Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-6]: src/external/mit/expat/dist Pull up revisions:
details: https://anonhg.NetBSD.org/src/rev/cfcd9efd0120
branches: netbsd-6
changeset: 775531:cfcd9efd0120
user: jdc <jdc%NetBSD.org@localhost>
date: Sat Nov 24 21:08:46 2012 +0000
description:
Pull up revisions:
src/external/mit/expat/dist/lib/expat.h 1.1.1.2 via patch
src/external/mit/expat/dist/lib/xmlparse.c 1.1.1.2 via patch
src/external/mit/expat/dist/xmlwf/readfilemap.c 1.1.1.2 via patch
(requested by spz in ticket #715)
import of expat 2.1.0
Fixes CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876 (other security
issues have been previously fixed in our tree)
diffstat:
external/mit/expat/dist/lib/expat.h | 9 +
external/mit/expat/dist/lib/xmlparse.c | 182 ++++++++++++++++++---------
external/mit/expat/dist/xmlwf/readfilemap.c | 2 +
3 files changed, 132 insertions(+), 61 deletions(-)
diffs (truncated from 598 to 300 lines):
diff -r 3a4201a2aeef -r cfcd9efd0120 external/mit/expat/dist/lib/expat.h
--- a/external/mit/expat/dist/lib/expat.h Sat Nov 24 20:58:00 2012 +0000
+++ b/external/mit/expat/dist/lib/expat.h Sat Nov 24 21:08:46 2012 +0000
@@ -883,6 +883,15 @@
XML_SetParamEntityParsing(XML_Parser parser,
enum XML_ParamEntityParsing parsing);
+/* Sets the hash salt to use for internal hash calculations.
+ Helps in preventing DoS attacks based on predicting hash
+ function behavior. This must be called before parsing is started.
+ Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+ unsigned long hash_salt);
+
/* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
XML_GetErrorCode returns information about the error.
*/
diff -r 3a4201a2aeef -r cfcd9efd0120 external/mit/expat/dist/lib/xmlparse.c
--- a/external/mit/expat/dist/lib/xmlparse.c Sat Nov 24 20:58:00 2012 +0000
+++ b/external/mit/expat/dist/lib/xmlparse.c Sat Nov 24 21:08:46 2012 +0000
@@ -5,6 +5,8 @@
#include <stddef.h>
#include <string.h> /* memset(), memcpy() */
#include <assert.h>
+#include <limits.h> /* UINT_MAX */
+#include <time.h> /* time() */
#define XML_BUILDING_EXPAT 1
@@ -391,12 +393,13 @@
static void
dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms);
static int
-dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
+dtdCopy(XML_Parser oldParser,
+ DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
static int
-copyEntityTable(HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
-
+copyEntityTable(XML_Parser oldParser,
+ HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
static NAMED *
-lookup(HASH_TABLE *table, KEY name, size_t createSize);
+lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize);
static void FASTCALL
hashTableInit(HASH_TABLE *, const XML_Memory_Handling_Suite *ms);
static void FASTCALL hashTableClear(HASH_TABLE *);
@@ -429,11 +432,15 @@
getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
+static unsigned long generate_hash_secret_salt(void);
+static XML_Bool startParsing(XML_Parser parser);
+
static XML_Parser
parserCreate(const XML_Char *encodingName,
const XML_Memory_Handling_Suite *memsuite,
const XML_Char *nameSep,
DTD *dtd);
+
static void
parserInit(XML_Parser parser, const XML_Char *encodingName);
@@ -546,6 +553,7 @@
XML_Bool m_useForeignDTD;
enum XML_ParamEntityParsing m_paramEntityParsing;
