c/libxml2
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxml2 synced 2025-03-28 21:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix buffer size checks in xmlSnprintfElementContent

Browse Source 
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.

Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).

Thanks to Marcel Böhme and Thuan Pham for the report.
This commit is contained in:
Nick Wellnhofer 2017-06-03 02:01:29 +02:00
parent e26630548e
commit 932cc9896a
5 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
result/valid/781333.xml Normal file
View File

File diff suppressed because one or more lines are too long

3
result/valid/781333.xml.err Normal file
View File

@ -0,0 +1,3 @@
./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
<a/>
^

6
result/valid/781333.xml.err.rdr Normal file
View File

@ -0,0 +1,6 @@
./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got
<a/>
^
./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
^

4
test/valid/781333.xml Normal file
View File

File diff suppressed because one or more lines are too long

22
valid.c
View File

@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
case XML_ELEMENT_CONTENT_PCDATA:
strcat(buf, "#PCDATA");
break;
case XML_ELEMENT_CONTENT_ELEMENT:
if (content->prefix != NULL) {
if (size - len < xmlStrlen(content->prefix) + 10) {
strcat(buf, " ...");
return;
}
strcat(buf, (char *) content->prefix);
strcat(buf, ":");
}
if (size - len < xmlStrlen(content->name) + 10) {
case XML_ELEMENT_CONTENT_ELEMENT: {
int qnameLen = xmlStrlen(content->name);
if (content->prefix != NULL)
qnameLen += xmlStrlen(content->prefix) + 1;
if (size - len < qnameLen + 10) {
strcat(buf, " ...");
return;
}
if (content->prefix != NULL) {
strcat(buf, (char *) content->prefix);
strcat(buf, ":");
}
if (content->name != NULL)
strcat(buf, (char *) content->name);
break;
}
case XML_ELEMENT_CONTENT_SEQ:
if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
(content->c1->type == XML_ELEMENT_CONTENT_SEQ))
@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
xmlSnprintfElementContent(buf, size, content->c2, 0);
break;
}
if (size - strlen(buf) <= 2) return;
if (englob)
strcat(buf, ")");
switch (content->ocur) {