From a84f77647bf9bede8d6361f5762021ca052c5cc3 Mon Sep 17 00:00:00 2001 From: fuanan <2385803914@qq.com> Date: Sat, 12 Feb 2022 10:53:18 +0800 Subject: [PATCH] use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild --- ...in-xmlAddNextSibling-and-xmlAddChild.patch | 31 ------ libxml2.spec | 10 +- ...xmlAddNextSibling-may-not-attach-the.patch | 104 ++++++++++++++++++ 3 files changed, 112 insertions(+), 33 deletions(-) delete mode 100644 Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch create mode 100644 xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch diff --git a/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch b/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch deleted file mode 100644 index c41cbc8..0000000 --- a/Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch +++ /dev/null @@ -1,31 +0,0 @@ -From ace5aece17b5ecaafee286fc943616fdee03d885 Mon Sep 17 00:00:00 2001 -From: panxiaohe -Date: Thu, 11 Nov 2021 16:45:04 +0800 -Subject: [PATCH] Fix heap-use-after-free in xmlAddNextSibling and xmlAddChild - ---- - xinclude.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/xinclude.c b/xinclude.c -index b2e6ea1..d39ff7d 100644 ---- a/xinclude.c -+++ b/xinclude.c -@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, - } - if (tmp != NULL) { - if (level == lastLevel) -- xmlAddNextSibling(last, tmp); -+ last = xmlAddNextSibling(last, tmp); - else { -- xmlAddChild(last, tmp); -+ last = xmlAddChild(last, tmp); - lastLevel = level; - } -- last = tmp; - } - } - /* --- -1.8.3.1 - diff --git a/libxml2.spec b/libxml2.spec index f4aa441..a2328c1 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.12 -Release: 3 +Release: 4 License: MIT Group: Development/Libraries Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz 
@@ -10,7 +10,7 @@ Patch0: libxml2-multilib.patch Patch1: Fix-XPath-recursion-limit.patch Patch2: Fix-Null-deref-in-xmlSchemaGetComponentTargetNs.patch Patch3: Fix-memleaks-in-xmlXIncludeProcessFlags.patch -Patch4: Fix-heap-use-after-free-in-xmlAddNextSibling-and-xmlAddChild.patch +Patch4: xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch Patch5: Work-around-lxml-API-abuse.patch Patch6: Fix-regression-in-xmlNodeDumpOutputInternal.patch Patch7: Fix-whitespace-when-serializing-empty-HTML-documents.patch @@ -176,6 +176,12 @@ rm -fr %{buildroot} %changelog +* Sat Feb 12 2022 fuanan - 2.9.12-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:use upstream patch refix heap-use-after-free in xmlAddNextSibling and xmlAddChild + * Fri Nov 12 2021 panxiaohe - 2.9.12-3 - Type:bugfix - ID:NA diff --git a/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch new file mode 100644 index 0000000..fe5cfc8 --- /dev/null +++ b/xmlAddChild-and-xmlAddNextSibling-may-not-attach-the.patch 
@@ -0,0 +1,104 @@ +From 8f5ccada05ddd4a1ff8e399ad39fc7cd4bd33325 Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Wed, 7 Jul 2021 19:24:36 -0700 +Subject: [PATCH] xmlAddChild() and xmlAddNextSibling() may not attach their + second argument + +Use the return value of xmlAddChild() and xmlAddNextSibling() +instead of the second argument directly. + +Found by OSS-Fuzz. + +Fixes #316 +--- + xinclude.c | 14 ++++++-------- + xpointer.c | 13 ++++++------- + 2 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/xinclude.c b/xinclude.c +index b2e6ea1..2a0614d 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -1014,15 +1014,15 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + if (list == NULL) { + list = tmp; + listParent = cur->parent; ++ last = tmp; + } else { + if (level == lastLevel) +- xmlAddNextSibling(last, tmp); ++ last = xmlAddNextSibling(last, tmp); + else { +- xmlAddChild(last, tmp); ++ last = xmlAddChild(last, tmp); + lastLevel = level; + } + } +- last = tmp; + + if (index2 > 1) { + end = xmlXIncludeGetNthChild(cur, index2 - 1); +@@ -1103,12 +1103,11 @@ xmlXIncludeCopyRange(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + } + if (tmp != NULL) { + if (level == lastLevel) +- xmlAddNextSibling(last, tmp); ++ last = xmlAddNextSibling(last, tmp); + else { +- xmlAddChild(last, tmp); ++ last = xmlAddChild(last, tmp); + lastLevel = level; + } +- last = tmp; + } + } + /* +@@ -1186,8 +1185,7 @@ xmlXIncludeCopyXPointer(xmlXIncludeCtxtPtr ctxt, xmlDocPtr target, + if (last == NULL) { + list = last = tmp; + } else { +- xmlAddNextSibling(last, tmp); +- last = tmp; ++ last = xmlAddNextSibling(last, tmp); + } + cur = cur->next; + continue; +diff --git a/xpointer.c b/xpointer.c +index 27a6a8c..fe2fca5 100644 +--- a/xpointer.c ++++ b/xpointer.c +@@ -1483,16 +1483,16 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) { + return(list); + } else { + tmp = xmlCopyNode(cur, 0); +- if (list == NULL) ++ if (list == NULL) { + list = tmp; +- else { ++ parent 
= tmp; ++ } else { + if (last != NULL) +- xmlAddNextSibling(last, tmp); ++ parent = xmlAddNextSibling(last, tmp); + else +- xmlAddChild(parent, tmp); ++ parent = xmlAddChild(parent, tmp); + } + last = NULL; +- parent = tmp; + + if (index2 > 1) { + end = xmlXPtrGetNthChild(cur, index2 - 1); +@@ -1574,8 +1574,7 @@ xmlXPtrBuildRangeNodeList(xmlXPathObjectPtr range) { + if (last != NULL) + xmlAddNextSibling(last, tmp); + else { +- xmlAddChild(parent, tmp); +- last = tmp; ++ last = xmlAddChild(parent, tmp); + } + } + } +-- +1.8.3.1 + -- Gitee
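Review bot: The new `last = xmlAddNextSibling(last, tmp);` and `last = xmlAddChild(last, tmp);` assignments in the imported xinclude.c and xpointer.c hunks store the return value unchecked, and both functions are documented to return NULL on error. In the xmlXIncludeCopyXPointer hunk a NULL `last` would send the next iteration into the `list = last = tmp` branch and drop the list built so far, so a guard such as `added = xmlAddNextSibling(last, tmp); if (added != NULL) last = added;` (or an explicit error exit) is worth checking against upstream. In the last xpointer.c hunk the context line `xmlAddNextSibling(last, tmp);` still discards its result; `tmp` is not read again in the visible lines, but a comment such as `/* tmp may be merged into a neighbour and freed; do not use it after this call */` would record why that is safe. All of these functions begin and end outside the hunks shown, so the surrounding uses of `last` and `tmp` could not be checked here.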