summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPranjal Jumde <pjumde@apple.com>2016-03-07 14:04:08 -0800
committerDaniel Veillard <veillard@redhat.com>2016-05-23 15:01:07 +0800
commit38eae571111db3b43ffdeb05487c9f60551906fb (patch)
tree6c8c49c25884830f08d6118227d3dedb1e3ce1ce
parent11ed4a7a90d5ce156a18980a4ad4e53e77384852 (diff)
downloadlibxml2-38eae571111db3b43ffdeb05487c9f60551906fb.tar.gz
Heap use-after-free in xmlSAX2AttributeNsCVE-2016-1835
For https://bugzilla.gnome.org/show_bug.cgi?id=759020 * parser.c: (xmlParseStartTag2): Attribute strings are only valid if the base does not change, so add another check where the base may change. Make sure to set 'attvalue' to NULL after freeing it. * result/errors/759020.xml: Added. * result/errors/759020.xml.err: Added. * result/errors/759020.xml.str: Added. * test/errors/759020.xml: Added test case.
Diffstat
-rw-r--r--parser.c12
-rw-r--r--result/errors/759020.xml0
-rw-r--r--result/errors/759020.xml.err6
-rw-r--r--result/errors/759020.xml.str7
-rw-r--r--test/errors/759020.xml46
5 files changed, 69 insertions, 2 deletions
diff --git a/parser.c b/parser.c
index 15c606f0..7aba6a9b 100644
--- a/parser.c
+++ b/parser.c
@@ -9488,7 +9488,10 @@ reparse:
else
if (nsPush(ctxt, NULL, URL) > 0) nbNs++;
skip_default_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
@@ -9497,6 +9500,8 @@ skip_default_ns:
break;
}
SKIP_BLANKS;
+ if ((ctxt->input->base != base) || (inputNr != ctxt->inputNr))
+ goto base_changed;
continue;
}
if (aprefix == ctxt->str_xmlns) {
@@ -9568,7 +9573,10 @@ skip_default_ns:
else
if (nsPush(ctxt, attname, URL) > 0) nbNs++;
skip_ns:
- if (alloc != 0) xmlFree(attvalue);
+ if ((attvalue != NULL) && (alloc != 0)) {
+ xmlFree(attvalue);
+ attvalue = NULL;
+ }
if ((RAW == '>') || (((RAW == '/') && (NXT(1) == '>'))))
break;
if (!IS_BLANK_CH(RAW)) {
diff --git a/result/errors/759020.xml b/result/errors/759020.xml
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/result/errors/759020.xml
diff --git a/result/errors/759020.xml.err b/result/errors/759020.xml.err
new file mode 100644
index 00000000..a0d30517
--- /dev/null
+++ b/result/errors/759020.xml.err
@@ -0,0 +1,6 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00 line 2
+
+ ^
diff --git a/result/errors/759020.xml.str b/result/errors/759020.xml.str
new file mode 100644
index 00000000..998d6d2f
--- /dev/null
+++ b/result/errors/759020.xml.str
@@ -0,0 +1,7 @@
+./test/errors/759020.xml:3: namespace warning : xmlns: URI 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 is not absolute
+0000000000000000000000000000000000000000000000000000000000000000000000000000000'
+ ^
+./test/errors/759020.xml:46: parser error : Couldn't find end of Start Tag s00
+
+ ^
+./test/errors/759020.xml : failed to parse
diff --git a/test/errors/759020.xml b/test/errors/759020.xml
new file mode 100644
index 00000000..db232756
--- /dev/null
+++ b/test/errors/759020.xml
@@ -0,0 +1,46 @@
+<?l 00000000000000000000000000000?>
+<s00 w0000="000" h00000="000"
+ xmlns = '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ \ No newline at end of file
View Lorry Controller Status