Commit graph

3458 commits

Author SHA1 Message Date
Samanta Navarro
9b4ce651b2 Prevent stack exhaustion in build_model
It is possible to trigger stack exhaustion in the build_model function if
the depth of nested children in a DTD element is large enough. This happens
because build_node is a recursively called function within build_model.

The code has been adjusted to run iteratively. It uses the already
allocated heap space as temporary stack (growing from top to bottom).

Output is identical to the recursive version. No new fields in data
structures were added, i.e. it keeps full API and ABI compatibility.
Instead, the numchildren variable is used to temporarily keep the
index of items (uint vs int).

Documentation and readability improvements kindly added by Sebastian.

Proof of Concept:

1. Compile poc binary which parses XML file line by line

```
cat > poc.c << EOF
 #include <err.h>
 #include <expat.h>
 #include <stdio.h>
 #include <stdlib.h> /* needed for free() */

 XML_Parser parser;

 static void XMLCALL
 dummy_element_decl_handler(void *userData, const XML_Char *name,
                            XML_Content *model) {
   XML_FreeContentModel(parser, model);
 }

 int main(int argc, char *argv[]) {
   FILE *fp;
   char *p = NULL;
   size_t s = 0;
   ssize_t l;
   if (argc != 2)
     errx(1, "usage: poc poc.xml");
   if ((parser = XML_ParserCreate(NULL)) == NULL)
     errx(1, "XML_ParserCreate");
   XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
   if ((fp = fopen(argv[1], "r")) == NULL)
     err(1, "fopen");
   while ((l = getline(&p, &s, fp)) > 0)
     if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
       errx(1, "XML_Parse");
   XML_ParserFree(parser);
   free(p);
   fclose(fp);
   return 0;
 }
EOF
cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
```

2. Create XML file with a lot of nested groups in DTD element

```
cat > poc.xml.zst.b64 << EOF
KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
EOF
base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
```

