ports/137980: fix for textprox/libxml2
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp
Wed Aug 19 23:30:05 UTC 2009
>Number: 137980
>Category: ports
>Synopsis: fix for textprox/libxml2
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 19 23:30:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 7.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.2-STABLE FreeBSD 7.2-STABLE #19: Sun Jun 21 20:36:09 JST 2009 turutani at h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
CVE-2009-2414, CVE-2009-2416 are issued.
some fixes are required to textproc/libxml2.
>How-To-Repeat:
>Fix:
here is a patch, taken from Debian:
--- parser.c.orig
+++ parser.c
@@ -5306,7 +5306,8 @@
if (name == NULL) {
xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
"Name expected in NOTATION declaration\n");
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
tmp = ret;
while (tmp != NULL) {
@@ -5322,7 +5323,10 @@
}
if (tmp == NULL) {
cur = xmlCreateEnumeration(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5334,8 +5338,8 @@
if (RAW != ')') {
xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
}
NEXT;
return(ret);
@@ -5390,7 +5394,10 @@
cur = xmlCreateEnumeration(name);
if (!xmlDictOwns(ctxt->dict, name))
xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL){
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
if (last == NULL) ret = last = cur;
else {
last->next = cur;
@@ -5794,6 +5801,11 @@
const xmlChar *elem;
xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED, "xmlParseElementChildrenContentDecl : depth %d too deep\n", ctxt->depth);
+ return(NULL);
+ }
+
SKIP_BLANKS;
GROW;
if (RAW == '(') {
@@ -5802,7 +5814,9 @@
/* Recurse on first child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
GROW;
} else {
@@ -5934,7 +5948,9 @@
/* Recurse on second child */
NEXT;
SKIP_BLANKS;
+ ctxt->depth++;
last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
SKIP_BLANKS;
} else {
elem = xmlParseName(ctxt);
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list