-
Notifications
You must be signed in to change notification settings - Fork 245
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASB - Security Patch integration October 2023
Tracked-On: OAM-112412 Signed-off-by: Alam, SahibeX <[email protected]>
- Loading branch information
Showing
26 changed files
with
5,644 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
126 changes: 126 additions & 0 deletions
126
...nary/external/libxml2/0001-malloc-fail-Fix-OOB-read-after-xmlRegGetCounter.bulletin.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| From f8016cd3e5e5ddef29a97122382fbd863813f9d3 Mon Sep 17 00:00:00 2001 | ||
| From: Nick Wellnhofer <[email protected]> | ||
| Date: Fri, 17 Feb 2023 15:53:07 +0100 | ||
| Subject: [PATCH] malloc-fail: Fix OOB read after xmlRegGetCounter | ||
|
|
||
| Found with libFuzzer, see #344. | ||
|
|
||
| (cherry picked from commit 1743c4c3fc58cf38ecce68db9de51d0f3651e033) | ||
|
|
||
| I also copied the error label from | ||
| e64653c0e7975594e27d7de2ed4be062c1e4ad03 to fix the build failure. | ||
|
|
||
| Bug: http://b/274231102 | ||
| Test: TreeHugger | ||
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:761198eaee09f721452adfefa92b9a6c9b875f24) | ||
| Merged-In: I3bad3e03092e17a761cb6e299aff848ebd35b6f4 | ||
| Change-Id: I3bad3e03092e17a761cb6e299aff848ebd35b6f4 | ||
| --- | ||
| xmlregexp.c | 28 ++++++++++++++++++++++++++++ | ||
| 1 file changed, 28 insertions(+) | ||
|
|
||
| diff --git a/xmlregexp.c b/xmlregexp.c | ||
| index 40dabb20..0395219a 100644 | ||
| --- a/xmlregexp.c | ||
| +++ b/xmlregexp.c | ||
| @@ -1673,6 +1673,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, | ||
| return(-1); | ||
| inter = ctxt->state; | ||
| counter = xmlRegGetCounter(ctxt); | ||
| + if (counter < 0) | ||
| + return(-1); | ||
| ctxt->counters[counter].min = atom->min - 1; | ||
| ctxt->counters[counter].max = atom->max - 1; | ||
| /* count the number of times we see it again */ | ||
| @@ -1691,6 +1693,8 @@ xmlFAGenerateTransitions(xmlRegParserCtxtPtr ctxt, xmlRegStatePtr from, | ||
| * epsilon transition. | ||
| */ | ||
| counter = xmlRegGetCounter(ctxt); | ||
| + if (counter < 0) | ||
| + return(-1); | ||
| ctxt->counters[counter].min = atom->min - 1; | ||
| ctxt->counters[counter].max = atom->max - 1; | ||
| /* count the number of times we see it again */ | ||
| @@ -6008,6 +6012,8 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| * associate a counter to the transition. | ||
| */ | ||
| counter = xmlRegGetCounter(am); | ||
| + if (counter < 0) | ||
| + goto error; | ||
| am->counters[counter].min = min; | ||
| am->counters[counter].max = max; | ||
|
|
||
| @@ -6027,6 +6033,10 @@ xmlAutomataNewCountTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| if (min == 0) | ||
| xmlFAGenerateEpsilonTransition(am, from, to); | ||
| return(to); | ||
| + | ||
| +error: | ||
| + xmlRegFreeAtom(atom); | ||
| + return(NULL); | ||
| } | ||
|
|
||
| /** | ||
| @@ -6074,6 +6084,8 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| * associate a counter to the transition. | ||
| */ | ||
| counter = xmlRegGetCounter(am); | ||
| + if (counter < 0) | ||
| + goto error; | ||
| am->counters[counter].min = min; | ||
| am->counters[counter].max = max; | ||
|
|
||
| @@ -6093,6 +6105,10 @@ xmlAutomataNewCountTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| if (min == 0) | ||
| xmlFAGenerateEpsilonTransition(am, from, to); | ||
| return(to); | ||
| + | ||
| +error: | ||
| + xmlRegFreeAtom(atom); | ||
| + return(NULL); | ||
| } | ||
|
|
||
| /** | ||
| @@ -6160,6 +6176,8 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| * associate a counter to the transition. | ||
| */ | ||
| counter = xmlRegGetCounter(am); | ||
| + if (counter < 0) | ||
| + goto error; | ||
| am->counters[counter].min = 1; | ||
| am->counters[counter].max = 1; | ||
|
|
||
| @@ -6172,6 +6190,10 @@ xmlAutomataNewOnceTrans2(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| xmlRegAtomPush(am, atom); | ||
| am->state = to; | ||
| return(to); | ||
| + | ||
| +error: | ||
| + xmlRegFreeAtom(atom); | ||
| + return(NULL); | ||
| } | ||
|
|
||
|
|
||
| @@ -6219,6 +6241,8 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| * associate a counter to the transition. | ||
| */ | ||
| counter = xmlRegGetCounter(am); | ||
| + if (counter < 0) | ||
| + goto error; | ||
| am->counters[counter].min = 1; | ||
| am->counters[counter].max = 1; | ||
|
|
||
| @@ -6231,6 +6255,10 @@ xmlAutomataNewOnceTrans(xmlAutomataPtr am, xmlAutomataStatePtr from, | ||
| xmlRegAtomPush(am, atom); | ||
| am->state = to; | ||
| return(to); | ||
| + | ||
| +error: | ||
| + xmlRegFreeAtom(atom); | ||
| + return(NULL); | ||
| } | ||
|
|
||
| /** | ||
| -- | ||
| 2.42.0.rc2.253.gd59a3bf2b4-goog | ||
|
|
Oops, something went wrong.