[xml/sgml-commit] r1218 - in /packages/libxml2: ./ trunk/debian/changelog trunk/parserInternals.c

Sat Sep 13 07:33:00 UTC 2008

Author: glandium
Date: Sat Sep 13 07:33:00 2008
New Revision: 1218

URL: http://svn.debian.org/wsvn/debian-xml-sgml/?sc=1&rev=1218
Log:
 r1320 at jigen:  mh | 2008-01-19 16:34:52 +0100
 * Non-maintainer upload by security team.
 * This update addresses the following security issue:
   - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
     attackers to cause a denial of service (infinite loop) via XML
     containing invalid UTF-8 sequences (Closes: #460292).

Modified:
    packages/libxml2/   (props changed)
    packages/libxml2/trunk/debian/changelog
    packages/libxml2/trunk/parserInternals.c

Propchange: packages/libxml2/
------------------------------------------------------------------------------

--- svk:merge (original)
+++ svk:merge Sat Sep 13 07:33:00 2008
@@ -1,2 +1,2 @@
 85a06573-1206-0410-a182-ce9117885d71:/local/libxml2:296
-a066b643-3b0a-0410-a6ba-ed4cca522822:/local/libxml2:1312
+a066b643-3b0a-0410-a6ba-ed4cca522822:/local/libxml2:1320

Modified: packages/libxml2/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/libxml2/trunk/debian/changelog?rev=1218&op=diff
==============================================================================
--- packages/libxml2/trunk/debian/changelog (original)
+++ packages/libxml2/trunk/debian/changelog Sat Sep 13 07:33:00 2008
@@ -1,3 +1,13 @@
+libxml2 (2.6.30.dfsg-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by security team.
+  * This update addresses the following security issue:
+    - CVE-2007-6284: The xmlCurrentChar function allows context-dependent
+      attackers to cause a denial of service (infinite loop) via XML
+      containing invalid UTF-8 sequences (Closes: #460292).
+
+ -- Nico Golde <nion at debian.org>  Sun, 13 Jan 2008 15:15:04 +0100
+
 libxml2 (2.6.30.dfsg-3) unstable; urgency=low
 
   * debian/libxml2.symbols: Add a symbols file to benefit from the new

Modified: packages/libxml2/trunk/parserInternals.c
URL: http://svn.debian.org/wsvn/debian-xml-sgml/packages/libxml2/trunk/parserInternals.c?rev=1218&op=diff
==============================================================================
--- packages/libxml2/trunk/parserInternals.c (original)
+++ packages/libxml2/trunk/parserInternals.c Sat Sep 13 07:33:00 2008
@@ -638,14 +638,13 @@
 
 	c = *cur;
 	if (c & 0x80) {
-	    if (c == 0xC0)
+	    if (((c & 0x40) == 0) || (c == 0xC0))
 		goto encoding_error;
 	    if (cur[1] == 0)
 		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 	    if ((cur[1] & 0xc0) != 0x80)
 		goto encoding_error;
 	    if ((c & 0xe0) == 0xe0) {
-
 		if (cur[2] == 0)
 		    xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
 		if ((cur[2] & 0xc0) != 0x80)
@@ -662,18 +661,24 @@
 		    val |= (cur[1] & 0x3f) << 12;
 		    val |= (cur[2] & 0x3f) << 6;
 		    val |= cur[3] & 0x3f;
+		    if (val < 0x10000)
+			goto encoding_error;
 		} else {
 		  /* 3-byte code */
 		    *len = 3;
 		    val = (cur[0] & 0xf) << 12;
 		    val |= (cur[1] & 0x3f) << 6;
 		    val |= cur[2] & 0x3f;
+		    if (val < 0x800)
+			goto encoding_error;
 		}
 	    } else {
 	      /* 2-byte code */
 		*len = 2;
 		val = (cur[0] & 0x1f) << 6;
 		val |= cur[1] & 0x3f;
+		if (val < 0x80)
+		    goto encoding_error;
 	    }
 	    if (!IS_CHAR(val)) {
 	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
@@ -683,6 +688,13 @@
 	} else {
 	    /* 1-byte code */
 	    *len = 1;
+	    if (*ctxt->input->cur == 0)
+		xmlParserInputGrow(ctxt->input, INPUT_CHUNK);
+	    if ((*ctxt->input->cur == 0) &&
+	        (ctxt->input->end > ctxt->input->cur)) {
+	        xmlErrEncodingInt(ctxt, XML_ERR_INVALID_CHAR,
+				  "Char 0x%X out of allowed range\n", val);
+	    }
 	    if (*ctxt->input->cur == 0xD) {
 		if (ctxt->input->cur[1] == 0xA) {
 		    ctxt->nbChars++;


