1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
From <http://seclists.org/fulldisclosure/2016/May/10>.
From e5269fd1e83743f7e62c89eca45000c2e84e6edc Mon Sep 17 00:00:00 2001
From: Peter Simons <psimons () suse com>
Date: Thu, 14 Apr 2016 16:15:13 +0200
Subject: [PATCH 1/2] xmlStringGetNodeList: limit the function to 1024
recursions to avoid CVE-2016-3627
This patch prevents stack overflows like the one reported in
https://bugzilla.gnome.org/show_bug.cgi?id=762100.
---
tree.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Index: libxml2-2.9.3/tree.c
===================================================================
--- libxml2-2.9.3.orig/tree.c
+++ libxml2-2.9.3/tree.c
@@ -1464,6 +1464,8 @@ out:
return(ret);
}
+static xmlNodePtr xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel);
+
/**
* xmlStringGetNodeList:
* @doc: the document
@@ -1475,6 +1477,12 @@ out:
*/
xmlNodePtr
xmlStringGetNodeList(const xmlDoc *doc, const xmlChar *value) {
+ return xmlStringGetNodeListInternal(doc, value, 0);
+ }
+
+xmlNodePtr
+xmlStringGetNodeListInternal(const xmlDoc *doc, const xmlChar *value, size_t recursionLevel) {
+
xmlNodePtr ret = NULL, last = NULL;
xmlNodePtr node;
xmlChar *val;
@@ -1483,6 +1491,8 @@ xmlStringGetNodeList(const xmlDoc *doc,
xmlEntityPtr ent;
xmlBufPtr buf;
+ if (recursionLevel > 1024) return(NULL);
+
if (value == NULL) return(NULL);
buf = xmlBufCreateSize(0);
@@ -1593,8 +1603,9 @@ xmlStringGetNodeList(const xmlDoc *doc,
else if ((ent != NULL) && (ent->children == NULL)) {
xmlNodePtr temp;
- ent->children = xmlStringGetNodeList(doc,
- (const xmlChar*)node->content);
+ ent->children = xmlStringGetNodeListInternal(doc,
+ (const xmlChar*)node->content,
+ recursionLevel+1);
ent->owner = 1;
temp = ent->children;
while (temp) {
|