|
| 1 | +From 22f1d9704ac38c7102e7a68272b07355cad4925a Mon Sep 17 00:00:00 2001 |
| 2 | +From: Sindhu Karri < [email protected]> |
| 3 | +Date: Tue, 29 Oct 2024 10:17:59 +0000 |
| 4 | +Subject: [PATCH] CVE-2024-50602 |
| 5 | + |
| 6 | +--- |
| 7 | +From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001 |
| 8 | +From: Sebastian Pipping < [email protected]> |
| 9 | +Date: Mon, 21 Oct 2024 01:42:54 +0200 |
| 10 | +Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an |
| 11 | + unstarted parser |
| 12 | + |
| 13 | +--- |
| 14 | + lib/expat.h | 4 +++- |
| 15 | + lib/xmlparse.c | 11 ++++++++++- |
| 16 | + tests/misc_tests.c | 24 ++++++++++++++++++++++++ |
| 17 | + 3 files changed, 37 insertions(+), 2 deletions(-) |
| 18 | + |
| 19 | +diff --git a/lib/expat.h b/lib/expat.h |
| 20 | +index d0d6015..3ba6130 100644 |
| 21 | +--- a/lib/expat.h |
| 22 | ++++ b/lib/expat.h |
| 23 | +@@ -130,7 +130,9 @@ enum XML_Error { |
| 24 | + /* Added in 2.3.0. */ |
| 25 | + XML_ERROR_NO_BUFFER, |
| 26 | + /* Added in 2.4.0. */ |
| 27 | +- XML_ERROR_AMPLIFICATION_LIMIT_BREACH |
| 28 | ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH, |
| 29 | ++ /* Added in 2.6.4. */ |
| 30 | ++ XML_ERROR_NOT_STARTED, |
| 31 | + }; |
| 32 | + |
| 33 | + enum XML_Content_Type { |
| 34 | +diff --git a/lib/xmlparse.c b/lib/xmlparse.c |
| 35 | +index d9285b2..983f6df 100644 |
| 36 | +--- a/lib/xmlparse.c |
| 37 | ++++ b/lib/xmlparse.c |
| 38 | +@@ -2234,6 +2234,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { |
| 39 | + if (parser == NULL) |
| 40 | + return XML_STATUS_ERROR; |
| 41 | + switch (parser->m_parsingStatus.parsing) { |
| 42 | ++ case XML_INITIALIZED: |
| 43 | ++ parser->m_errorCode = XML_ERROR_NOT_STARTED; |
| 44 | ++ return XML_STATUS_ERROR; |
| 45 | + case XML_SUSPENDED: |
| 46 | + if (resumable) { |
| 47 | + parser->m_errorCode = XML_ERROR_SUSPENDED; |
| 48 | +@@ -2244,7 +2247,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { |
| 49 | + case XML_FINISHED: |
| 50 | + parser->m_errorCode = XML_ERROR_FINISHED; |
| 51 | + return XML_STATUS_ERROR; |
| 52 | +- default: |
| 53 | ++ case XML_PARSING: |
| 54 | + if (resumable) { |
| 55 | + #ifdef XML_DTD |
| 56 | + if (parser->m_isParamEntity) { |
| 57 | +@@ -2255,6 +2258,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) { |
| 58 | + parser->m_parsingStatus.parsing = XML_SUSPENDED; |
| 59 | + } else |
| 60 | + parser->m_parsingStatus.parsing = XML_FINISHED; |
| 61 | ++ break; |
| 62 | ++ default: |
| 63 | ++ assert(0); |
| 64 | + } |
| 65 | + return XML_STATUS_OK; |
| 66 | + } |
| 67 | +@@ -2519,6 +2525,9 @@ XML_ErrorString(enum XML_Error code) { |
| 68 | + case XML_ERROR_AMPLIFICATION_LIMIT_BREACH: |
| 69 | + return XML_L( |
| 70 | + "limit on input amplification factor (from DTD and entities) breached"); |
| 71 | ++ /* Added in 2.6.4. */ |
| 72 | ++ case XML_ERROR_NOT_STARTED: |
| 73 | ++ return XML_L("parser not started"); |
| 74 | + } |
| 75 | + return NULL; |
| 76 | + } |
| 77 | +diff --git a/tests/misc_tests.c b/tests/misc_tests.c |
| 78 | +index 2ee9320..1766e41 100644 |
| 79 | +--- a/tests/misc_tests.c |
| 80 | ++++ b/tests/misc_tests.c |
| 81 | +@@ -496,6 +496,28 @@ START_TEST(test_misc_char_handler_stop_without_leak) { |
| 82 | + } |
| 83 | + END_TEST |
| 84 | + |
| 85 | ++START_TEST(test_misc_resumeparser_not_crashing) { |
| 86 | ++ XML_Parser parser = XML_ParserCreate(NULL); |
| 87 | ++ XML_GetBuffer(parser, 1); |
| 88 | ++ XML_StopParser(parser, /*resumable=*/XML_TRUE); |
| 89 | ++ XML_ResumeParser(parser); // could crash here, previously |
| 90 | ++ XML_ParserFree(parser); |
| 91 | ++} |
| 92 | ++END_TEST |
| 93 | ++ |
| 94 | ++START_TEST(test_misc_stopparser_rejects_unstarted_parser) { |
| 95 | ++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE}; |
| 96 | ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { |
| 97 | ++ const XML_Bool resumable = cases[i]; |
| 98 | ++ XML_Parser parser = XML_ParserCreate(NULL); |
| 99 | ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE); |
| 100 | ++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR); |
| 101 | ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED); |
| 102 | ++ XML_ParserFree(parser); |
| 103 | ++ } |
| 104 | ++} |
| 105 | ++END_TEST |
| 106 | ++ |
| 107 | + void |
| 108 | + make_miscellaneous_test_case(Suite *s) { |
| 109 | + TCase *tc_misc = tcase_create("miscellaneous tests"); |
| 110 | +@@ -520,4 +542,6 @@ make_miscellaneous_test_case(Suite *s) { |
| 111 | + test_misc_create_external_entity_parser_with_null_context); |
| 112 | + tcase_add_test(tc_misc, test_misc_general_entities_support); |
| 113 | + tcase_add_test(tc_misc, test_misc_char_handler_stop_without_leak); |
| 114 | ++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing); |
| 115 | ++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser); |
| 116 | + } |
| 117 | +-- |
| 118 | +2.33.8 |
| 119 | + |
0 commit comments