diff options
Diffstat (limited to 'textproc/libxml2/patches/patch-buf.c')
-rw-r--r-- | textproc/libxml2/patches/patch-buf.c | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/textproc/libxml2/patches/patch-buf.c b/textproc/libxml2/patches/patch-buf.c new file mode 100644 index 00000000000..3f7cf8fb2bd --- /dev/null +++ b/textproc/libxml2/patches/patch-buf.c @@ -0,0 +1,94 @@ +$NetBSD: patch-buf.c,v 1.1 2015/04/24 11:32:29 spz Exp $ + +patch for CVE-2015-1819 Enforce the reader to run in constant memory +from https://git.gnome.org/browse/libxml2/commit/?id=213f1fe0d76d30eaed6e5853057defc43e6df2c9 +part 1 + +--- buf.c.orig 2014-10-13 08:01:31.000000000 +0000 ++++ buf.c +@@ -27,6 +27,7 @@ + #include <libxml/tree.h> + #include <libxml/globals.h> + #include <libxml/tree.h> ++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -738,7 +752,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + return(0); + CHECK_COMPAT(buf) + +- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +889,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar * + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +969,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlCh + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; |