author | Robin H. Johnson <robbat2@gentoo.org> | 2008-12-23 04:56:02 +0000 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2008-12-23 04:56:02 +0000 |
commit | afaf4ed422f7a345edc5f138a5c5c66cc27d4be8 (patch) | |
tree | 2de207d464bd36b5d7c0425757956e69db0dcc16 /dev-libs/libxml2/files | |
parent | New slim.conf patch (bug 250722) by Nico R. Wohlgemuth. Converted to EAPI-2 s... (diff) | |
Backport the security fix from bug #245960 because libxml2-2.7.x causes massive PHP breakage per bug #249703.
Package-Manager: portage-2.2_rc18/cvs/Linux 2.6.28-rc5-00117-g7f0f598 x86_64
Diffstat (limited to 'dev-libs/libxml2/files')
-rw-r--r-- | dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch b/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch
new file mode 100644
index 000000000000..87d0b5977a21
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.6.32-CVE-2008-422x.patch
@@ -0,0 +1,102 @@
+This patch backported from libxml2-2.7.2-CVE-2008-422x.patch.
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+Original changelog message:
+Mon Nov 17 16:56:18 CET 2008 Daniel Veillard <daniel@...> (upstream revision 3803)
+
+ * SAX2.c parser.c: fix for CVE-2008-4226, a memory overflow
+ when building gigantic text nodes, and a bit of cleanup
+ to better handled out of memory problem in that code.
+ * tree.c: fix for CVE-2008-4225, lack of testing leads to
+ a busy loop test assuming one have enough core memory.
+
+diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/SAX2.c libxml2-2.6.32/SAX2.c
+--- libxml2-2.6.32.orig/SAX2.c 2008-01-25 05:10:04.000000000 -0800
++++ libxml2-2.6.32/SAX2.c 2008-12-22 20:42:14.039171616 -0800
+@@ -11,6 +11,7 @@
+ #include "libxml.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <libxml/xmlmemory.h>
+ #include <libxml/tree.h>
+ #include <libxml/parser.h>
+@@ -26,6 +27,11 @@
+ #include <libxml/HTMLtree.h>
+ #include <libxml/globals.h>
+
++/* Define SIZE_T_MAX unless defined through <limits.h>. */
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX ((size_t)-1)
++#endif /* !SIZE_T_MAX */
++
+ /* #define DEBUG_SAX2 */
+ /* #define DEBUG_SAX2_TREE */
+
+@@ -2445,9 +2451,14 @@
+ (xmlDictOwns(ctxt->dict, lastChild->content))) {
+ lastChild->content = xmlStrdup(lastChild->content);
+ }
++ if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len ||
++ (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) {
++ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented");
++ return;
++ }
+ if (ctxt->nodelen + len >= ctxt->nodemem) {
+ xmlChar *newbuf;
+- int size;
++ size_t size;
+
+ size = ctxt->nodemem + len;
+ size *= 2;
+diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/tree.c libxml2-2.6.32/tree.c
+--- libxml2-2.6.32.orig/tree.c 2008-04-08 06:54:48.000000000 -0700
++++ libxml2-2.6.32/tree.c 2008-12-22 20:47:22.365674451 -0800
+@@ -14,7 +14,7 @@
+ #include "libxml.h"
+
+ #include <string.h> /* for memset() only ! */
+-
++#include <limits.h>
+ #ifdef HAVE_CTYPE_H
+ #include <ctype.h>
+ #endif
+@@ -6916,7 +6916,13 @@
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+ newSize = (buf->size ? buf->size*2 : size + 10);
+- while (size > newSize) newSize *= 2;
++ while (size > newSize) {
++ if (newSize > UINT_MAX / 2) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++ newSize *= 2;
++ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+ newSize = size+10;
+diff -Nuar --exclude '*~' --exclude '*.rej' --exclude '*.rej2' --exclude '*.orig' libxml2-2.6.32.orig/parser.c libxml2-2.6.32/parser.c
+--- libxml2-2.6.32.orig/parser.c 2008-04-08 07:47:58.000000000 -0700
++++ libxml2-2.6.32/parser.c 2008-12-22 20:42:14.053327110 -0800
+@@ -3758,6 +3758,9 @@
+ line = ctxt->input->line;
+ col = ctxt->input->col;
+ }
++ /* something really bad happened in the SAX callback */
++ if (ctxt->instate != XML_PARSER_CONTENT)
++ return;
+ }
+ ctxt->input->cur = in;
+ if (*in == 0xD) {
+@@ -3838,6 +3841,9 @@
+ }
+ }
+ nbchar = 0;
++ /* something really bad happened in the SAX callback */
++ if (ctxt->instate != XML_PARSER_CONTENT)
++ return;
+ }
+ count++;
+ if (count > 50) {
|
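Review bot: The overflow guard added in the SAX2.c part (inner hunk `@@ -2445,9 +2451,14 @@`) bounds the sum against SIZE_T_MAX, but the unchanged comparison right below it, `ctxt->nodelen + len >= ctxt->nodemem`, still adds the operands in their own type. The casts and the removed `int size` suggest these are int; if so, on a platform where size_t is wider than int the guard can pass values whose int sum has already overflowed, and the doubled `size` may not fit back into `nodemem` (that store is outside the hunk, so this part is inferred). Bounding against INT_MAX, which the added `<limits.h>` already provides, would cover both cases: `if (len > INT_MAX - ctxt->nodelen || ctxt->nodemem > INT_MAX / 2 - len) {`. The enclosing function begins and ends outside the hunk, so the later use of `size` should be checked against the full file before applying the backport.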