153aa9179Sopenharmony_ciFrom d7daf9fd967ad7fcd509e6355f12f824327f07a4 Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Nick Wellnhofer <wellnhofer@aevum.de>
353aa9179Sopenharmony_ciDate: Tue, 14 Mar 2023 13:02:36 +0100
453aa9179Sopenharmony_ciSubject: [PATCH] xmllint: Fix use-after-free with --maxmem
553aa9179Sopenharmony_ci
653aa9179Sopenharmony_ciFixes #498.
753aa9179Sopenharmony_ci
853aa9179Sopenharmony_ciReference:https://github.com/GNOME/libxml2/commit/d7daf9fd967ad7fcd509e6355f12f824327f07a4
953aa9179Sopenharmony_ciConflict:include/libxml/xmlmemory.h
1053aa9179Sopenharmony_ci
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_ci---
1353aa9179Sopenharmony_ci include/libxml/xmlmemory.h | 2 ++
1453aa9179Sopenharmony_ci xmllint.c | 15 ++++++---------
1553aa9179Sopenharmony_ci xmlmemory.c | 21 +++++++++++++++++++++
1653aa9179Sopenharmony_ci 3 files changed, 29 insertions(+), 9 deletions(-)
1753aa9179Sopenharmony_ci
1853aa9179Sopenharmony_cidiff --git a/include/libxml/xmlmemory.h b/include/libxml/xmlmemory.h
1953aa9179Sopenharmony_ciindex 17e375a..0a5f3eb 100644
2053aa9179Sopenharmony_ci--- a/include/libxml/xmlmemory.h
2153aa9179Sopenharmony_ci+++ b/include/libxml/xmlmemory.h
2253aa9179Sopenharmony_ci@@ -137,6 +137,8 @@ XMLPUBFUN void XMLCALL
2353aa9179Sopenharmony_ci /*
2453aa9179Sopenharmony_ci * These are specific to the XML debug memory wrapper.
2553aa9179Sopenharmony_ci */
2653aa9179Sopenharmony_ci+XMLPUBFUN size_t
2753aa9179Sopenharmony_ci+ xmlMemSize (void *ptr);
2853aa9179Sopenharmony_ci XMLPUBFUN int XMLCALL
2953aa9179Sopenharmony_ci xmlMemUsed (void);
3053aa9179Sopenharmony_ci XMLPUBFUN int XMLCALL
3153aa9179Sopenharmony_cidiff --git a/xmllint.c b/xmllint.c
3253aa9179Sopenharmony_ciindex fd43893..a17aa07 100644
3353aa9179Sopenharmony_ci--- a/xmllint.c
3453aa9179Sopenharmony_ci+++ b/xmllint.c
3553aa9179Sopenharmony_ci@@ -358,17 +358,14 @@ myMallocFunc(size_t size)
3653aa9179Sopenharmony_ci static void *
3753aa9179Sopenharmony_ci myReallocFunc(void *mem, size_t size)
3853aa9179Sopenharmony_ci {
3953aa9179Sopenharmony_ci- void *ret;
4053aa9179Sopenharmony_ci+ size_t oldsize = xmlMemSize(mem);
4153aa9179Sopenharmony_ci 
4253aa9179Sopenharmony_ci- ret = xmlMemRealloc(mem, size);
4353aa9179Sopenharmony_ci- if (ret != NULL) {
4453aa9179Sopenharmony_ci- if (xmlMemUsed() > maxmem) {
4553aa9179Sopenharmony_ci- OOM();
4653aa9179Sopenharmony_ci- xmlMemFree(ret);
4753aa9179Sopenharmony_ci- return (NULL);
4853aa9179Sopenharmony_ci- }
4953aa9179Sopenharmony_ci+ if (xmlMemUsed() + size - oldsize > (size_t) maxmem) {
5053aa9179Sopenharmony_ci+ OOM();
5153aa9179Sopenharmony_ci+ return (NULL);
5253aa9179Sopenharmony_ci }
5353aa9179Sopenharmony_ci- return (ret);
5453aa9179Sopenharmony_ci+
5553aa9179Sopenharmony_ci+ return (xmlMemRealloc(mem, size));
5653aa9179Sopenharmony_ci }
5753aa9179Sopenharmony_ci static char *
5853aa9179Sopenharmony_ci myStrdupFunc(const char *str)
5953aa9179Sopenharmony_cidiff --git a/xmlmemory.c b/xmlmemory.c
6053aa9179Sopenharmony_ciindex c51f49a..469fcfb 100644
6153aa9179Sopenharmony_ci--- a/xmlmemory.c
6253aa9179Sopenharmony_ci+++ b/xmlmemory.c
6353aa9179Sopenharmony_ci@@ -573,6 +573,27 @@ xmlMemoryStrdup(const char *str) {
6453aa9179Sopenharmony_ci return(xmlMemStrdupLoc(str, "none", 0));
6553aa9179Sopenharmony_ci }
6653aa9179Sopenharmony_ci
6753aa9179Sopenharmony_ci+/**
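Review bot: The new prototype `XMLPUBFUN size_t xmlMemSize (void *ptr);` omits the `XMLCALL` qualifier that the neighbouring `xmlMemUsed` declaration and the rest of this block carry, so it is the one entry in the debug-memory section declared without it. The definition added in xmlmemory.c lacks it as well, so declaration and definition agree with each other, but on toolchains where XMLCALL expands to a calling convention the new symbol would be exported with a different convention from the surrounding API; since the commit message records a manual conflict resolution in this header, it is worth confirming the omission is intended for this branch rather than an artefact of the merge. If not, `XMLPUBFUN size_t XMLCALL` on the first line (and the matching qualifier on the definition) restores the file's convention.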
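Review bot: The new limit check `xmlMemUsed() + size - oldsize > (size_t) maxmem` converts the `int` from xmlMemUsed() to size_t and subtracts oldsize unconditionally, so it only avoids unsigned wrap-around on a shrinking realloc because the current block is assumed to be counted in xmlMemUsed(); oldsize is 0 for a NULL or untagged pointer, which is harmless. A shrink can never push usage over the limit, so guarding on growth removes the wrap possibility and states the intent: `if (size > oldsize && xmlMemUsed() + (size - oldsize) > (size_t) maxmem) {`. The type of maxmem and the behaviour of OOM() are outside the hunk; I assume maxmem is a non-negative int, as the cast suggests. A one-line comment above the check would also help future readers, e.g. `/* Enforce the limit before reallocating so mem stays valid and owned by the caller on failure. */`, since that ordering is what removes the use-after-free the old post-realloc check created.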
6853aa9179Sopenharmony_ci+ * xmlMemSize:
6953aa9179Sopenharmony_ci+ * @ptr: pointer to the memory allocation
7053aa9179Sopenharmony_ci+ *
7153aa9179Sopenharmony_ci+ * Returns the size of a memory allocation.
7253aa9179Sopenharmony_ci+ */
7353aa9179Sopenharmony_ci+
7453aa9179Sopenharmony_ci+size_t
7553aa9179Sopenharmony_ci+xmlMemSize(void *ptr) {
7653aa9179Sopenharmony_ci+ MEMHDR *p;
7753aa9179Sopenharmony_ci+
7853aa9179Sopenharmony_ci+ if (ptr == NULL)
7953aa9179Sopenharmony_ci+ return(0);
8053aa9179Sopenharmony_ci+
8153aa9179Sopenharmony_ci+ p = CLIENT_2_HDR(ptr);
8253aa9179Sopenharmony_ci+ if (p->mh_tag != MEMTAG)
8353aa9179Sopenharmony_ci+ return(0);
8453aa9179Sopenharmony_ci+
8553aa9179Sopenharmony_ci+ return(p->mh_size);
8653aa9179Sopenharmony_ci+}
8753aa9179Sopenharmony_ci+
8853aa9179Sopenharmony_ci /**
8953aa9179Sopenharmony_ci * xmlMemUsed:
9053aa9179Sopenharmony_ci *
9153aa9179Sopenharmony_ci--
9253aa9179Sopenharmony_ci2.27.0
9353aa9179Sopenharmony_ci
94
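Review bot: The doc comment for xmlMemSize says only `Returns the size of a memory allocation.`, but the body returns 0 both for a NULL @ptr and for a pointer whose header tag is not MEMTAG, and the new myReallocFunc relies on that 0 meaning "nothing to subtract"; the Returns line should say so, e.g. `Returns the size of the allocation, or 0 if @ptr is NULL or was not allocated by the debug memory wrapper.` The function reads the MEMHDR located before @ptr via CLIENT_2_HDR before the tag check runs, so a pointer from a different allocator is an out-of-bounds read rather than a clean 0; the comment should state that @ptr must come from the xmlMem* allocation functions, as xmlMemFree presumably already requires. Whether mh_size is the size the caller requested or includes wrapper overhead is not visible in this hunk; stating it in the comment would let the maxmem arithmetic in xmllint.c be checked for comparing like with like.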