author | he <he@pkgsrc.org> | 2015-07-03 18:55:46 +0000 |
---|---|---|
committer | he <he@pkgsrc.org> | 2015-07-03 18:55:46 +0000 |
commit | 76073c28f6c52635e35f5a50391458bceaf7a9f5 (patch) | |
tree | 5aa3c3127543bb630601c0d00a0be6bfbfe92848 /textproc | |
parent | 4a5dbca4ba81c6822ea1f88b2bd7efa1520d54b3 (diff) | |
download | pkgsrc-76073c28f6c52635e35f5a50391458bceaf7a9f5.tar.gz |
Apply the patch for arbitrary-memory-access vulnerability as reported
in https://bugzilla.gnome.org/show_bug.cgi?id=746048.
Bump PKGREVISION.
Diffstat (limited to 'textproc')
-rw-r--r-- | textproc/libxml2/Makefile | 4 | ||||
-rw-r--r-- | textproc/libxml2/distinfo | 3 | ||||
-rw-r--r-- | textproc/libxml2/patches/patch-HTMLparser.c | 90 |
3 files changed, 94 insertions, 3 deletions
diff --git a/textproc/libxml2/Makefile b/textproc/libxml2/Makefile
index cf738dd7b97..608e261538f 100644
--- a/textproc/libxml2/Makefile
+++ b/textproc/libxml2/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.137 2015/04/24 11:32:29 spz Exp $
+# $NetBSD: Makefile,v 1.138 2015/07/03 18:55:46 he Exp $
 
 DISTNAME= libxml2-2.9.2
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= textproc
 MASTER_SITES= ftp://xmlsoft.org/libxml2/ \
 http://xmlsoft.org/sources/
diff --git a/textproc/libxml2/distinfo b/textproc/libxml2/distinfo
index 6c166d1787f..eefc57bee35 100644
--- a/textproc/libxml2/distinfo
+++ b/textproc/libxml2/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.106 2015/04/24 11:32:29 spz Exp $
+$NetBSD: distinfo,v 1.107 2015/07/03 18:55:46 he Exp $
 
 SHA1 (libxml2-2.9.2.tar.gz) = f46a37ea6d869f702e03f393c376760f3cbee673
 RMD160 (libxml2-2.9.2.tar.gz) = 969b4ed8782f455fd4a6ca1c1b4ffa7651090070
 Size (libxml2-2.9.2.tar.gz) = 5444991 bytes
+SHA1 (patch-HTMLparser.c) = 46e062001d8c7688f9c938741dbd53e917169d1f
 SHA1 (patch-aa) = 7d1213079cc78c9a28476c49f1283ab1c6af3b34
 SHA1 (patch-ab) = bf8983fcde35edf0e450209bf07f0fa628f7bd9e
 SHA1 (patch-ac) = 015a5903a86793bd770f16f251b94e5b2562b3f7
diff --git a/textproc/libxml2/patches/patch-HTMLparser.c b/textproc/libxml2/patches/patch-HTMLparser.c
new file mode 100644
index 00000000000..7ca54520837
--- /dev/null
+++ b/textproc/libxml2/patches/patch-HTMLparser.c
@@ -0,0 +1,90 @@
+$NetBSD: patch-HTMLparser.c,v 1.1 2015/07/03 18:55:46 he Exp $
+
+Suggested patch for arbitrary-memory-access vulnerability, from
+https://bugzilla.gnome.org/show_bug.cgi?id=746048
+
+--- HTMLparser.c.orig 2014-10-06 10:48:11.000000000 +0000
++++ HTMLparser.c
+@@ -3245,13 +3245,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ ctxt->instate = state;
+ return;
+ }
++ if ((ctxt->input->end - ctxt->input->cur) < 3) {
++ ctxt->instate = XML_PARSER_EOF;
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated\n", NULL, NULL);
++ xmlFree(buf);
++ return;
++ }
+ q = CUR_CHAR(ql);
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+ len = 0;
+- while (IS_CHAR(cur) &&
++ while (((ctxt->input->end - ctxt->input->cur) > 0) && IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+ if (len + 5 >= size) {
+@@ -3281,7 +3288,7 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
++ if (!(ctxt->input->end - ctxt->input->cur) || !IS_CHAR(cur)) {
+ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment not terminated \n<!--%.50s\n", buf, NULL);
+ xmlFree(buf);
+@@ -4465,6 +4472,7 @@ htmlParseContentInternal(htmlParserCtxtP
+ depth = ctxt->nameNr;
+ while (1) {
+ long cons = ctxt->nbChars;
++ long rem = ctxt->input->end - ctxt->input->cur;
+
+ GROW;
+
+@@ -4540,7 +4548,7 @@ htmlParseContentInternal(htmlParserCtxtP
+ /*
+ * Sometimes DOCTYPE arrives in the middle of the document
+ */
+- if ((CUR == '<') && (NXT(1) == '!') &&
++ if ((rem >= 9) && (CUR == '<') && (NXT(1) == '!') &&
+ (UPP(2) == 'D') && (UPP(3) == 'O') &&
+ (UPP(4) == 'C') && (UPP(5) == 'T') &&
+ (UPP(6) == 'Y') && (UPP(7) == 'P') &&
+@@ -4554,7 +4562,7 @@ htmlParseContentInternal(htmlParserCtxtP
+ /*
+ * First case : a comment
+ */
+- if ((CUR == '<') && (NXT(1) == '!') &&
++ if ((rem >= 4) && (CUR == '<') && (NXT(1) == '!') &&
+ (NXT(2) == '-') && (NXT(3) == '-')) {
+ htmlParseComment(ctxt);
+ }
+@@ -4562,14 +4570,14 @@ htmlParseContentInternal(htmlParserCtxtP
+ /*
+ * Second case : a Processing Instruction.
+ */
+- else if ((CUR == '<') && (NXT(1) == '?')) {
++ else if ((rem >= 2) && (CUR == '<') && (NXT(1) == '?')) {
+ htmlParsePI(ctxt);
+ }
+
+ /*
+ * Third case : a sub-element.
+ */
+- else if (CUR == '<') {
++ else if ((rem >= 1) && (CUR == '<')) {
+ htmlParseElementInternal(ctxt);
+ if (currentNode != NULL) xmlFree(currentNode);
+
+@@ -4581,7 +4589,7 @@ htmlParseContentInternal(htmlParserCtxtP
+ * Fourth case : a reference. If if has not been resolved,
+ * parsing returns it's Name, create the node
+ */
+- else if (CUR == '&') {
++ else if ((rem >= 1) && (CUR == '&')) {
+ htmlParseReference(ctxt);
+ }
+
|
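Review bot: In the htmlParseContentInternal hunk at -4465, `rem` is taken from `ctxt->input->end - ctxt->input->cur` before `GROW;` runs, yet every guard added further down (`rem >= 9`, `rem >= 4`, `rem >= 2`, `rem >= 1`) tests that earlier snapshot rather than the bytes actually behind `CUR`/`NXT()`. GROW and the code between it and the guards are outside the visible hunks, so this is hedged: if GROW refills or moves the input buffer, a `<!--` or DOCTYPE that only becomes complete after the refill would fall through to a later branch, and if anything in between consumes input the bound would be too generous. Declaring `long rem;` with the other locals and assigning `rem = ctxt->input->end - ctxt->input->cur;` directly after `GROW;` ties the bound to the pointers that are dereferenced. In htmlParseComment the post-loop test is written `!(ctxt->input->end - ctxt->input->cur)`, which is true only for exactly zero, while the loop condition uses `> 0`; writing it as `(ctxt->input->end - ctxt->input->cur) <= 0` would keep the two consistent and still report the unterminated comment if `cur` ever ends up past `end`.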