From 2e27ccb52beeb29d51aa5ae1cab7eae9e27f712b Mon Sep 17 00:00:00 2001
From: fuanan <2385803914@qq.com>
Date: Fri, 11 Feb 2022 14:48:53 +0800
Subject: [PATCH] use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild
---
 ...in-xmlAddNextSibling-and-xmlAddChild.patch | 31 ------
 libxml2.spec | 10 +-
 ...xmlAddNextSibling-may-not-attach-the.patch | 104 ++++++++++++++++++
 3 files changed, 112 insertions(+), 33 deletions(-)
 delete mode 100644 Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
 create mode 100644 xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
diff --git a/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch b/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
deleted file mode 100644
index c41cbc8..0000000
--- a/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ace5aece17b5ecaafee286fc943616fdee03d885 Mon Sep 17 00:00:00 2001
-From: panxiaohe
-Date: Thu, 11 Nov 2021 16:45:04 +0800
-Subject: [PATCH] Fix heap-use-after-free in xmlAddNextSibling and xmlAddChild
-
----
- xinclude.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/xinclude.c b/xinclude.c
-index b2e6ea1..d39ff7d 100644
---- a/xinclude.c
-+++ b/xinclude.c
-@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
- }
- if (tmp != NULL) {
- if (level == lastLevel)
-- xmlAddNextSibling(last, tmp);
-+ last = xmlAddNextSibling(last, tmp);
- else {
-- xmlAddChild(last, tmp);
-+ last = xmlAddChild(last, tmp);
- lastLevel = level;
- }
-- last = tmp;
- }
- }
- /*
---
-1.8.3.1
-
diff --git a/libxml2.spec b/libxml2.spec
index 86b1183..20a7b3b 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 22
+Release: 23
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -102,7 +102,7 @@ Patch89: Hardcode-maximum-XPath-recursion-depth.patch
 Patch90: Fix-XPath-recursion-limit.patch
 Patch91: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch
 Patch92: Fix-memleaks-in-xmlXIncludeProcessFlags.patch
-Patch93: Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch
+Patch93: xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
 Patch94: Fix-unsigned-integer-overflow-in-htmlParseTryOrFinis.patch
 Patch95: Fix-undefined-behavior-in-UTF16LEToUTF8.patch
 Patch96: Fix-SEGV-in-xmlSAXParseFileWithData.patch
@@ -309,6 +309,12 @@ rm -fr %{buildroot}
 %changelog
+* Fri Feb 11 2022 fuanan - 2.9.10-23
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild
+
 * Thu Dec 2 2021 panxiaohe - 2.9.10-22
 - Type:bugfix
 - ID:NA
diff --git a/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
new file mode 100644
index 0000000..fe5cfc8
--- /dev/null
+++ b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch
@@ -0,0 +1,104 @@
+From 8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325 Mon Sep 17 00:00:00 2001
+From: David Kilzer
+Date: Wed, 7 Jul 2021 19:24:36 -0700
+Subject: [PATCH] xmlAddChild() and xmlAddNextSibling() may not attach their
+ second argument
+
+Use the return value of xmlAddChild() and xmlAddNextSibling()
+instead of the second argument directly.
+
+Found by OSS-Fuzz.
+
+Fixes #316
+---
+ xinclude.c | 14 ++++++--------
+ xpointer.c | 13 ++++++-------
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index b2e6ea1..2a0614d 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -1014,15 +1014,15 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ if (list == NULL) {
+ list = tmp;
+ listParent = cur->parent;
++ last = tmp;
+ } else {
+ if (level == lastLevel)
+- xmlAddNextSibling(last, tmp);
++ last = xmlAddNextSibling(last, tmp);
+ else {
+- xmlAddChild(last, tmp);
++ last = xmlAddChild(last, tmp);
+ lastLevel = level;
+ }
+ }
+- last = tmp;
+
+ if (index2 > 1) {
+ end = xmlXIncludeGetNthChild(cur, index2 - 1);
+@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ }
+ if (tmp != NULL) {
+ if (level == lastLevel)
+- xmlAddNextSibling(last, tmp);
++ last = xmlAddNextSibling(last, tmp);
+ else {
+- xmlAddChild(last, tmp);
++ last = xmlAddChild(last, tmp);
+ lastLevel = level;
+ }
+- last = tmp;
+ }
+ }
+ /*
+@@ -1186,8 +1185,7 @@ xmlXIncludeCopyXPointer(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target,
+ if (last == NULL) {
+ list = last = tmp;
+ } else {
+- xmlAddNextSibling(last, tmp);
+- last = tmp;
++ last = xmlAddNextSibling(last, tmp);
+ }
+ cur = cur->next;
+ continue;
+diff --git a/xpointer.c b/xpointer.c
+index 27a6a8c..fe2fca5 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1483,16 +1483,16 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
+ return(list);
+ } else {
+ tmp = xmlCopyNode(cur, 0);
+- if (list == NULL)
++ if (list == NULL) {
+ list = tmp;
+- else {
++ parent = tmp;
++ } else {
+ if (last != NULL)
+- xmlAddNextSibling(last, tmp);
++ parent = xmlAddNextSibling(last, tmp);
+ else
+- xmlAddChild(parent, tmp);
++ parent = xmlAddChild(parent, tmp);
+ }
+ last = NULL;
+- parent = tmp;
+
+ if (index2 > 1) {
+ end = xmlXPtrGetNthChild(cur, index2 - 1);
+@@ -1574,8 +1574,7 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) {
+ if (last != NULL)
+ xmlAddNextSibling(last, tmp);
+ else {
+- xmlAddChild(parent, tmp);
+- last = tmp;
++ last = xmlAddChild(parent, tmp);
+ }
+ }
+ }
+--
+1.8.3.1
+
-- Gitee
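Review bot: In the last xpointer.c hunk of the imported patch (`@@ -1574,8 +1574,7 @@`, xmlXPtrBuildRangeNodeList), the `if (last != NULL)` branch still calls `xmlAddNextSibling(last, tmp);` and discards the result, so one call site keeps the pattern the patch subject warns about, where the second argument may not end up attached. The visible lines do not use `tmp` after that call, but the function continues outside the hunk, so this should be confirmed against the patched tree; a comment such as `/* tmp may have been merged into last and freed; do not use it after this call */` would record the invariant. Separately, the new `last = xmlAddNextSibling(...)`, `last = xmlAddChild(...)` and `parent = ...` assignments store the return value unchecked, and both functions return NULL on error, so a failed attach would leave `last` or `parent` NULL for the next iteration. Because this swaps a one-hunk downstream fix for a five-hunk upstream one, running the XInclude and XPointer range tests under AddressSanitizer before release would confirm the use-after-free is closed.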