diff options
Diffstat (limited to 'textproc/libxml/patches/patch-parser.c')
-rw-r--r-- | textproc/libxml/patches/patch-parser.c | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/textproc/libxml/patches/patch-parser.c b/textproc/libxml/patches/patch-parser.c new file mode 100644 index 00000000000..59d8af39228 --- /dev/null +++ b/textproc/libxml/patches/patch-parser.c @@ -0,0 +1,81 @@ +$NetBSD: patch-parser.c,v 1.1 2011/09/01 14:29:05 obache Exp $ + +* fixes CVE-2009-2414 and CVE-2009-2616. + +--- parser.c.orig 2001-09-14 14:09:41.000000000 +0000 ++++ parser.c +@@ -5164,11 +5164,15 @@ xmlParseNotationType(xmlParserCtxtPtr ct + "Name expected in NOTATION declaration\n"); + ctxt->wellFormed = 0; + ctxt->disableSAX = 1; +- return(ret); ++ xmlFreeEnumeration(ret); ++ return(NULL); + } + cur = xmlCreateEnumeration(name); + xmlFree(name); +- if (cur == NULL) return(ret); ++ if (cur == NULL) { ++ xmlFreeEnumeration(ret); ++ return(NULL); ++ } + if (last == NULL) ret = last = cur; + else { + last->next = cur; +@@ -5183,9 +5187,8 @@ xmlParseNotationType(xmlParserCtxtPtr ct + "')' required to finish NOTATION declaration\n"); + ctxt->wellFormed = 0; + ctxt->disableSAX = 1; +- if ((last != NULL) && (last != ret)) +- xmlFreeEnumeration(last); +- return(ret); ++ xmlFreeEnumeration(ret); ++ return(NULL); + } + NEXT; + return(ret); +@@ -5236,7 +5239,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr + } + cur = xmlCreateEnumeration(name); + xmlFree(name); +- if (cur == NULL) return(ret); ++ if (cur == NULL) { ++ xmlFreeEnumeration(ret); ++ return(NULL); ++ } + if (last == NULL) ret = last = cur; + else { + last->next = cur; +@@ -5715,13 +5721,22 @@ xmlParseElementChildrenContentDecl + xmlChar *elem; + xmlChar type = 0; + ++ if (ctxt->depth > 128) { ++ ctxt->sax->error(ctxt->userData, ++ "xmlParseElementChildrenContentDecl : depth %d too deep\n", ++ ctxt->depth); ++ return(NULL); ++ } ++ + SKIP_BLANKS; + GROW; + if (RAW == '(') { + /* Recurse on first child */ + NEXT; + SKIP_BLANKS; ++ ctxt->depth++; + cur = ret = xmlParseElementChildrenContentDecl(ctxt); ++ ctxt->depth--; + SKIP_BLANKS; + GROW; + } else { +@@ -5865,7 +5880,9 @@ xmlParseElementChildrenContentDecl + /* Recurse on second child */ + NEXT; + SKIP_BLANKS; ++ ctxt->depth++; + last = xmlParseElementChildrenContentDecl(ctxt); ++ ctxt->depth--; + SKIP_BLANKS; + } else { + elem = xmlParseNameComplex(ctxt); |