
libxml2


#1

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/db07dd613e461df93dde7902c6505629bf0734e9
Description: Heap-based buffer overread in xmlParserPrintFileContextInternal
CVE Info: CVE-2016-1838

At parser.c

@@ -9825,7 +9825,6 @@ static void
 xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
                 const xmlChar *URI, int line, int nsNr, int tlen) {
     const xmlChar *name;
+    size_t curLength;
     GROW;
     if ((RAW != '<') || (NXT(1) != '/')) {
@@ -9834,11 +9833,8 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix,
     }
     SKIP(2);
+    curLength = ctxt->input->end - ctxt->input->cur;
+    if ((tlen > 0) && (curLength >= (size_t)tlen) &&
+        (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
+        if ((curLength >= (size_t)(tlen + 1)) &&
+	    (ctxt->input->cur[tlen] == '>')) {
-    if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) {
-             if (ctxt->input->cur[tlen] == '>') {
 	    ctxt->input->cur += tlen + 1;
 	    ctxt->input->col += tlen + 1;
 	    goto done;
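Review bot: The second guard at L28 computes `tlen + 1` in signed int before casting, even though the first guard has already established `tlen > 0` and `curLength >= (size_t)tlen`; the same bound reads more directly, and avoids the signed addition, as `if ((curLength > (size_t)tlen) && (ctxt->input->cur[tlen] == '>')) {`. The continuation line at L29 is indented with a tab followed by spaces while the rest of the hunk uses spaces, which will look misaligned in any editor with a different tab width. A one-line comment above the new `curLength` check would make the intent explicit for the fast path: `/* the whole name plus the closing '>' must lie inside the buffer before we compare */`. xmlParseEndTag2 continues past the hunk, so the slow path taken when these guards fail is not visible here.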

Tags
#Omission #Multi-line #Modified #CVE

#2

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/a820dbeac29d330bae4be05d9ecd939ad6b4aa33
Description: Heap-based buffer overread in xmlDictAddString
CVE Info: CVE-2016-1839

At HTMLparser.c

@@ -2472,8 +2472,6 @@ htmlParseName(htmlParserCtxtPtr ctxt) {
 	       (*in == ':') || (*in == '.'))
 	    in++;
+	if (in == ctxt->input->end)
+	    return(NULL);
 	if ((*in > 0) && (*in < 0x80)) {
 	    count = in - ctxt->input->cur;
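Review bot: The new `in == ctxt->input->end` check only catches the case where the scan loop at L48-49 stopped exactly at the end of the buffer; the loop itself dereferences `*in` with no bound, so the check is sufficient only if the byte at `input->end` is something the loop rejects (libxml2 keeps a NUL there, presumably, but that is not visible in this hunk and is worth confirming). A comment at L50 would record that dependency: `/* the scan above relies on the terminator at input->end; do not read past it */`. htmlParseName starts outside the hunk, so how `in` is initialised cannot be checked here.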
@@ -2519,8 +2517,6 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	c = CUR_CHAR(l);
     }
+    if (ctxt->input->base > ctxt->input->cur - len)
+	return(NULL);
     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
 }
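Review bot: The guard `ctxt->input->base > ctxt->input->cur - len` forms the pointer `cur - len` before comparing it, which is exactly the out-of-range pointer it is meant to reject; comparing offsets makes the same check without the questionable arithmetic: `if ((ctxt->input->cur - ctxt->input->base) < len) return(NULL);`. `len` is accumulated earlier in xmlParseNameComplex, outside the hunk, so its type and whether it can be negative are not visible here and should be checked before relying on the comparison. Returning NULL without an xmlFatalErr means the caller sees only "no name"; whether that is reported as an error is not visible in this hunk.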

Tags
#Omission #Multi-line #Added #CVE

#3

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/00906759053986b8079985644172085f74331f83
Description: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE Info: CVE-2016-4447

At parser.c

@@ -6708,7 +6708,6 @@ xmlParseElementDecl(xmlParserCtxtPtr ctxt) {
 	if (!IS_BLANK_CH(CUR)) {
 	    xmlFatalErrMsg(ctxt, XML_ERR_SPACE_REQUIRED,
 		           "Space required after 'ELEMENT'\n");
+	    return(-1);
 	}
         SKIP_BLANKS;
         name = xmlParseName(ctxt);
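Review bot: The added `return(-1)` leaves xmlParseElementDecl immediately after the fatal error with no cleanup, which is correct only if nothing has been acquired before this point; nothing in the visible lines is allocated, but the function starts outside the hunk so that cannot be confirmed here. The previous code fell through to `SKIP_BLANKS` and `xmlParseName` at a position that had just been diagnosed as malformed, which is presumably the path the CVE exercised; a why-comment at L77 would keep that from being "simplified" away later: `/* stop here: parsing a name at an unexpected position is what overran the buffer */`.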

Tags
#Etc #Single-line #Added #CVE

#4

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/4629ee02ac649c27f9c0cf98ba017c6b5526070f
Description: Improper Restriction of XML External Entity Reference
CVE Info: CVE-2016-9318

At parser.c

@@ -6933,9 +6933,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
      * far more secure as the parser will only process data coming from
      * the document entity by default.
      */
+    if ((ent->checked == 0) &&
+        ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) ||
+         (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) {
-    if (ent->checked == 0) {
 	unsigned long oldnbent = ctxt->nbentities;
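Review bot: The new condition at L98-99 makes `XML_PARSE_DTDVALID` on its own sufficient to process an external parsed entity, not just `XML_PARSE_NOENT`; that is a non-obvious choice for a caller that only asked for validation, and the reason is not visible in the hunk, so it deserves a comment at L99 such as `/* DTDVALID also loads external parsed entities (needed for validation); otherwise only NOENT does */`. The comment block at L94-95 describes the default as processing only the document entity, which matches the new code, but note that `ent->checked == 0` still gates the whole block, so an already-checked entity is skipped regardless of these options. xmlParseReference continues outside the hunk.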
 	/*

Tags
#Invalid-condition #Multi-line #Modified #CVE

#5

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3
Description: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE Info: CVE-2017-16931

At parser.c

@@ -3353,7 +3353,11 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
 	    return(NULL);
 	}
 	len += l;
+	NEXTL(l);
-	if (*(ctxt->input->cur) == '\n') {
-	ctxt->input->line++; ctxt->input->col = 1;
-    } else ctxt->input->col++;
-    ctxt->input->cur += l;
-	if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
 	c = CUR_CHAR(l);
 	while ((c != ' ') && (c != '>') && (c != '/') && /* accelerators */
 	       (((c >= 'a') && (c <= 'z')) ||
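Review bot: Replacing the open-coded advance with `NEXTL(l)` silently drops the `if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);` call the old code made on every character of a name; if that removal is the actual fix (a PE reference expanded mid-name can swap the input buffer that `cur - len` is later read from, which presumably is the overread here), a comment at L119 should say so: `/* no PE-reference handling while scanning a name: replacing the input mid-name invalidates cur - len */`. NEXTL's definition is not in the hunk, so whether its line/column accounting differs from the removed code (which bumped `col` by one regardless of `l`) cannot be checked from here. xmlParseNameComplex continues on both sides of the hunk.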
@@ -3930,7 +3934,11 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
 	    buf = tmp;
 	}
 	COPY_BUF(l,buf,len,c);
+	NEXTL(l);
-	if (*(ctxt->input->cur) == '\n') {
-	ctxt->input->line++; ctxt->input->col = 1;
-    } else ctxt->input->col++;
-    ctxt->input->cur += l;
-	if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
 	/*
 	 * Pop-up of finished entities.
 	 */
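Review bot: In xmlParseEntityValue the removed `%` check at L137 was the point where a parameter-entity reference inside the literal was handled during the scan; `NEXTL(l)` no longer does this, so either PE substitution now happens in a later pass over `buf` (not visible here — confirm) or it was deliberately removed, and a one-line comment at L132 should record which: `/* PE references are not expanded during collection; the raw value is gathered first */`. The "Pop-up of finished entities" block that follows is cut off by the hunk, so how end-of-entity is detected after the advance cannot be reviewed here.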
@@ -4365,7 +4373,11 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
             }
 	}
 	COPY_BUF(l,buf,len,cur);
+	NEXTL(l);
-	if (*(ctxt->input->cur) == '\n') {
-	ctxt->input->line++; ctxt->input->col = 1;
-    } else ctxt->input->col++;
-    ctxt->input->cur += l;
-	if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);
 	cur = CUR_CHAR(l);
 	if (cur == 0) {
 	    GROW;

Tags
#Logical-error #Multi-line #Modified #CVE

#6

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
Description: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE Info: CVE-2017-16932

At parser.c

@@ -2252,7 +2252,6 @@ xmlPushInput(xmlParserCtxtPtr ctxt, xmlParserInputPtr input) {
     }
     if (((ctxt->inputNr > 40) && ((ctxt->options & XML_PARSE_HUGE) == 0)) ||
         (ctxt->inputNr > 1024)) {
+        xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
         while (ctxt->inputNr > 1)
             xmlFreeInputStream(inputPop(ctxt));
 	return(-1);
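Review bot: Raising `XML_ERR_ENTITY_LOOP` before the `while (ctxt->inputNr > 1)` unwind is the right order, since the error's reported location comes from the inputs that are freed immediately below; a comment would keep a later refactor from swapping the two: `/* report before unwinding: the error location comes from the inputs popped just below */`. The infinite-loop fix relies on xmlFatalErr putting the context into an error state that the callers' loops check, which is not visible in this hunk and is worth confirming. The depth limits 40 and 1024 at L168-169 are bare literals; giving them named constants would make the policy easier to find and document.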

Tags
#Infinite-loop-error #Etc #Single-line #Added #CVE

#7

Link: https://gitlab.gnome.org/GNOME/libxml2/commit/a7a94612aa3b16779e2c74e1fa353b5d9786c602
Description: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE Info: CVE-2016-1762

At parser.c

@@ -8468,7 +8468,6 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
      */
     if (RAW != '>') {
 	xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
+	return;
     }
     NEXT;
 }
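Review bot: The bare `return;` shows xmlParseInternalSubset is void, so the caller gets no signal from this early exit beyond whatever xmlFatalErr records in the context; the fix therefore depends on the caller checking the error state (or on xmlFatalErr disabling further parsing), which is worth stating at L190: `/* leave cur at the offending byte; the error state set by xmlFatalErr informs the caller */`. Skipping `NEXT` also means the unexpected character is not consumed, which is presumably what prevented the out-of-bounds access; confirm that no caller then loops on the same byte. The function's beginning is outside the hunk.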

Tags
#Etc #Single-line #Added #CVE
