Fix CVE-2020-24977
This commit is contained in:
yang_zhuang_zhuang
parent
c401eaa4b5
commit
ad2a15576c
41
Fix-integer-overflow-when-comparing-schema-dates.patch
Normal file
41
Fix-integer-overflow-when-comparing-schema-dates.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Mon, 3 Aug 2020 17:30:41 +0200
|
||||
Subject: Fix integer overflow when comparing schema dates
|
||||
|
||||
Found by OSS-Fuzz.
|
||||
---
|
||||
xmlschemastypes.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
|
||||
index 4249d70..d6b9f92 100644
|
||||
--- a/xmlschemastypes.c
|
||||
+++ b/xmlschemastypes.c
|
||||
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
|
||||
minday = 0;
|
||||
maxday = 0;
|
||||
} else {
|
||||
+ if (myear > LONG_MAX / 366)
|
||||
+ return -2;
|
||||
/* FIXME: This doesn't take leap year exceptions every 100/400 years
|
||||
into account. */
|
||||
maxday = 365 * myear + (myear + 3) / 4;
|
||||
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
|
||||
if ((x == NULL) || (y == NULL))
|
||||
return -2;
|
||||
|
||||
+ if ((x->value.date.year > LONG_MAX / 366) ||
|
||||
+ (x->value.date.year < LONG_MIN / 366) ||
|
||||
+ (y->value.date.year > LONG_MAX / 366) ||
|
||||
+ (y->value.date.year < LONG_MIN / 366)) {
|
||||
+ /* Possible overflow when converting to days. */
|
||||
+ return -2;
|
||||
+ }
|
||||
+
|
||||
if (x->value.date.tz_flag) {
|
||||
|
||||
if (!y->value.date.tz_flag) {
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: Library providing XML and HTML support
|
||||
Name: libxml2
|
||||
Version: 2.9.10
|
||||
Release: 6
|
||||
Release: 7
|
||||
License: MIT
|
||||
Group: Development/Libraries
|
||||
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
|
||||
@ -33,6 +33,7 @@ Patch23: Limit-regexp-nesting-depth.patch
|
||||
Patch24: Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch
|
||||
Patch25: Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
|
||||
Patch26: Reset-HTML-parser-input-before-reporting-error.patch
|
||||
Patch27: Fix-integer-overflow-when-comparing-schema-dates.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
BuildRequires: python2-devel
|
||||
@ -224,6 +225,9 @@ rm -fr %{buildroot}
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Oct 15 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.9.10-7
|
||||
- Fix CVE-2020-24977
|
||||
|
||||
* Fri Aug 28 2020 zoulin <zoulin13@huawei.com> - 2.9.10-6
|
||||
- Fix more quadratic runtime issues in HTML push parse
|
||||
- Fix reset HTML parser input before reporting error
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user