packages/libxml2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!26 fix CVE-2020-24977

Browse Source 
From: @yang_zhuang_zhuang
Reviewed-by: @xiezhipeng1
Signed-off-by: @xiezhipeng1
This commit is contained in:
openeuler-ci-bot 2020-10-15 16:36:07 +08:00 committed by Gitee
commit 4c5b2cc8ed
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Fix-integer-overflow-when-comparing-schema-dates.patch Normal file
View File

@ -0,0 +1,41 @@
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 3 Aug 2020 17:30:41 +0200
Subject: Fix integer overflow when comparing schema dates
Found by OSS-Fuzz.
---
xmlschemastypes.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index 4249d70..d6b9f92 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
minday = 0;
maxday = 0;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
/* FIXME: This doesn't take leap year exceptions every 100/400 years
into account. */
maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
if (x->value.date.tz_flag) {
if (!y->value.date.tz_flag) {
--
1.8.3.1

6
libxml2.spec
View File

@ -1,7 +1,7 @@
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
Name: libxml2 Name: libxml2
Version: 2.9.10 Version: 2.9.10
Release: 6 Release: 7
License: MIT License: MIT
Group: Development/Libraries Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -33,6 +33,7 @@ Patch23: Limit-regexp-nesting-depth.patch
Patch24: Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch Patch24: Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch
Patch25: Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch Patch25: Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
Patch26: Reset-HTML-parser-input-before-reporting-error.patch Patch26: Reset-HTML-parser-input-before-reporting-error.patch
Patch27: Fix-integer-overflow-when-comparing-schema-dates.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python2-devel BuildRequires: python2-devel
@ -224,6 +225,9 @@ rm -fr %{buildroot}
%changelog %changelog
* Thu Oct 15 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.9.10-7
- Fix CVE-2020-24977
* Fri Aug 28 2020 zoulin <zoulin13@huawei.com> - 2.9.10-6 * Fri Aug 28 2020 zoulin <zoulin13@huawei.com> - 2.9.10-6
- Fix more quadratic runtime issues in HTML push parse - Fix more quadratic runtime issues in HTML push parse
- Fix reset HTML parser input before reporting error - Fix reset HTML parser input before reporting error