153aa9179Sopenharmony_ciFrom 077df27eb1bdc2a3268f7596415fd91db76d29d4 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Thu, 22 Dec 2022 15:22:01 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] parser: Fix integer overflow of input ID
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciApplies a patch from Chromium. Also stop incrementing input ID of
753aa9179Sopenharmony_cisubcontexts. This isn't necessary.
853aa9179Sopenharmony_ci
953aa9179Sopenharmony_ciFixes #465.
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/077df27eb1bdc2a3268f7596415fd91db76d29d4
1253aa9179Sopenharmony_ciConflict:NA
1353aa9179Sopenharmony_ci---
1453aa9179Sopenharmony_ci parser.c | 8 ++------
1553aa9179Sopenharmony_ci parserInternals.c | 7 ++++++-
1653aa9179Sopenharmony_ci 2 files changed, 8 insertions(+), 7 deletions(-)
1753aa9179Sopenharmony_ci
1853aa9179Sopenharmony_cidiff --git a/parser.c b/parser.c
1953aa9179Sopenharmony_ciindex 2207404..431851f 100644
2053aa9179Sopenharmony_ci--- a/parser.c
2153aa9179Sopenharmony_ci+++ b/parser.c
2253aa9179Sopenharmony_ci@@ -13337,7 +13337,7 @@ xmlParseBalancedChunkMemoryInternal(xmlParserCtxtPtr oldctxt,
2353aa9179Sopenharmony_ci ctxt->userData = ctxt;
2453aa9179Sopenharmony_ci if (ctxt->dict != NULL) xmlDictFree(ctxt->dict);
2553aa9179Sopenharmony_ci ctxt->dict = oldctxt->dict;
2653aa9179Sopenharmony_ci- ctxt->input_id = oldctxt->input_id + 1;
2753aa9179Sopenharmony_ci+ ctxt->input_id = oldctxt->input_id;
2853aa9179Sopenharmony_ci ctxt->str_xml = xmlDictLookup(ctxt->dict, BAD_CAST "xml", 3);
2953aa9179Sopenharmony_ci ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
3053aa9179Sopenharmony_ci ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
3153aa9179Sopenharmony_ci@@ -13968,11 +13968,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID,
3253aa9179Sopenharmony_ci if (pctx != NULL) {
3353aa9179Sopenharmony_ci ctxt->options = pctx->options;
3453aa9179Sopenharmony_ci ctxt->_private = pctx->_private;
3553aa9179Sopenharmony_ci- /*
3653aa9179Sopenharmony_ci- * this is a subparser of pctx, so the input_id should be
3753aa9179Sopenharmony_ci- * incremented to distinguish from main entity
3853aa9179Sopenharmony_ci- */
3953aa9179Sopenharmony_ci- ctxt->input_id = pctx->input_id + 1;
4053aa9179Sopenharmony_ci+ ctxt->input_id = pctx->input_id;
4153aa9179Sopenharmony_ci }
4253aa9179Sopenharmony_ci 
4353aa9179Sopenharmony_ci /* Don't read from stdin. */
4453aa9179Sopenharmony_cidiff --git a/parserInternals.c b/parserInternals.c
4553aa9179Sopenharmony_ciindex ef18ccf..cee4cd9 100644
4653aa9179Sopenharmony_ci--- a/parserInternals.c
4753aa9179Sopenharmony_ci+++ b/parserInternals.c
4853aa9179Sopenharmony_ci@@ -1352,8 +1352,13 @@ xmlNewInputStream(xmlParserCtxtPtr ctxt) {
4953aa9179Sopenharmony_ci * should not happen while parsing which is the situation where
5053aa9179Sopenharmony_ci * the id is actually needed.
5153aa9179Sopenharmony_ci */
5253aa9179Sopenharmony_ci- if (ctxt != NULL)
5353aa9179Sopenharmony_ci+ if (ctxt != NULL) {
5453aa9179Sopenharmony_ci+ if (input->id >= INT_MAX) {
5553aa9179Sopenharmony_ci+ xmlErrMemory(ctxt, "Input ID overflow\n");
5653aa9179Sopenharmony_ci+ return(NULL);
5753aa9179Sopenharmony_ci+ }
5853aa9179Sopenharmony_ci input->id = ctxt->input_id++;
5953aa9179Sopenharmony_ci+ }
6053aa9179Sopenharmony_ci 
6153aa9179Sopenharmony_ci return(input);
6253aa9179Sopenharmony_ci }
6353aa9179Sopenharmony_ci-- 
6453aa9179Sopenharmony_ci2.27.0
6553aa9179Sopenharmony_ci
66
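Review bot: The new line `ctxt->input_id = oldctxt->input_id;` in the xmlParseBalancedChunkMemoryInternal hunk no longer records why the subcontext starts from the parent's counter unchanged, and the same applies to `ctxt->input_id = pctx->input_id;` in the xmlCreateEntityParserCtxtInternal hunk, where the explanatory comment is deleted outright. Since the removed `+ 1` was signed arithmetic that overflows once input_id reaches INT_MAX — the overflow this commit is about — a one-line comment would stop a future reader from reinstating it: `/* Inherit the parent's input ID counter as-is; no increment is needed, and +1 would overflow at INT_MAX. */`. Both enclosing functions begin and end outside their hunks, so whether the copied counter is ever written back to the parent context is not visible here.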
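Review bot: The overflow guard in xmlNewInputStream tests `input->id`, but that field is only assigned on the following line from `ctxt->input_id++`, so at the point of the check it still holds whatever the struct was initialised with earlier in the function (outside the hunk) and the `>= INT_MAX` branch does not protect the counter it is meant to; the condition should read `if (ctxt->input_id >= INT_MAX) {`. The early `return(NULL)` also abandons `input` itself if it was heap-allocated earlier in the function, which the hunk does not show; releasing it before returning (`xmlFree(input)`, or `xmlFreeInputStream(input)` if its members are already in a freeable state) would avoid a leak on this path. `INT_MAX` needs `<limits.h>`, which this diff does not add, so it is worth confirming parserInternals.c already includes it.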