Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame^] | 1 | From afd27c21f6b36e22682b7da20d726bce2dcb2f43 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Veillard <veillard@redhat.com> |
| 3 | Date: Mon, 9 Nov 2015 18:07:18 +0800 |
| 4 | Subject: [PATCH] Avoid processing entities after encoding conversion failures |
| 5 | |
| 6 | For https://bugzilla.gnome.org/show_bug.cgi?id=756527 |
| 7 | and was also raised by Chromium team in the past |
| 8 | |
| 9 | When we hit a conversion failure when switching encoding |
| 10 | it is better to stop parsing there, this was treated as a |
| 11 | fatal error but the parser was continuing to process to extract |
| 12 | more errors, unfortunately that makes little sense as the data |
| 13 | is obviously corrupt and can potentially lead to unexpected behaviour. |
| 14 | |
| 15 | Upstream-Status: Backport |
| 16 | |
| 17 | CVE-2015-7498 |
| 18 | |
| 19 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 20 | |
| 21 | --- |
| 22 | parser.c | 7 +++++-- |
| 23 | parserInternals.c | 11 ++++++++++- |
| 24 | 2 files changed, 15 insertions(+), 3 deletions(-) |
| 25 | |
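diff --git a/parser.c b/parser.c
index 134afe7..c79b4e8 100644
--- a/parser.c
+++ b/parser.c
@@ -10665,7 +10665,8 @@ xmlParseXMLDecl(xmlParserCtxtPtr ctxt) {
 xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED, "Blank needed here\n");
 }
 xmlParseEncodingDecl(ctxt);
-if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+if ((ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) ||
+(ctxt->instate == XML_PARSER_EOF)) {
 /*
 * The XML REC instructs us to stop parsing right here
 */
@@ -10789,6 +10790,7 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
 
 if (CUR == 0) {
 xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+return(-1);
 }
 
 /*
@@ -10806,7 +10808,8 @@ xmlParseDocument(xmlParserCtxtPtr ctxt) {
 * Note that we will switch encoding on the fly.
 */
 xmlParseXMLDecl(ctxt);
-if (ctxt->errNo == XML_ERR_UNSUPPORTED_ENCODING) {
+if ((ctxt->instate == XML_PARSER_EOF)) {
 /*
 * The XML REC instructs us to stop parsing right here
 */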
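Review bot: The comment kept at the top of the widened branch in xmlParseXMLDecl (`The XML REC instructs us to stop parsing right here`) no longer describes the whole condition: the added `ctxt->instate == XML_PARSER_EOF` test catches a parser that was already stopped, presumably by xmlStopParser() after an encoding conversion failure, which is not what the REC clause is about. Suggest extending it to `/* Stop here: the REC requires it for an unsupported encoding, and a parser already at XML_PARSER_EOF (stopped on a conversion failure) must not keep consuming corrupt input */`; the identical branch in xmlParseDocument in the third hunk needs the same wording. The two-line condition is now duplicated verbatim in both functions, so a small `static int` helper taking the context would keep them from drifting apart. Both function bodies continue outside the hunks, so what the branch does after the comment is not visible here.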
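diff --git a/parserInternals.c b/parserInternals.c
index df204fd..c8230c1 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -937,6 +937,7 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
 {
 xmlCharEncodingHandlerPtr handler;
 int len = -1;
+int ret;
 
 if (ctxt == NULL) return(-1);
 switch (enc) {
@@ -1097,7 +1098,15 @@ xmlSwitchEncoding(xmlParserCtxtPtr ctxt, xmlCharEncoding enc)
 if (handler == NULL)
 return(-1);
 ctxt->charset = XML_CHAR_ENCODING_UTF8;
-return(xmlSwitchToEncodingInt(ctxt, handler, len));
+ret = xmlSwitchToEncodingInt(ctxt, handler, len);
+if ((ret < 0) || (ctxt->errNo == XML_I18N_CONV_FAILED)) {
+/*
+* on encoding conversion errors, stop the parser
+*/
+xmlStopParser(ctxt);
+ctxt->errNo = XML_I18N_CONV_FAILED;
+}
+return(ret);
 }
 
 /**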
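Review bot: The order of the two added statements in xmlSwitchEncoding is load-bearing but undocumented: `ctxt->errNo = XML_I18N_CONV_FAILED;` is written after `xmlStopParser(ctxt);`, presumably because xmlStopParser sets its own error code, so swapping them would silently lose the conversion-failure code. Suggest widening the added comment to `/* on encoding conversion errors, stop the parser; set errNo after xmlStopParser() so the conversion-failure code is what callers see */`. Note also that the function still returns `ret`, which can be non-negative when the branch was entered through the errNo test alone, so a caller that checks only the return value will not learn that the parser was stopped; the parser.c hunks cope by testing `ctxt->instate == XML_PARSER_EOF`, and any other caller of xmlSwitchEncoding outside this patch would need the same check. The rest of xmlSwitchEncoding, including the switch and its early returns, lies outside the hunk.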
| 87 | -- |
| 88 | 2.3.5 |
| 89 | |