SECURITY FIX for http://secunia.com/advisories/28444/

Libxml2 UTF-8 Parsing Denial of Service Vulnerability Patch taken from upstream author. testing and ok simon@ sthen@
2008-04-01 11:34:16 +00:00 · 2008-04-01 11:34:16 +00:00 · 7585a37f8e
commit 7585a37f8e
parent 0a278895dd
2 changed files with 61 additions and 3 deletions
--- a/textproc/libxml/Makefile
+++ b/textproc/libxml/Makefile
@ -1,12 +1,12 @@
-# $OpenBSD: Makefile,v 1.110 2008/01/04 18:38:52 espie Exp $
+# $OpenBSD: Makefile,v 1.111 2008/04/01 11:34:16 jasper Exp $

 COMMENT-main=		XML parsing library
 COMMENT-python=		Python bindings for libxml

 VERSION=		2.6.30
 DISTNAME=		libxml2-${VERSION}
-PKGNAME-main=		libxml-${VERSION}
-PKGNAME-python=		py-libxml-${VERSION}p0
+PKGNAME-main=		libxml-${VERSION}p0
+PKGNAME-python=		py-libxml-${VERSION}p1
 SHARED_LIBS=		xml2	9.7
 CATEGORIES=		textproc
 MASTER_SITES=		ftp://xmlsoft.org/libxml/ \
--- a/textproc/libxml/patches/patch-parserInternals_c
+++ b/textproc/libxml/patches/patch-parserInternals_c
@ -0,0 +1,58 @@
+$OpenBSD: patch-parserInternals_c,v 1.1 2008/04/01 11:34:16 jasper Exp $
+--- parserInternals.c.orig	Tue Jun 12 15:33:54 2007
+++ parserInternals.c	Tue Apr  1 10:36:06 2008
+@@ -638,14 +638,13 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
+ 
+ 	c = *cur;
+ 	if (c & 0x80) {
+-	    if (c == 0xC0)
+	    if (((c & 0x40) == 0) || (c == 0xC0))
+ 		goto encoding_error;
+ 	    if (cur[1] == 0)
+ 		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ 	    if ((cur[1] & 0xc0) != 0x80)
+ 		goto encoding_error;
+ 	    if ((c & 0xe0) == 0xe0) {
+-
+ 		if (cur[2] == 0)
+ 		    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+ 		if ((cur[2] & 0xc0) != 0x80)
+@@ -662,18 +661,24 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
+ 		    val |= (cur[1] & 0x3f) << 12;
+ 		    val |= (cur[2] & 0x3f) << 6;
+ 		    val |= cur[3] & 0x3f;
+		    if (val < 0x10000)
+			goto encoding_error;
+ 		} else {
+ 		  /* 3-byte code */
+ 		    *len = 3;
+ 		    val = (cur[0] & 0xf) << 12;
+ 		    val |= (cur[1] & 0x3f) << 6;
+ 		    val |= cur[2] & 0x3f;
+		    if (val < 0x800)
+			goto encoding_error;
+ 		}
+ 	    } else {
+ 	      /* 2-byte code */
+ 		*len = 2;
+ 		val = (cur[0] & 0x1f) << 6;
+ 		val |= cur[1] & 0x3f;
+		if (val < 0x80)
+		    goto encoding_error;
+ 	    }
+ 	    if (!IS_CHAR(val)) {
+ 	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+@@ -683,6 +688,13 @@ xmlCurrentChar(xmlParserCtxtPtr ctxt, int *len) {
+ 	} else {
+ 	    /* 1-byte code */
+ 	    *len = 1;
+	    if (*ctxt->input->cur == 0)
+		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+	    if ((*ctxt->input->cur == 0) &&
+	        (ctxt->input->end > ctxt->input->cur)) {
+	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+				  "Char 0x%X out of allowed range\n", val);
+	    }
+ 	    if (*ctxt->input->cur == 0xD) {
+ 		if (ctxt->input->cur[1] == 0xA) {
+ 		    ctxt->nbChars++;