From 60959f2b491876199879d97c8ed956eabb0c2e73 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Fri, 14 May 2021 20:09:22 +0200
Subject: [PATCH] lib: Fix accounting of CDATA sections inside of general
entities
---
Changes | 9 +++++----
lib/xmlparse.c | 20 ++++++++++++--------
2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/Changes b/Changes
|
|
index a435999..e62814b 100644
|
|
--- a/Changes
|
|
+++ b/Changes
|
|
@@ -4,7 +4,7 @@ NOTE: We are looking for help with a few things:
|
|
|
|
Release 2.2.9 Wed Septemper 25 2019
|
|
Security fixes:
|
|
- #34 #466 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
|
|
+ #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
|
|
(denial-of-service; flavors targeting CPU time or RAM or both,
|
|
leveraging general entities or parameter entities or both)
|
|
by tracking and limiting the input amplification factor
|
|
@@ -20,18 +20,18 @@ Release 2.2.9 Wed Septemper 25 2019
|
|
-DXML_UNICODE that was introduced with Expat 2.0.1
|
|
|
|
New features:
|
|
- #34 #466 Add two new API functions to further tighten billion laughs
|
|
+ #34 #466 #484 Add two new API functions to further tighten billion laughs
|
|
protection parameters when desired.
|
|
- XML_SetBillionLaughsAttackProtectionMaximumAmplification
|
|
- XML_SetBillionLaughsAttackProtectionActivationThreshold
|
|
Please see file "doc/reference.html" for more details.
|
|
If you ever need to increase the defaults for non-attack XML
|
|
payload, please file a bug report with libexpat.
|
|
- #34 #466 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
|
|
+ #34 #466 #484 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
|
|
and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting
|
|
and entity processing; specific behavior of these values may
|
|
change in the future.
|
|
- #34 #466 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
|
|
+ #34 #466 #484 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
|
|
billion laughs protection parameters when desired.
|
|
If you ever need to increase the defaults for non-attack XML
|
|
payload, please file a bug report with libexpat.
|
|
@@ -54,6 +54,7 @@ Release 2.2.9 Wed Septemper 25 2019
|
|
and
|
|
Clang LeakSan
|
|
JetBrains
|
|
+ OSS-Fuzz
|
|
|
|
Release 2.2.8 Fri Septemper 13 2019
|
|
Security fixes:
|
|
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
|
|
index 3870dfa..64d5dc3 100644
|
|
--- a/lib/xmlparse.c
|
|
+++ b/lib/xmlparse.c
|
|
@@ -448,7 +448,8 @@ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
|
|
XML_Bool haveMore, enum XML_Account account);
|
|
static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
|
|
const char **startPtr, const char *end,
|
|
- const char **nextPtr, XML_Bool haveMore);
|
|
+ const char **nextPtr, XML_Bool haveMore,
|
|
+ enum XML_Account account);
|
|
#ifdef XML_DTD
|
|
static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
|
|
const char **startPtr, const char *end,
|
|
@@ -3062,7 +3063,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
|
/* END disabled code */
|
|
else if (parser->m_defaultHandler)
|
|
reportDefault(parser, enc, s, next);
|
|
- result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
|
|
+ result
|
|
+ = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
|
|
if (result != XML_ERROR_NONE)
|
|
return result;
|
|
else if (! next) {
|
|
@@ -3691,9 +3693,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
|
static enum XML_Error PTRCALL
|
|
cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
|
|
const char **endPtr) {
|
|
- enum XML_Error result
|
|
- = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
|
|
- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
|
|
+ enum XML_Error result = doCdataSection(
|
|
+ parser, parser->m_encoding, &start, end, endPtr,
|
|
+ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
|
|
if (result != XML_ERROR_NONE)
|
|
return result;
|
|
if (start) {
|
|
@@ -3713,7 +3715,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
|
|
*/
|
|
static enum XML_Error
|
|
doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
|
|
- const char *end, const char **nextPtr, XML_Bool haveMore) {
|
|
+ const char *end, const char **nextPtr, XML_Bool haveMore,
|
|
+ enum XML_Account account) {
|
|
const char *s = *startPtr;
|
|
const char **eventPP;
|
|
const char **eventEndPP;
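Review bot: The new `account` parameter of doCdataSection is not described in the comment block whose closing `*/` is the first context line of this hunk, so a reader of the signature cannot tell what value a caller is expected to pass. Whether that comment already mentions accounting cannot be seen from the hunk, but a one-line addition such as `account: the XML_Account under which bytes consumed by this section are charged (XML_ACCOUNT_DIRECT for the top-level input; callers inside doContent forward their own value)` would document the contract the two new call sites rely on. doCdataSection's body continues past the end of the hunk.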
|
|
@@ -3732,11 +3735,12 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
|
|
const char *next;
|
|
int tok = XmlCdataSectionTok(enc, s, end, &next);
|
|
#ifdef XML_DTD
|
|
- if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
|
|
- XML_ACCOUNT_DIRECT)) {
|
|
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
|
|
accountingOnAbort(parser);
|
|
return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
|
|
}
|
|
+#else
|
|
+ UNUSED_P(account);
|
|
#endif
|
|
*eventEndPP = next;
|
|
switch (tok) {
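Review bot: The `UNUSED_P(account);` in the new `#else` branch is placed next to the per-token locals (`const char *next;`, `int tok = ...`) rather than with the function's own declarations, so in builds without XML_DTD the marker is repeated wherever this block runs instead of appearing once at the top of doCdataSection; moving it up to sit after the existing `const char **eventEndPP;` declaration keeps the unused-parameter annotation in the conventional spot and leaves this block as a plain `#ifdef XML_DTD` check. Behaviour is unchanged either way, since UNUSED_P only silences the warning. Forwarding the caller's `account` into accountingDiffTolerated in place of the former hard-coded XML_ACCOUNT_DIRECT is presumably what lets CDATA bytes reached through entity expansion count toward the amplification limit, and keeping that check ahead of `*eventEndPP = next` is the right order. doCdataSection's body starts and ends outside the hunk.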
|
|
--
1.8.3.1