[Reproducible-commits] [libxslt] 01/01: Fix for CVE-2008-1767: buffer overflow in pattern.c.
Mattia Rizzolo
mattia at debian.org
Fri May 20 12:49:07 UTC 2016
mattia pushed a commit to annotated tag debian/1.1.19-2
in repository libxslt.
commit 6db6320aa07ac13450e4ed74a1dd6fc49e86b2e6
Author: Mike Hommey <glandium at debian.org>
Date: Sun May 25 16:56:56 2008 +0200
Fix for CVE-2008-1767: buffer overflow in pattern.c.
---
config.sub | 14 ++----
debian/changelog | 8 ++++
libxslt/pattern.c | 86 +++++++++++++++++++++++++++++------
libxslt/{pattern.c => pattern.c.orig} | 0
4 files changed, 82 insertions(+), 26 deletions(-)
diff --git a/config.sub b/config.sub
index fab0aa3..387c18d 100755
--- a/config.sub
+++ b/config.sub
@@ -4,7 +4,7 @@
# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
# Inc.
-timestamp='2006-09-20'
+timestamp='2006-07-02'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@@ -276,7 +276,6 @@ case $basic_machine in
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
| pyramid \
- | score \
| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
@@ -285,7 +284,7 @@ case $basic_machine in
| tahoe | thumb | tic4x | tic80 | tron \
| v850 | v850e \
| we32k \
- | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
+ | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
| z8k)
basic_machine=$basic_machine-unknown
;;
@@ -368,7 +367,7 @@ case $basic_machine in
| tron-* \
| v850-* | v850e-* | vax-* \
| we32k-* \
- | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
| xstormy16-* | xtensa-* \
| ymp-* \
| z8k-*)
@@ -910,10 +909,6 @@ case $basic_machine in
sb1el)
basic_machine=mipsisa64sb1el-unknown
;;
- sde)
- basic_machine=mipsisa32-sde
- os=-elf
- ;;
sei)
basic_machine=mips-sei
os=-seiux
@@ -1371,9 +1366,6 @@ else
# system, and we'll never get to this point.
case $basic_machine in
- score-*)
- os=-elf
- ;;
spu-*)
os=-elf
;;
diff --git a/debian/changelog b/debian/changelog
index 658274c..cf9e92c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxslt (1.1.19-2) stable-security; urgency=high
+
+ * Non-maintainer upload by The Security Team.
+ * Updated pattern.c to prevent buffer overflow via long transformation
+ match. [CVE-2008-1767]
+
+ -- Steve Kemp <skx at debian.org> Mon, 26 May 2008 14:33:41 +0000
+
libxslt (1.1.19-1) unstable; urgency=low
* New upstream release
diff --git a/libxslt/pattern.c b/libxslt/pattern.c
index c3433c9..9ae95b7 100644
--- a/libxslt/pattern.c
+++ b/libxslt/pattern.c
@@ -106,7 +106,7 @@ struct _xsltCompMatch {
int maxStep;
xmlNsPtr *nsList; /* the namespaces in scope */
int nsNr; /* the number of namespaces in scope */
- xsltStepOp steps[40]; /* ops for computation */
+ xsltStepOpPtr steps; /* ops for computation */
};
typedef struct _xsltParserContext xsltParserContext;
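Review bot: The new `steps` pointer carries no ownership or sizing note, and a reader of this struct cannot tell whether nbStep or maxStep bounds the allocation. Given that xsltNewCompMatch allocates maxStep entries and xsltFreeCompMatch releases the buffer (later hunks), I'd extend the comment to `xsltStepOpPtr steps; /* ops for computation; owned by the match, maxStep allocated, nbStep in use */`. The struct's earlier fields are outside the hunk.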
@@ -146,7 +146,16 @@ xsltNewCompMatch(void) {
return(NULL);
}
memset(cur, 0, sizeof(xsltCompMatch));
- cur->maxStep = 40;
+ cur->maxStep = 10;
+ cur->nbStep = 0;
+ cur-> steps = (xsltStepOpPtr) xmlMalloc(sizeof(xsltStepOp) *
+ cur->maxStep);
+ if (cur->steps == NULL) {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltNewCompMatch : out of memory error\n");
+ xmlFree(cur);
+ return(NULL);
+ }
cur->nsNr = 0;
cur->nsList = NULL;
cur->direct = 0;
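Review bot: Since xsltNewCompMatch takes no parser context, the out-of-memory failure added here is visible to the caller only through the NULL return, while the equivalent failure when the same buffer grows in xsltCompMatchAdd is also counted in ctxt->style->errors; the caller in xsltCompilePatternInternal is outside this diff, so confirm it treats a NULL from xsltNewCompMatch as a compile error rather than continuing. The member access `cur-> steps` has a stray space; `cur->steps = (xsltStepOpPtr) xmlMalloc(sizeof(xsltStepOp) * cur->maxStep);` matches the rest of the function. The start of xsltNewCompMatch, including the allocation of cur, is outside the hunk.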
@@ -181,6 +190,7 @@ xsltFreeCompMatch(xsltCompMatchPtr comp) {
if (op->comp != NULL)
xmlXPathFreeCompExpr(op->comp);
}
+ xmlFree(comp->steps);
memset(comp, -1, sizeof(xsltCompMatch));
xmlFree(comp);
}
@@ -279,14 +289,26 @@ static int
xsltCompMatchAdd(xsltParserContextPtr ctxt, xsltCompMatchPtr comp,
xsltOp op, xmlChar * value, xmlChar * value2, int novar)
{
- if (comp->nbStep >= 40) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltCompMatchAdd: overflow\n");
- return (-1);
+ if (comp->nbStep >= comp->maxStep) {
+ xsltStepOpPtr tmp;
+
+ tmp = (xsltStepOpPtr) xmlRealloc(comp->steps, comp->maxStep * 2 *
+ sizeof(xsltStepOp));
+ if (tmp == NULL) {
+ xsltGenericError(xsltGenericErrorContext,
+ "xsltCompMatchAdd: memory re-allocation failure.\n");
+ if (ctxt->style != NULL)
+ ctxt->style->errors++;
+ return (-1);
+ }
+ comp->maxStep *= 2;
+ comp->steps = tmp;
}
comp->steps[comp->nbStep].op = op;
comp->steps[comp->nbStep].value = value;
comp->steps[comp->nbStep].value2 = value2;
+ comp->steps[comp->nbStep].value3 = NULL;
+ comp->steps[comp->nbStep].comp = NULL;
if (ctxt->ctxt != NULL) {
comp->steps[comp->nbStep].previousExtra =
xsltAllocateExtraCtxt(ctxt->ctxt);
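Review bot: The doubled capacity is computed twice, as `comp->maxStep * 2 * sizeof(xsltStepOp)` in the xmlRealloc argument and as `comp->maxStep *= 2` afterwards, and the first is an int multiplication performed before the widening to size_t. Computing it once into a local keeps the two in agreement and gives a single place to cap growth if that is ever wanted: `int newMax = comp->maxStep * 2;`, then `tmp = (xsltStepOpPtr) xmlRealloc(comp->steps, newMax * sizeof(xsltStepOp));` and `comp->maxStep = newMax;` on success. Keeping comp->steps untouched until tmp is checked is right, so a failed grow leaves the existing steps usable. The rest of xsltCompMatchAdd, presumably including the nbStep increment, is outside the hunk.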
@@ -343,6 +365,7 @@ xsltSwapTopCompMatch(xsltCompMatchPtr comp) {
register xmlChar *tmp;
register xsltOp op;
register xmlXPathCompExprPtr expr;
+ register int t;
i = j - 1;
tmp = comp->steps[i].value;
comp->steps[i].value = comp->steps[j].value;
@@ -350,46 +373,74 @@ xsltSwapTopCompMatch(xsltCompMatchPtr comp) {
tmp = comp->steps[i].value2;
comp->steps[i].value2 = comp->steps[j].value2;
comp->steps[j].value2 = tmp;
+ tmp = comp->steps[i].value3;
+ comp->steps[i].value3 = comp->steps[j].value3;
+ comp->steps[j].value3 = tmp;
op = comp->steps[i].op;
comp->steps[i].op = comp->steps[j].op;
comp->steps[j].op = op;
expr = comp->steps[i].comp;
comp->steps[i].comp = comp->steps[j].comp;
comp->steps[j].comp = expr;
+ t = comp->steps[i].previousExtra;
+ comp->steps[i].previousExtra = comp->steps[j].previousExtra;
+ comp->steps[j].previousExtra = t;
+ t = comp->steps[i].indexExtra;
+ comp->steps[i].indexExtra = comp->steps[j].indexExtra;
+ comp->steps[j].indexExtra = t;
+ t = comp->steps[i].lenExtra;
+ comp->steps[i].lenExtra = comp->steps[j].lenExtra;
+ comp->steps[j].lenExtra = t;
}
}
/**
* xsltReverseCompMatch:
+ * @ctxt: the parser context
* @comp: the compiled match expression
*
* reverse all the stack of expressions
*/
static void
-xsltReverseCompMatch(xsltCompMatchPtr comp) {
+xsltReverseCompMatch(xsltParserContextPtr ctxt, xsltCompMatchPtr comp) {
int i = 0;
int j = comp->nbStep - 1;
while (j > i) {
register xmlChar *tmp;
register xsltOp op;
- register xmlXPathCompExprPtr expr;
+ register xmlXPathCompExprPtr expr;
+ register int t;
+
tmp = comp->steps[i].value;
comp->steps[i].value = comp->steps[j].value;
comp->steps[j].value = tmp;
tmp = comp->steps[i].value2;
comp->steps[i].value2 = comp->steps[j].value2;
comp->steps[j].value2 = tmp;
+ tmp = comp->steps[i].value3;
+ comp->steps[i].value3 = comp->steps[j].value3;
+ comp->steps[j].value3 = tmp;
op = comp->steps[i].op;
comp->steps[i].op = comp->steps[j].op;
comp->steps[j].op = op;
expr = comp->steps[i].comp;
comp->steps[i].comp = comp->steps[j].comp;
comp->steps[j].comp = expr;
+ t = comp->steps[i].previousExtra;
+ comp->steps[i].previousExtra = comp->steps[j].previousExtra;
+ comp->steps[j].previousExtra = t;
+ t = comp->steps[i].indexExtra;
+ comp->steps[i].indexExtra = comp->steps[j].indexExtra;
+ comp->steps[j].indexExtra = t;
+ t = comp->steps[i].lenExtra;
+ comp->steps[i].lenExtra = comp->steps[j].lenExtra;
+ comp->steps[j].lenExtra = t;
j--;
i++;
}
- comp->steps[comp->nbStep++].op = XSLT_OP_END;
+ xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0);
+
/*
* detect consecutive XSLT_OP_PREDICATE indicating a direct
* matching should be done.
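Review bot: The return value of `xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0);` is discarded, and xsltReverseCompMatch is void, so a realloc failure while appending the terminator leaves the compiled match without an XSLT_OP_END and the caller in xsltCompilePatternInternal (last hunk) has no way to see it beyond whatever ctxt->style->errors triggers later; at minimum `if (xsltCompMatchAdd(ctxt, comp, XSLT_OP_END, NULL, NULL, 0) < 0) return;` makes the failure mode explicit, and returning int from this function would let the caller abandon the pattern. Separately, the field-by-field swap here and in xsltSwapTopCompMatch above is exactly what let value3 and the Extra fields go unswapped before this patch; swapping the whole element, `xsltStepOp t = comp->steps[i]; comp->steps[i] = comp->steps[j]; comp->steps[j] = t;`, cannot miss a field and removes the duplicated block in both functions. The direct-match detection that follows is outside the hunk.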
@@ -420,7 +471,8 @@ xsltReverseCompMatch(xsltCompMatchPtr comp) {
************************************************************************/
static int
-xsltPatPushState(xsltStepStates *states, int step, xmlNodePtr node) {
+xsltPatPushState(xsltTransformContextPtr ctxt, xsltStepStates *states,
+ int step, xmlNodePtr node) {
if ((states->states == NULL) || (states->maxstates <= 0)) {
states->maxstates = 4;
states->nbstates = 0;
@@ -431,8 +483,12 @@ xsltPatPushState(xsltStepStates *states, int step, xmlNodePtr node) {
tmp = (xsltStepStatePtr) xmlRealloc(states->states,
2 * states->maxstates * sizeof(xsltStepState));
- if (tmp == NULL)
+ if (tmp == NULL) {
+ xsltGenericError(xsltGenericErrorContext,
+ "xsltPatPushState: memory re-allocation failure.\n");
+ ctxt->state = XSLT_STATE_STOPPED;
return(-1);
+ }
states->states = tmp;
states->maxstates *= 2;
}
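Review bot: The failure path now dereferences `ctxt` unconditionally (`ctxt->state = XSLT_STATE_STOPPED;`); the pre-patch xsltPatPushState had no context parameter, so every caller has to be confirmed to pass a non-NULL context — the three call sites in the later hunks forward the matcher's ctxt, and whether that can be NULL is not visible here. If it can, `if (ctxt != NULL) ctxt->state = XSLT_STATE_STOPPED;` keeps an allocation failure from becoming a null dereference. The first-allocation branch at the top of the function is cut by the hunk boundary, so it is worth checking that it reports failure the same way this branch does.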
@@ -728,12 +784,12 @@ restart:
goto rollback;
node = node->parent;
if ((step->op != XSLT_OP_ELEM) && step->op != XSLT_OP_ALL) {
- xsltPatPushState(&states, i, node);
+ xsltPatPushState(ctxt, &states, i, node);
continue;
}
i++;
if (step->value == NULL) {
- xsltPatPushState(&states, i - 1, node);
+ xsltPatPushState(ctxt, &states, i - 1, node);
continue;
}
while (node != NULL) {
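Review bot: Both calls, `xsltPatPushState(ctxt, &states, i, node);` and `xsltPatPushState(ctxt, &states, i - 1, node);`, discard the -1 the function now returns on allocation failure, so the loop continues with an incomplete state stack and a later rollback resumes from a stale entry; the call in the next hunk has the same shape. Unless the matcher re-checks ctxt->state before trusting its result (not visible here), each call should be `if (xsltPatPushState(ctxt, &states, i, node) < 0) goto rollback;`, or whichever exit releases states->states and returns an error, so that a stopped transform does not report a match from partial state. The enclosing match loop starts and ends outside the hunk.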
@@ -754,7 +810,7 @@ restart:
}
if (node == NULL)
goto rollback;
- xsltPatPushState(&states, i - 1, node);
+ xsltPatPushState(ctxt, &states, i - 1, node);
continue;
case XSLT_OP_ID: {
/* TODO Handle IDs decently, must be done differently */
@@ -1960,7 +2016,7 @@ xsltCompilePatternInternal(const xmlChar *pattern, xmlDocPtr doc,
/*
* Reverse for faster interpretation.
*/
- xsltReverseCompMatch(element);
+ xsltReverseCompMatch(ctxt, element);
/*
* Set-up the priority
diff --git a/libxslt/pattern.c b/libxslt/pattern.c.orig
similarity index 100%
copy from libxslt/pattern.c
copy to libxslt/pattern.c.orig