Merge these 4 security patches from upstream:

- Avoid double-free if malloc fails in inputPush - Fix memory leak in xmlLoadEntityContent error path - Fix integer overflow in xmlBufferDump() - Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser Prodded by tj@, thanks
2022-08-10 12:32:35 +00:00 · 2022-08-10 12:32:35 +00:00 · e5d7f3dd3b
commit e5d7f3dd3b
parent ad99cb1a9b
4 changed files with 131 additions and 0 deletions
--- a/textproc/libxml/Makefile
+++ b/textproc/libxml/Makefile
@ -7,6 +7,8 @@ GNOME_PROJECT=		libxml2
 PKGNAME-main=		libxml-${VERSION}
 PKGNAME-python=		py3-libxml-${VERSION}

+REVISION-main=		0
+
 SHARED_LIBS +=  xml2                 17.1     # 11.14

 CATEGORIES=		textproc
--- a/textproc/libxml/patches/patch-parser_c
+++ b/textproc/libxml/patches/patch-parser_c
@ -0,0 +1,31 @@
+From ecba4cbd4335b31aa7a815701971ed09cfffea9b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2022 19:22:31 +0200
+Subject: [PATCH] Avoid double-free if malloc fails in inputPush
+
+From ca2c91f139426f63646292da58a15a1511dccc0f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2022 19:24:14 +0200
+Subject: [PATCH] Fix memory leak in xmlLoadEntityContent error path
+
+Index: parser.c
+--- parser.c.orig
+++ parser.c
+@@ -1761,9 +1761,7 @@ inputPush(xmlParserCtxtPtr ctxt, xmlParserInputPtr val
+                                              sizeof(ctxt->inputTab[0]));
+         if (ctxt->inputTab == NULL) {
+             xmlErrMemory(ctxt, NULL);
+-	    xmlFreeInputStream(value);
+ 	    ctxt->inputMax /= 2;
+-	    value = NULL;
+             return (-1);
+         }
+     }
+@@ -8094,6 +8092,7 @@ xmlLoadEntityContent(xmlParserCtxtPtr ctxt, xmlEntityP
+      */
+     if (xmlPushInput(ctxt, input) < 0) {
+         xmlBufferFree(buf);
+	xmlFreeInputStream(input);
+ 	return(-1);
+     }
+ 
--- a/textproc/libxml/patches/patch-tree_c
+++ b/textproc/libxml/patches/patch-tree_c
@ -0,0 +1,26 @@
+From a6df42e649acacb55be832222d1f3f50c66720ff Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Sat, 28 May 2022 08:08:29 -0700
+Subject: [PATCH] Fix integer overflow in xmlBufferDump()
+
+Index: tree.c
+--- tree.c.orig
+++ tree.c
+@@ -7372,7 +7372,7 @@ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
+  */
+ int
+ xmlBufferDump(FILE *file, xmlBufferPtr buf) {
+-    int ret;
+    size_t ret;
+ 
+     if (buf == NULL) {
+ #ifdef DEBUG_BUFFER
+@@ -7391,7 +7391,7 @@ xmlBufferDump(FILE *file, xmlBufferPtr buf) {
+     if (file == NULL)
+ 	file = stdout;
+     ret = fwrite(buf->content, sizeof(xmlChar), buf->use, file);
+-    return(ret);
+    return(ret > INT_MAX ? INT_MAX : (int)ret);
+ }
+ 
+ /**
--- a/textproc/libxml/patches/patch-xmlreader_c
+++ b/textproc/libxml/patches/patch-xmlreader_c
@ -0,0 +1,72 @@
+From c50196c13d348025a4843305902bb37df64bae36 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Sun, 10 Apr 2022 20:02:47 -0700
+Subject: [PATCH] Fix use-after-free bugs when calling xmlTextReaderClose()
+ before xmlFreeTextReader() on post-validating parser
+
+Index: xmlreader.c
+--- xmlreader.c.orig
+++ xmlreader.c
+@@ -2319,36 +2319,16 @@ xmlFreeTextReader(xmlTextReaderPtr reader) {
+ 	xmlFree(reader->patternTab);
+     }
+ #endif
+-    if (reader->faketext != NULL) {
+-	xmlFreeNode(reader->faketext);
+-    }
+    if (reader->mode != XML_TEXTREADER_MODE_CLOSED)
+        xmlTextReaderClose(reader);
+     if (reader->ctxt != NULL) {
+         if (reader->dict == reader->ctxt->dict)
+ 	    reader->dict = NULL;
+-#ifdef LIBXML_VALID_ENABLED
+-	if ((reader->ctxt->vctxt.vstateTab != NULL) &&
+-	    (reader->ctxt->vctxt.vstateMax > 0)){
+-#ifdef LIBXML_REGEXP_ENABLED
+-            while (reader->ctxt->vctxt.vstateNr > 0)
+-                xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL);
+-#endif /* LIBXML_REGEXP_ENABLED */
+-	    xmlFree(reader->ctxt->vctxt.vstateTab);
+-	    reader->ctxt->vctxt.vstateTab = NULL;
+-	    reader->ctxt->vctxt.vstateMax = 0;
+-	}
+-#endif /* LIBXML_VALID_ENABLED */
+-	if (reader->ctxt->myDoc != NULL) {
+-	    if (reader->preserve == 0)
+-		xmlTextReaderFreeDoc(reader, reader->ctxt->myDoc);
+-	    reader->ctxt->myDoc = NULL;
+-	}
+ 	if (reader->allocs & XML_TEXTREADER_CTXT)
+ 	    xmlFreeParserCtxt(reader->ctxt);
+     }
+     if (reader->sax != NULL)
+ 	xmlFree(reader->sax);
+-    if ((reader->input != NULL)  && (reader->allocs & XML_TEXTREADER_INPUT))
+-	xmlFreeParserInputBuffer(reader->input);
+     if (reader->buffer != NULL)
+         xmlBufFree(reader->buffer);
+     if (reader->entTab != NULL)
+@@ -2379,7 +2359,23 @@ xmlTextReaderClose(xmlTextReaderPtr reader) {
+     reader->node = NULL;
+     reader->curnode = NULL;
+     reader->mode = XML_TEXTREADER_MODE_CLOSED;
+    if (reader->faketext != NULL) {
+        xmlFreeNode(reader->faketext);
+        reader->faketext = NULL;
+    }
+     if (reader->ctxt != NULL) {
+#ifdef LIBXML_VALID_ENABLED
+	if ((reader->ctxt->vctxt.vstateTab != NULL) &&
+	    (reader->ctxt->vctxt.vstateMax > 0)){
+#ifdef LIBXML_REGEXP_ENABLED
+            while (reader->ctxt->vctxt.vstateNr > 0)
+                xmlValidatePopElement(&reader->ctxt->vctxt, NULL, NULL, NULL);
+#endif /* LIBXML_REGEXP_ENABLED */
+	    xmlFree(reader->ctxt->vctxt.vstateTab);
+	    reader->ctxt->vctxt.vstateTab = NULL;
+	    reader->ctxt->vctxt.vstateMax = 0;
+	}
+#endif /* LIBXML_VALID_ENABLED */
+ 	xmlStopParser(reader->ctxt);
+ 	if (reader->ctxt->myDoc != NULL) {
+ 	    if (reader->preserve == 0)