3. Run Proof of Concept

```
./poc poc.xml
```

Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
2022-02-15 12:16:23 +00:00
Sebastian Pipping
81b89678e2
Merge pull request #554 from libexpat/issue-552-prepare-release
Prepare release 2.4.4 (part of #552)
2022-01-30 01:09:37 +01:00
Sebastian Pipping
3ce557eecb win32: Add missing files to the installer 2022-01-29 23:33:09 +01:00
Sebastian Pipping
c322e14f9f doc: Drop unused file valid-xhtml10.png
Unused since commit 30c4aa85f5 of 2.4.0
2022-01-29 23:28:05 +01:00
Sebastian Pipping
26b677744c .gitignore: Add missing 2022-01-29 23:28:05 +01:00
Sebastian Pipping
da3dcd4ecf xmlwf.xml: Adapt note to current practice 2022-01-29 23:28:05 +01:00
Sebastian Pipping
0afb2df6a9 Set expected release date for 2.4.4 2022-01-29 23:28:05 +01:00
Sebastian Pipping
039af6611d Sync file headers 2022-01-29 23:28:05 +01:00
Sebastian Pipping
a445be8e0d Bump version to 2.4.4 2022-01-29 23:20:49 +01:00
Sebastian Pipping
2a0add0a7a Bump version info from 9:3:8 to 9:4:8
See https://verbump.de/ for what these numbers do
2022-01-29 23:20:18 +01:00
Sebastian Pipping
6c7c96d98c Changes: Document #546 2022-01-29 23:20:18 +01:00
czentgr
d97a123d0b
Stop casting void* results from calls to .malloc_fcn (#553) 2022-01-29 01:21:41 +01:00
Sebastian Pipping
5c168279c5
Merge pull request #551 from libexpat/prevent-doprolog-overflow
[CVE-2022-23990] lib: Prevent integer overflow in function doProlog
2022-01-26 23:16:10 +01:00
Sebastian Pipping
6e3449594f Changes: Document CVE-2022-23990 2022-01-26 19:33:23 +01:00
Sebastian Pipping
ede41d1e18 lib: Prevent integer overflow in doProlog (CVE-2022-23990)
The change from "int nameLen" to "size_t nameLen"
addresses the overflow on "nameLen++" in code
"for (; name[nameLen++];)" right above the second
change in the patch.
2022-01-26 19:33:12 +01:00
Sebastian Pipping
5f100ffa78
Merge pull request #545 from libexpat/issue-544-fix-xmlwf-memleak-on-file-opening-error
[>=2.3.0] xmlwf: Fix a memory leak on output file opening error (fixes #544)
2022-01-24 18:45:26 +01:00
Sebastian Pipping
85a6f8fcdb xmlwf: Fix a memory leak on output file opening error 2022-01-24 15:41:32 +01:00
Sebastian Pipping
178d26f50a
Merge pull request #550 from libexpat/prevent-getbuffer-overflow
[CVE-2022-23852] Prevent XML_GetBuffer signed integer overflow
2022-01-24 15:39:04 +01:00
Sebastian Pipping
99cec436fb Changes: Document CVE-2022-23852 2022-01-24 02:37:47 +01:00
Sebastian Pipping
acf956f14b tests: Cover integer overflow in XML_GetBuffer (CVE-2022-23852) 2022-01-24 02:37:47 +01:00
Samanta Navarro
847a645152 lib: Detect and prevent integer overflow in XML_GetBuffer (CVE-2022-23852) 2022-01-24 02:35:02 +01:00
Sebastian Pipping
8fb2211e99
Merge pull request #548 from ferivoz/typos
Fix typos
2022-01-22 15:59:07 +01:00
Samanta Navarro
5a8f5f1d40 Fix typos
Typos found with codespell.
2022-01-22 12:06:45 +00:00
Carlo Bramini
1e1b52be2d
[>=2.3.0] Autotools: Fix broken CMake support under Cygwin (#546)
Autotools: Fix broken CMake support under Cygwin
2022-01-20 21:03:36 +01:00
Sebastian Pipping
57c7da69b7 Merge branch 'issue-533-prepare-release' (#533) 2022-01-16 14:13:19 +01:00
Sebastian Pipping
fc4652b2b3 Set expected release date for 2.4.3 2022-01-13 23:47:57 +01:00
Sebastian Pipping
87638f86fd Changes: Streamline item order for 2.4.3 2022-01-13 23:47:57 +01:00
Sebastian Pipping
09044348e1 Changes: Document #528 and #529 2022-01-13 23:47:43 +01:00
Sebastian Pipping
6496a03d40 Sync years in file headers 2022-01-13 23:45:22 +01:00
Sebastian Pipping
d102671bfe Bump version to 2.4.3 2022-01-13 20:08:47 +01:00
Sebastian Pipping
2a6019d0fb Bump version info from 9:2:8 to 9:3:8
See https://verbump.de/ for what these numbers do
2022-01-13 20:02:42 +01:00
Sebastian Pipping
919a2bec5e
Merge pull request #539 from libexpat/prevent-more-integer-overflows
[CVE-2022-22822 to CVE-2022-22827] lib: Prevent more integer overflows
2022-01-13 19:56:36 +01:00
Sebastian Pipping
8e9f6ea08c Changes: Document CVE-2022-22822 to CVE-2022-22827 2022-01-12 17:01:55 +01:00
Sebastian Pipping
9f93e8036e lib: Prevent integer overflow at multiple places (CVE-2022-22822 to CVE-2022-22827)
The involved functions are:
- addBinding (CVE-2022-22822)
- build_model (CVE-2022-22823)
- defineAttribute (CVE-2022-22824)
- lookup (CVE-2022-22825)
- nextScaffoldPart (CVE-2022-22826)
- storeAtts (CVE-2022-22827)
2022-01-12 17:01:55 +01:00
Sebastian Pipping
653bcf9c25 linux.yml: Add some -m32 coverage to -DEXPAT_ATTR_INFO=ON 2022-01-10 18:01:38 +01:00
Sebastian Pipping
82c11af9d3
Merge pull request #538 from libexpat/issue-532-integer-overflow
[CVE-2021-46143] lib: Prevent integer overflow on m_groupSize in function doProlog (fixes #532)
2022-01-10 18:01:11 +01:00
Sebastian Pipping
f488b072b7 Changes: Document integer overflow CVE-2021-46143 2022-01-10 16:51:50 +01:00
Sebastian Pipping
85ae9a2d7d lib: Prevent integer overflow on m_groupSize in function doProlog (CVE-2021-46143) 2022-01-10 16:51:14 +01:00
Sebastian Pipping
b6b432bad5
Merge pull request #541 from libexpat/fix-run-sh-in-for-native-windows
run.sh.in: Do not use Wine with Cygwin and MSYS2
2022-01-10 16:26:31 +01:00
Sebastian Pipping
572ef7a2ac run.sh.in: Do not use Wine with Cygwin and MSYS2 2022-01-09 23:04:13 +01:00
Sebastian Pipping
9dc50735f7
Merge pull request #534 from libexpat/issue-531-troublesome-shifts
[CVE-2021-45960] lib: Detect and prevent troublesome left shifts in function storeAtts (fixes #531)
2022-01-07 23:17:01 +01:00
Sebastian Pipping
f82a72271c Changes: Document CVE-2021-45960 2022-01-05 18:23:42 +01:00
Sebastian Pipping
0adcb34c49 lib: Detect and prevent troublesome left shifts in function storeAtts (CVE-2021-45960) 2022-01-05 18:23:42 +01:00
Sebastian Pipping
5cde0d78fc
Merge pull request #536 from libexpat/actions-cover-cmake-required-version
Actions: Check for realistic minimum CMake version requirement
2022-01-01 16:49:58 +01:00
Sebastian Pipping
9470015a1f Actions: Check for realistic minimum CMake version requirement 2022-01-01 15:58:47 +01:00
Sebastian Pipping
4a0af42c35
Merge pull request #535 from libexpat/cmake-fix-call-to-file-generate
CMake: Make call to file(GENERATE [..]) work for CMake <3.19
2021-12-31 22:35:46 +01:00
Sebastian Pipping
2ed8e19ada CMake: Make call to file(GENERATE [..]) work for CMake <3.19
Error from CMake 3.7.2 was:

CMake Error at CMakeLists.txt:482 (file):
  file Incorrect arguments to GENERATE subcommand.
2021-12-31 20:49:00 +01:00
Sebastian Pipping
60bbbe560c
Merge pull request #529 from libexpat/actions-cover-m32
GitHub Actions: Cover -m32 + store coverage results as an artifact
2021-12-28 16:11:41 +01:00
Sebastian Pipping
5aaa96e1a2 coverage.yml: Store coverage .info and HTML report 2021-12-28 04:18:10 +01:00
Sebastian Pipping
28e427e689 linux.yml: Add some coverage to -m32 32bit mode 2021-12-28 04:06:05 +01:00