser.c +@@ -40,6 +40,7 @@ + #endif + + #include <stdlib.h> ++#include <limits.h> + #include <string.h> + #include <stdarg.h> + #include <libxml/xmlmemory.h> +@@ -117,10 +118,10 @@ xmlCreateEntityParserCtxtInternal(const + * parser option. + */ + static int +-xmlParserEntityCheck(xmlParserCtxtPtr ctxt, unsigned long size, ++xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, + xmlEntityPtr ent) + { +- unsigned long consumed = 0; ++ size_t consumed = 0; + + if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE)) + return (0); +@@ -2589,15 +2590,17 @@ xmlParserHandlePEReference(xmlParserCtxt + + /* + * Macro used to grow the current buffer. ++ * buffer##_size is expected to be a size_t ++ * mem_error: is expected to handle memory allocation failures + */ + #define growBuffer(buffer, n) { \ + xmlChar *tmp; \ +- buffer##_size *= 2; \ +- buffer##_size += n; \ +- tmp = (xmlChar *) \ +- xmlRealloc(buffer, buffer##_size * sizeof(xmlChar)); \ ++ size_t new_size = buffer##_size * 2 + n; \ ++ if (new_size < buffer##_size) goto mem_error; \ ++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ + if (tmp == NULL) goto mem_error; \ + buffer = tmp; \ ++ buffer##_size = new_size; \ + } + + /** +@@ -2623,14 +2626,14 @@ xmlChar * + xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + int what, xmlChar end, xmlChar end2, xmlChar end3) { + xmlChar *buffer = NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; ++ size_t nbchars = 0; + + xmlChar *current = NULL; + xmlChar *rep = NULL; + const xmlChar *last; + xmlEntityPtr ent; + int c,l; +- int nbchars = 0; + + if ((ctxt == NULL) || (str == NULL) || (len < 0)) + return(NULL); +@@ -2647,7 +2650,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + * allocate a translation buffer. 
+ */ + buffer_size = XML_PARSER_BIG_BUFFER_SIZE; +- buffer = (xmlChar *) xmlMallocAtomic(buffer_size * sizeof(xmlChar)); ++ buffer = (xmlChar *) xmlMallocAtomic(buffer_size); + if (buffer == NULL) goto mem_error; + + /* +@@ -2667,7 +2670,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + if (val != 0) { + COPY_BUF(0,buffer,nbchars,val); + } +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } else if ((c == '&') && (what & XML_SUBSTITUTE_REF)) { +@@ -2685,7 +2688,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { + if (ent->content != NULL) { + COPY_BUF(0,buffer,nbchars,ent->content[0]); +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } else { +@@ -2702,8 +2705,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + current = rep; + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; +- if (nbchars > +- buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent)) + goto int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); +@@ -2717,7 +2719,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + const xmlChar *cur = ent->name; + + buffer[nbchars++] = '&'; +- if (nbchars > buffer_size - i - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + i + XML_PARSER_BUFFER_SIZE > buffer_size) { + growBuffer(buffer, i + XML_PARSER_BUFFER_SIZE); + } + for (;i > 0;i--) +@@ -2745,8 +2747,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt + current = rep; + while (*current != 0) { /* non input consuming loop */ + buffer[nbchars++] = *current++; +- if (nbchars > +- buffer_size - XML_PARSER_BUFFER_SIZE) { ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { + if (xmlParserEntityCheck(ctxt, nbchars, ent)) + goto 
int_error; + growBuffer(buffer, XML_PARSER_BUFFER_SIZE); +@@ -2759,8 +2760,8 @@ xmlStringLenDecodeEntities(xmlParserCtxt + } else { + COPY_BUF(l,buffer,nbchars,c); + str += l; +- if (nbchars > buffer_size - XML_PARSER_BUFFER_SIZE) { +- growBuffer(buffer, XML_PARSER_BUFFER_SIZE); ++ if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { ++ growBuffer(buffer, XML_PARSER_BUFFER_SIZE); + } + } + if (str < last) +@@ -3764,8 +3765,8 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + xmlChar limit = 0; + xmlChar *buf = NULL; + xmlChar *rep = NULL; +- int len = 0; +- int buf_size = 0; ++ size_t len = 0; ++ size_t buf_size = 0; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3787,7 +3788,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + * allocate a translation buffer. + */ + buf_size = XML_PARSER_BUFFER_SIZE; +- buf = (xmlChar *) xmlMallocAtomic(buf_size * sizeof(xmlChar)); ++ buf = (xmlChar *) xmlMallocAtomic(buf_size); + if (buf == NULL) goto mem_error; + + /* +@@ -3804,7 +3805,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + + if (val == '&') { + if (ctxt->replaceEntities) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + buf[len++] = '&'; +@@ -3813,7 +3814,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + * The reparsing will be done in xmlStringGetNodeList() + * called by the attribute() function in SAX.c + */ +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + buf[len++] = '&'; +@@ -3823,7 +3824,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + buf[len++] = ';'; + } + } else if (val != 0) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + len += xmlCopyChar(0, &buf[len], val); +@@ -3835,7 +3836,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + ctxt->nbentities += ent->owner; + if ((ent != NULL) && + (ent->etype == XML_INTERNAL_PREDEFINED_ENTITY)) { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + 
if ((ctxt->replaceEntities == 0) && +@@ -3863,7 +3864,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + current++; + } else + buf[len++] = *current++; +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3871,7 +3872,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + rep = NULL; + } + } else { +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + if (ent->content != NULL) +@@ -3899,7 +3900,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + * Just output the reference + */ + buf[len++] = '&'; +- while (len > buf_size - i - 10) { ++ while (len + i + 10 > buf_size) { + growBuffer(buf, i + 10); + } + for (;i > 0;i--) +@@ -3912,7 +3913,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + if ((len != 0) || (!normalize)) { + if ((!normalize) || (!in_space)) { + COPY_BUF(l,buf,len,0x20); +- while (len > buf_size - 10) { ++ while (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3921,7 +3922,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + } else { + in_space = 0; + COPY_BUF(l,buf,len,c); +- if (len > buf_size - 10) { ++ if (len + 10 > buf_size) { + growBuffer(buf, 10); + } + } +@@ -3946,7 +3947,18 @@ xmlParseAttValueComplex(xmlParserCtxtPtr + } + } else + NEXT; +- if (attlen != NULL) *attlen = len; ++ ++ /* ++ * There we potentially risk an overflow, don't allow attribute value of ++ * lenght more than INT_MAX it is a very reasonnable assumption ! ++ */ ++ if (len >= INT_MAX) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue lenght too long\n"); ++ goto mem_error; ++ } ++ ++ if (attlen != NULL) *attlen = (int) len; + return(buf); + + mem_error: diff --git a/textproc/libxml2/patches/patch-bb b/textproc/libxml2/patches/patch-bb new file mode 100644 index 00000000000..d513e563611 --- /dev/null +++ b/textproc/libxml2/patches/patch-bb 
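Review bot: The new `len >= INT_MAX` limit at the end of xmlParseAttValueComplex is applied only after the whole attribute value has been accumulated, and none of the visible `growBuffer(buf, ...)` sites caps `len`, so an oversized value is still buffered in full before it is rejected. Checking the limit where the buffer grows would bound memory use as well as protect the `(int) len` cast. The rejection also leaves through `goto mem_error`, whose body is outside this hunk; if that label reports an allocation failure, the caller would see a memory error on top of XML_ERR_ATTRIBUTE_NOT_FINISHED, so a separate exit that only frees `buf` would be clearer. The message text is misspelled and should read `"AttValue length too long\n"`. Since this file carries upstream commit 459eeb9dc752d5185f57ff6b135027f11981a626, these points are best raised upstream rather than changed locally.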
@@ -0,0 +1,93 @@ +$NetBSD: patch-bb,v 1.1 2012/08/01 14:51:37 drochner Exp $ + +upstream commits 4f9fdc709c4861c390cd84e2ed1fd878b3442e28 +and baaf03f80f817bb34c421421e6cb4d68c353ac9a +related to CVE-2012-2807 + +--- entities.c.orig 2010-02-15 10:58:14.000000000 +0000 ++++ entities.c +@@ -528,13 +528,13 @@ xmlGetDocEntity(xmlDocPtr doc, const xml + * Macro used to grow the current buffer. + */ + #define growBufferReentrant() { \ +- buffer_size *= 2; \ +- buffer = (xmlChar *) \ +- xmlRealloc(buffer, buffer_size * sizeof(xmlChar)); \ +- if (buffer == NULL) { \ +- xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed");\ +- return(NULL); \ +- } \ ++ xmlChar *tmp; \ ++ size_t new_size = buffer_size * 2; \ ++ if (new_size < buffer_size) goto mem_error; \ ++ tmp = (xmlChar *) xmlRealloc(buffer, new_size); \ ++ if (tmp == NULL) goto mem_error; \ ++ buffer = tmp; \ ++ buffer_size = new_size; \ + } + + +@@ -555,7 +555,7 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc + const xmlChar *cur = input; + xmlChar *buffer = NULL; + xmlChar *out = NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; + int html = 0; + + if (input == NULL) return(NULL); +@@ -574,8 +574,8 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc + out = buffer; + + while (*cur != '\0') { +- if (out - buffer > buffer_size - 100) { +- int indx = out - buffer; ++ size_t indx = out - buffer; ++ if (indx + 100 > buffer_size) { + + growBufferReentrant(); + out = &buffer[indx]; +@@ -692,6 +692,11 @@ xmlEncodeEntitiesReentrant(xmlDocPtr doc + } + *out = 0; + return(buffer); ++ ++mem_error: ++ xmlEntitiesErrMemory("xmlEncodeEntitiesReentrant: realloc failed"); ++ xmlFree(buffer); ++ return(NULL); + } + + /** +@@ -709,7 +714,7 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR + const xmlChar *cur = input; + xmlChar *buffer = NULL; + xmlChar *out = NULL; +- int buffer_size = 0; ++ size_t buffer_size = 0; + if (input == NULL) return(NULL); + + /* +@@ -724,8 +729,8 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR + out = buffer; 
+ + while (*cur != '\0') { +- if (out - buffer > buffer_size - 10) { +- int indx = out - buffer; ++ size_t indx = out - buffer; ++ if (indx + 10 > buffer_size) { + + growBufferReentrant(); + out = &buffer[indx]; +@@ -774,6 +779,11 @@ xmlEncodeSpecialChars(xmlDocPtr doc ATTR + } + *out = 0; + return(buffer); ++ ++mem_error: ++ xmlEntitiesErrMemory("xmlEncodeSpecialChars: realloc failed"); ++ xmlFree(buffer); ++ return(NULL); + } + + /** |
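Review bot: growBufferReentrant now requires a `size_t buffer_size` and a `mem_error` label in every function that expands it, but its comment still reads only "Macro used to grow the current buffer."; the growBuffer macro in patch-ba documents exactly this contract. I would add the same two lines to the comment here: `* buffer_size is expected to be a size_t` and `* mem_error: is expected to handle memory allocation failures`. The bodies of xmlEncodeEntitiesReentrant and xmlEncodeSpecialChars lie mostly outside the hunks, so whether their initial allocation-failure paths also reach the new labels cannot be confirmed from here.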