#endif
+ unsigned long m_hash_secret_salt;
};
#define MALLOC(s) (parser->m_mem.malloc_fcn((s)))
@@ -653,6 +661,7 @@
#define useForeignDTD (parser->m_useForeignDTD)
#define paramEntityParsing (parser->m_paramEntityParsing)
#endif /* XML_DTD */
+#define hash_secret_salt (parser->m_hash_secret_salt)
XML_Parser XMLCALL
XML_ParserCreate(const XML_Char *encodingName)
@@ -677,22 +686,35 @@
ASCII_s, ASCII_p, ASCII_a, ASCII_c, ASCII_e, '\0'
};
+static unsigned long
+generate_hash_secret_salt(void)
+{
+ unsigned int seed = time(NULL) % UINT_MAX;
+ srand(seed);
+ return rand();
+}
+
+static XML_Bool /* only valid for root parser */
+startParsing(XML_Parser parser)
+{
+ /* hash functions must be initialized before setContext() is called */
+ if (hash_secret_salt == 0)
+ hash_secret_salt = generate_hash_secret_salt();
+ if (ns) {
+ /* implicit context only set for root parser, since child
+ parsers (i.e. external entity parsers) will inherit it
+ */
+ return setContext(parser, implicitContext);
+ }
+ return XML_TRUE;
+}
+
XML_Parser XMLCALL
XML_ParserCreate_MM(const XML_Char *encodingName,
const XML_Memory_Handling_Suite *memsuite,
const XML_Char *nameSep)
{
- XML_Parser parser = parserCreate(encodingName, memsuite, nameSep, NULL);
- if (parser != NULL && ns) {
- /* implicit context only set for root parser, since child
- parsers (i.e. external entity parsers) will inherit it
- */
- if (!setContext(parser, implicitContext)) {
- XML_ParserFree(parser);
- return NULL;
- }
- }
- return parser;
+ return parserCreate(encodingName, memsuite, nameSep, NULL);
}
static XML_Parser
@@ -866,6 +888,7 @@
useForeignDTD = XML_FALSE;
paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
#endif
+ hash_secret_salt = 0;
}
/* moves list of bindings to freeBindingList */
@@ -913,7 +936,7 @@
poolClear(&temp2Pool);
parserInit(parser, encodingName);
dtdReset(_dtd, &parser->m_mem);
- return setContext(parser, implicitContext);
+ return XML_TRUE;
}
enum XML_Status XMLCALL
@@ -982,6 +1005,12 @@
int oldInEntityValue = prologState.inEntityValue;
#endif
XML_Bool oldns_triplets = ns_triplets;
+ /* Note that the new parser shares the same hash secret as the old
+ parser, so that dtdCopy and copyEntityTable can lookup values
+ from hash tables associated with either parser without us having
+ to worry which hash secrets each table has.
+ */
+ unsigned long oldhash_secret_salt = hash_secret_salt;
#ifdef XML_DTD
if (!context)
@@ -1035,13 +1064,14 @@
externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg;
defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
ns_triplets = oldns_triplets;
+ hash_secret_salt = oldhash_secret_salt;
parentParser = oldParser;
#ifdef XML_DTD
paramEntityParsing = oldParamEntityParsing;
prologState.inEntityValue = oldInEntityValue;
if (context) {
#endif /* XML_DTD */
- if (!dtdCopy(_dtd, oldDtd, &parser->m_mem)
+ if (!dtdCopy(oldParser, _dtd, oldDtd, &parser->m_mem)
|| !setContext(parser, context)) {
XML_ParserFree(parser);
return NULL;
@@ -1426,6 +1456,17 @@
#endif
}
+int XMLCALL
+XML_SetHashSalt(XML_Parser parser,
+ unsigned long hash_salt)
+{
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+ if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)
+ return 0;
+ hash_secret_salt = hash_salt;
+ return 1;
+}
+
enum XML_Status XMLCALL
XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
{
@@ -1436,6 +1477,11 @@
case XML_FINISHED:
errorCode = XML_ERROR_FINISHED;
return XML_STATUS_ERROR;
+ case XML_INITIALIZED:
+ if (parentParser == NULL && !startParsing(parser)) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return XML_STATUS_ERROR;
+ }
default:
ps_parsing = XML_PARSING;
}
@@ -1494,11 +1540,13 @@
break;
case XML_INITIALIZED:
case XML_PARSING:
- result = XML_STATUS_OK;
if (isFinal) {
ps_parsing = XML_FINISHED;
- return result;
+ return XML_STATUS_OK;
}
+ /* fall through */
+ default:
+ result = XML_STATUS_OK;
}
}
@@ -1559,6 +1607,11 @@
case XML_FINISHED:
errorCode = XML_ERROR_FINISHED;
return XML_STATUS_ERROR;
+ case XML_INITIALIZED:
+ if (parentParser == NULL && !startParsing(parser)) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return XML_STATUS_ERROR;
+ }
default:
ps_parsing = XML_PARSING;
}
@@ -2240,7 +2293,7 @@
next - enc->minBytesPerChar);
if (!name)
return XML_ERROR_NO_MEMORY;
- entity = (ENTITY *)lookup(&dtd->generalEntities, name, 0);
+ entity = (ENTITY *)lookup(parser, &dtd->generalEntities, name, 0);
poolDiscard(&dtd->pool);
/* First, determine if a check for an existing declaration is needed;
if yes, check that the entity exists, and that it is internal,
@@ -2630,12 +2683,12 @@
const XML_Char *localPart;
/* lookup the element type name */
- elementType = (ELEMENT_TYPE *)lookup(&dtd->elementTypes, tagNamePtr->str,0);
+ elementType = (ELEMENT_TYPE *)lookup(parser, &dtd->elementTypes, tagNamePtr->str,0);
if (!elementType) {
const XML_Char *name = poolCopyString(&dtd->pool, tagNamePtr->str);
if (!name)
return XML_ERROR_NO_MEMORY;
- elementType = (ELEMENT_TYPE *)lookup(&dtd->elementTypes, name,
+ elementType = (ELEMENT_TYPE *)lookup(parser, &dtd->elementTypes, name,
sizeof(ELEMENT_TYPE));
if (!elementType)
return XML_ERROR_NO_MEMORY;
@@ -2804,9 +2857,9 @@
if (s[-1] == 2) { /* prefixed */
ATTRIBUTE_ID *id;
const BINDING *b;
- unsigned long uriHash = 0;
+ unsigned long uriHash = hash_secret_salt;
((XML_Char *)s)[-1] = 0; /* clear flag */
- id = (ATTRIBUTE_ID *)lookup(&dtd->attributeIds, s, 0);
+ id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
b = id->prefix->binding;
if (!b)
return XML_ERROR_UNBOUND_PREFIX;
@@ -2828,7 +2881,7 @@
} while (*s++);
{ /* Check hash table for duplicate of expanded name (uriName).
- Derived from code in lookup(HASH_TABLE *table, ...).
+ Derived from code in lookup(parser, HASH_TABLE *table, ...).
*/
unsigned char step = 0;
unsigned long mask = nsAttsSize - 1;
@@ -3777,7 +3830,8 @@
case XML_ROLE_DOCTYPE_PUBLIC_ID:
#ifdef XML_DTD
useForeignDTD = XML_FALSE;
- declEntity = (ENTITY *)lookup(&dtd->paramEntities,
+ declEntity = (ENTITY *)lookup(parser,
+ &dtd->paramEntities,
externalSubsetName,
sizeof(ENTITY));
if (!declEntity)
@@ -3832,7 +3886,8 @@
XML_Bool hadParamEntityRefs = dtd->hasParamEntityRefs;
dtd->hasParamEntityRefs = XML_TRUE;
if (paramEntityParsing && externalEntityRefHandler) {
- ENTITY *entity = (ENTITY *)lookup(&dtd->paramEntities,
+ ENTITY *entity = (ENTITY *)lookup(parser,
+ &dtd->paramEntities,
externalSubsetName,
sizeof(ENTITY));
if (!entity)
@@ -3876,7 +3931,7 @@
XML_Bool hadParamEntityRefs = dtd->hasParamEntityRefs;
dtd->hasParamEntityRefs = XML_TRUE;
Home |
Main Index |
Thread Index |
Old Index