libxslt: revision bump to address open CVEs

- Add patches copied from Debian to address open CVEs
- Update mail address of maintainer
- Fix a typo
- Add --disable-silent-rules for verbose build output

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Sebastian Kemper 2018-01-30 15:28:33 +01:00
parent f84cc525d6
commit 7d2337a17f
18 changed files with 1009 additions and 4 deletions


@ -1,5 +1,5 @@
#
# Copyright (C) 2014 OpenWrt.org
# Copyright (C) 2014 - 2018 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libxslt
PKG_VERSION:=1.1.28
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
@ -20,7 +20,7 @@ PKG_MD5SUM:=9667bf6f9310b957254fdcf6596600b7
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=COPYING
PKG_MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
PKG_MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
@ -43,7 +43,7 @@ define Package/libexslt
SECTION:=libs
CATEGORY:=Libraries
DEPENDS:=+libxslt
TITLE:=Gnome XSLT library Extention
TITLE:=Gnome XSLT library Extension
URL:=http://xmlsoft.org/XSLT/EXSLT/
endef
@ -64,6 +64,7 @@ define Package/xsltproc/description
endef
CONFIGURE_ARGS+= \
--disable-silent-rules \
--enable-shared \
--enable-static \
--without-python \
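Review bot: The tarball is still pinned only by `PKG_MD5SUM` (visible in the hunk context on the new side), and MD5 is collision-prone, so it gives weaker supply-chain integrity than a CVE-driven revision bump should rely on. If the buildroot this tree targets already accepts `PKG_HASH`, swapping the line for `PKG_HASH:=` followed by the SHA-256 of `libxslt-1.1.28.tar.gz` is a one-line change; I have not checked which form this tree supports. The package also stays at 1.1.28 with seventeen backported patches, so version-matching scanners will keep flagging it; a comment in the Makefile naming the CVEs the patch set covers (only CVE-2015-7995 is identified in the patches themselves) would save the next maintainer from re-auditing.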


@ -0,0 +1,48 @@
From: Daniel Veillard <veillard@redhat.com>
Date: Wed, 30 Jan 2013 16:31:37 +0000
Subject: Fix a couple of places where (f)printf parameters were broken
As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>
---
python/libxslt.c | 10 +++++-----
xsltproc/xsltproc.c | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/libxslt.c b/python/libxslt.c
index 6a4f1c3..8dd6c78 100644
--- a/python/libxslt.c
+++ b/python/libxslt.c
@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
PyObject *pyobj_element_f;
PyObject *pyobj_precomp_f;
-#ifdef DEBUG_EXTENSIONS
- printf("libxslt_xsltRegisterExtModuleElement called\n",
- name, ns_uri);
-#endif
-
if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
&name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
return(NULL);
+#ifdef DEBUG_EXTENSIONS
+ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
+ name, ns_uri);
+#endif
+
if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
py_retval = libxml_intWrap(-1);
return(py_retval);
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 9ec4b76..33beddf 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
va_start(ap, format);
vfprintf(stderr,format,ap);
va_end(ap);
- fprintf(stderr, " was not timed\n", msec);
+ fprintf(stderr, " was not timed\n");
#else
/* We don't have gettimeofday, time or stdarg.h, what crazy world is
* this ?!
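Review bot: The relocated debug printf passes `ns_uri` to `%s`, but the `z` conversion in the `PyArg_ParseTuple` call just above it accepts `None` and yields a NULL pointer, and printing NULL through `%s` is undefined behaviour (glibc happens to emit "(null)"; other libcs crash). Guarding the argument keeps the debug build safe: `printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n", name, ns_uri ? ns_uri : "(null)");`. This only compiles under `DEBUG_EXTENSIONS`, so it is a debug-build hazard rather than a release one. The enclosing function begins before the hunk and continues after it.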


@ -0,0 +1,56 @@
From: Nils Werner <wernerns@iis.fraunhofer.de>
Date: Thu, 24 Jan 2013 18:44:03 +0000
Subject: Initialize pseudo random number generator with current time or
optional command line parameter
---
xsltproc/xsltproc.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
index 33beddf..7d1fe61 100644
--- a/xsltproc/xsltproc.c
+++ b/xsltproc/xsltproc.c
@@ -514,6 +514,7 @@ static void usage(const char *name) {
printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
printf("\t--maxparserdepth val : increase the maximum parser depth\n");
+ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
#ifdef LIBXML_HTML_ENABLED
printf("\t--html: the input document is(are) an HTML file(s)\n");
#endif
@@ -556,6 +557,7 @@ main(int argc, char **argv)
return (1);
}
+ srand(time(NULL));
xmlInitMemory();
LIBXML_TEST_VERSION
@@ -750,6 +752,15 @@ main(int argc, char **argv)
if (value > 0)
xmlParserMaxDepth = value;
}
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ int value;
+
+ i++;
+ if (sscanf(argv[i], "%d", &value) == 1) {
+ if (value > 0)
+ srand(value);
+ }
} else if ((!strcmp(argv[i],"-dumpextensions"))||
(!strcmp(argv[i],"--dumpextensions"))) {
dumpextensions++;
@@ -786,6 +797,10 @@ main(int argc, char **argv)
(!strcmp(argv[i], "--maxparserdepth"))) {
i++;
continue;
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
+ (!strcmp(argv[i], "--seed-rand"))) {
+ i++;
+ continue;
} else if ((!strcmp(argv[i], "-o")) ||
(!strcmp(argv[i], "-output")) ||
(!strcmp(argv[i], "--output"))) {
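Review bot: The `--seed-rand` branch increments `i` and then reads `argv[i]` without checking that a value follows, so `xsltproc --seed-rand` as the last argument passes `argv[argc]`, a NULL pointer, to `sscanf`. A bounds check before the read closes that, e.g. `if (i >= argc) { fprintf(stderr, "--seed-rand requires a value\n"); return(1); }`, and the second-pass hunk further down performs the same unconditional `i++`. Separately, `srand`/`rand` is not a cryptographic generator and the `value > 0` filter silently ignores 0 and negative seeds, which is fine for reproducibility but deserves a note in the usage text so nobody reads this option as a secure random source. Both hunks sit inside `main`, whose body extends beyond the hunk in each direction.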


@ -0,0 +1,38 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 1 Jul 2013 13:10:10 +0000
Subject: EXSLT function str:replace() is broken as-is
the str:replace() function is no longer usable without a transform
context. I take it from the bug report that it is not supposed to be used
from plain XPath but only from XSLT according to the EXSLT specification.
However, the previous implementation used to work in XPath and is still
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
function. When called from plain XPath, it results in a memory error in
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
returns NULL as an error indicator due to a NULL transform context being
passed in, which was the return value from xsltXPathGetTransformContext() a
bit further up (and the code doesn't validate that).
Since fixing the function looks impossible, best is to remove it.
---
libexslt/strings.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/libexslt/strings.c b/libexslt/strings.c
index 045cc14..c0c7a18 100644
--- a/libexslt/strings.c
+++ b/libexslt/strings.c
@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
&& !xmlXPathRegisterFuncNS(ctxt,
(const xmlChar *) "concat",
(const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrConcatFunction)
- && !xmlXPathRegisterFuncNS(ctxt,
- (const xmlChar *) "replace",
- (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
- exsltStrReplaceFunction)) {
+ exsltStrConcatFunction)) {
return 0;
}
return -1;
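Review bot: The registration of `replace` is dropped without leaving any trace in the code, so the next person extending `exsltStrXpathCtxtRegister` will see `exsltStrReplaceFunction` still defined in this file and is likely to add it back, reintroducing the NULL-transform-context crash the commit message describes. A short comment at the end of the registration chain would pin the reason: `/* str:replace is deliberately not registered here: it needs a transform context (xsltCreateRVT) and crashes when called from a plain XPath context. */`. Whether the function remains reachable through the XSLT-side registration is not visible in this hunk.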


@ -0,0 +1,43 @@
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 30 Jul 2013 11:57:28 +0000
Subject: Fix quoting of xlocale test program in configure.in
Double square brackets aren't needed anymore, probably due to the
changes in commit a2cd8a03.
---
configure.in | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index 767e980..ac004fe 100644
--- a/configure.in
+++ b/configure.in
@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
#endif
]],[[
xsltLocale locale;
- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
- char *dst[[2]];
+ const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
+ char *dst[2];
size_t len, r;
int i;
locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
if (locale == NULL) exit(1);
for (i=0; i<2; ++i) {
- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
- dst[[i]] = malloc(len);
- if(dst[[i]] == NULL) exit(1);
- r = strxfrm_l(dst[[i]], src[[i]], len, locale);
+ len = strxfrm_l(NULL, src[i], 0, locale) + 1;
+ dst[i] = malloc(len);
+ if(dst[i] == NULL) exit(1);
+ r = strxfrm_l(dst[i], src[i], len, locale);
if(r >= len) exit(1);
}
- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
+ if (strcmp(dst[0], dst[1]) >= 0) exit(1);
exit(0);
return(0);


@ -0,0 +1,29 @@
From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Thu, 29 Oct 2015 19:33:23 +0800
Subject: [PATCH] Fix for type confusion in preprocessing attributes
CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
We need to check that the parent node is an element before dereferencing
its namespace
---
libxslt/preproc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/preproc.c b/libxslt/preproc.c
index 0eb80a0..7f69325 100644
--- a/libxslt/preproc.c
+++ b/libxslt/preproc.c
@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
} else if (IS_XSLT_NAME(inst, "attribute")) {
xmlNodePtr parent = inst->parent;
- if ((parent == NULL) || (parent->ns == NULL) ||
+ if ((parent == NULL) ||
+ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
((parent->ns != inst->ns) &&
(!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
--
2.8.1
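Review bot: The new `parent->type != XML_ELEMENT_NODE` test carries no comment, and the reason it matters (the `ns` slot of a non-element node is not an `xmlNs`, so the `parent->ns->href` read two lines later was a type confusion) is exactly the kind of condition that gets "simplified" away later. I would add `/* parent may be a document/attribute node whose ->ns is not an xmlNs (CVE-2015-7995) */` above the condition. The same expression dereferences `inst->ns->href` without a NULL test; that is presumably safe because `IS_XSLT_NAME` has already matched `inst` in the XSLT namespace, but I cannot confirm that macro from here. `xsltStylePreCompute` continues outside the hunk.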


@ -0,0 +1,62 @@
From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 3 Jan 2016 16:45:24 +0100
Subject: [PATCH] Always initialize EXSLT month and day to 1
Fixes bug #757970
https://bugzilla.gnome.org/show_bug.cgi?id=757970
---
libexslt/date.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 9ca993c..272c61b 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type)
}
memset (ret, 0, sizeof(exsltDateVal));
+ if (type != XS_DURATION) {
+ ret->value.date.mon = 1;
+ ret->value.date.day = 1;
+ }
+
if (type != EXSLT_UNKNOWN)
ret->type = type;
@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type)
}
if ((type & XS_GDAY) != XS_GDAY)
- dt->value.date.day = 0;
+ dt->value.date.day = 1;
if ((type & XS_GMONTH) != XS_GMONTH)
- dt->value.date.mon = 0;
+ dt->value.date.mon = 1;
if ((type & XS_GYEAR) != XS_GYEAR)
dt->value.date.year = 0;
@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur)
d = &(dt->value.date);
u = &(dur->value.dur);
- /* normalization */
- if (d->mon == 0)
- d->mon = 1;
-
/* normalize for time zone offset */
u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */
d->tzo = 0;
- /* normalization */
- if (d->day == 0)
- d->day = 1;
-
/* month */
carry = d->mon + u->mon;
r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13);
--
2.8.1
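Review bot: `exsltDateCreateDate` and `_exsltDateTruncateDate` now initialise month and day to 1 and the `== 0` normalisation in `_exsltDateAdd` is removed, so 0 no longer means "unset". Any other code in date.c that tests `mon == 0` or `day == 0` to detect an absent component (gYear/gMonth formatting, for example) would silently change behaviour; those readers are outside this hunk, so a grep before merging is worthwhile. A comment on the new initialisation would document the invariant: `/* Month and day are always >= 1; 0 is never a valid "unset" marker (bug #757970). */`.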


@ -0,0 +1,105 @@
From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 25 Feb 2016 17:16:06 +0100
Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument
Also fixes a memory leak in an unlikely error case.
Fixes bug #758291
https://bugzilla.gnome.org/show_bug.cgi?id=758291
---
libxslt/functions.c | 3 ++-
tests/docs/bug-185-data.xml | 5 +++++
tests/docs/bug-185.xml | 2 ++
tests/general/bug-185.err | 3 +++
tests/general/bug-185.out | 0
tests/general/bug-185.xsl | 14 ++++++++++++++
6 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 tests/docs/bug-185-data.xml
create mode 100644 tests/docs/bug-185.xml
create mode 100644 tests/general/bug-185.err
create mode 100644 tests/general/bug-185.out
create mode 100644 tests/general/bug-185.xsl
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 549649c..a5e7021 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
resObj = xmlXPtrEval(fragment, xptrctxt);
xmlXPathFreeContext(xptrctxt);
#endif
- xmlFree(fragment);
if (resObj == NULL)
goto out_fragment;
@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
}
valuePush(ctxt, resObj);
+ xmlFree(fragment);
return;
out_object:
@@ -211,6 +211,7 @@ out_object:
out_fragment:
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
+ xmlFree(fragment);
}
/**
diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml
new file mode 100644
index 0000000..166ef17
--- /dev/null
+++ b/tests/docs/bug-185-data.xml
@@ -0,0 +1,5 @@
+<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
+<test>
+ <A id="X"/>
+ <A id="Y"/>
+</test>
diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml
new file mode 100644
index 0000000..72bfdc4
--- /dev/null
+++ b/tests/docs/bug-185.xml
@@ -0,0 +1,2 @@
+<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
+<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err
new file mode 100644
index 0000000..d7bbe92
--- /dev/null
+++ b/tests/general/bug-185.err
@@ -0,0 +1,3 @@
+runtime error: file ./bug-185.xsl line 7 element copy-of
+document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
+no result for ./../docs/bug-185.xml
diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out
new file mode 100644
index 0000000..e69de29
diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl
new file mode 100644
index 0000000..1c5c7d1
--- /dev/null
+++ b/tests/general/bug-185.xsl
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+ <xsl:template match="in">
+ <annotation>
+ <xsl:copy-of select="."/>
+ <value>
+ <xsl:copy-of select="document(.)"/>
+ </value>
+ </annotation>
+ </xsl:template>
+ <xsl:template match="@*|node()">
+ <xsl:apply-templates/>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1
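Review bot: `fragment` is now freed on two separate exits of `xsltDocumentFunctionLoadDocument` (after `valuePush(ctxt, resObj)` and at `out_fragment`), which is the shape that produced the original use-after-free: the next early return added between them will leak or double-free. Routing the success path through one cleanup label keeps the lifetime in a single place: `valuePush(ctxt, resObj); goto done;` on the success path, and `done: xmlFree(fragment);` placed after the `valuePush(ctxt, xmlXPathNewNodeSet(NULL))` at `out_fragment`, which `out_object` already falls into. Whether `resObj` is initialised when `LIBXML_XPTR_ENABLED` is off is not visible here; if it is not, the `resObj == NULL` test reads an uninitialised pointer. The function starts before the first hunk.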


@ -0,0 +1,171 @@
From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 22 Mar 2016 18:20:01 +0100
Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel
Namespace nodes are actually an xmlNs, not an xmlNode. They must be
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
out-of-bounds heap access.
Move the test whether a node matches the "count" pattern to a separate
function to make the code more readable. As a side effect, we also
compare expanded names when walking up the ancestor axis, fixing an
insignificant bug.
---
libxslt/numbers.c | 82 +++++++++++++++++++++++++++--------------------
tests/docs/bug-186.xml | 4 +++
tests/general/bug-186.out | 5 +++
tests/general/bug-186.xsl | 7 ++++
4 files changed, 63 insertions(+), 35 deletions(-)
create mode 100644 tests/docs/bug-186.xml
create mode 100644 tests/general/bug-186.out
create mode 100644 tests/general/bug-186.xsl
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index e3209e0..184ee6f 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
}
static int
+xsltTestCompMatchCount(xsltTransformContextPtr context,
+ xmlNodePtr node,
+ xsltCompMatchPtr countPat,
+ xmlNodePtr cur)
+{
+ if (countPat != NULL) {
+ return xsltTestCompMatchList(context, node, countPat);
+ }
+ else {
+ /*
+ * 7.7 Numbering
+ *
+ * If count attribute is not specified, then it defaults to the
+ * pattern that matches any node with the same node type as the
+ * current node and, if the current node has an expanded-name, with
+ * the same expanded-name as the current node.
+ */
+ if (node->type != cur->type)
+ return 0;
+ if (node->type == XML_NAMESPACE_DECL)
+ /*
+ * Namespace nodes have no preceding siblings and no parents
+ * that are namespace nodes. This means that node == cur.
+ */
+ return 1;
+ /* TODO: Skip node types without expanded names like text nodes. */
+ if (!xmlStrEqual(node->name, cur->name))
+ return 0;
+ if (node->ns == cur->ns)
+ return 1;
+ if ((node->ns == NULL) || (cur->ns == NULL))
+ return 0;
+ return (xmlStrEqual(node->ns->href, cur->ns->href));
+ }
+}
+
+static int
xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
xmlNodePtr node,
xsltCompMatchPtr countPat,
@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
while (cur != NULL) {
/* process current node */
- if (countPat == NULL) {
- if ((node->type == cur->type) &&
- /* FIXME: must use expanded-name instead of local name */
- xmlStrEqual(node->name, cur->name)) {
- if ((node->ns == cur->ns) ||
- ((node->ns != NULL) &&
- (cur->ns != NULL) &&
- (xmlStrEqual(node->ns->href,
- cur->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, cur, countPat))
- cnt++;
- }
+ if (xsltTestCompMatchCount(context, cur, countPat, node))
+ cnt++;
if ((fromPat != NULL) &&
xsltTestCompMatchList(context, cur, fromPat)) {
break; /* while */
@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context,
xsltTestCompMatchList(context, ancestor, fromPat))
break; /* for */
- if ((countPat == NULL && node->type == ancestor->type &&
- xmlStrEqual(node->name, ancestor->name)) ||
- xsltTestCompMatchList(context, ancestor, countPat)) {
+ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) {
/* count(preceding-sibling::*) */
- cnt = 0;
- for (preceding = ancestor;
+ cnt = 1;
+ for (preceding =
+ xmlXPathNextPrecedingSibling(parser, ancestor);
preceding != NULL;
preceding =
xmlXPathNextPrecedingSibling(parser, preceding)) {
- if (countPat == NULL) {
- if ((preceding->type == ancestor->type) &&
- xmlStrEqual(preceding->name, ancestor->name)){
- if ((preceding->ns == ancestor->ns) ||
- ((preceding->ns != NULL) &&
- (ancestor->ns != NULL) &&
- (xmlStrEqual(preceding->ns->href,
- ancestor->ns->href) )))
- cnt++;
- }
- } else {
- if (xsltTestCompMatchList(context, preceding,
- countPat))
- cnt++;
- }
+
+ if (xsltTestCompMatchCount(context, preceding, countPat,
+ node))
+ cnt++;
}
array[amount++] = (double)cnt;
if (amount >= max)
diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml
new file mode 100644
index 0000000..424db6b
--- /dev/null
+++ b/tests/docs/bug-186.xml
@@ -0,0 +1,4 @@
+<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
+<foo/>
+<bar/>
+</top>
diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out
new file mode 100644
index 0000000..01a59f8
--- /dev/null
+++ b/tests/general/bug-186.out
@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+
+1111
+1111
+
diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl
new file mode 100644
index 0000000..9c491dd
--- /dev/null
+++ b/tests/general/bug-186.xsl
@@ -0,0 +1,7 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ <xsl:template match="*/*">
+ <xsl:for-each select="namespace::*">
+ <xsl:number/>
+ </xsl:for-each>
+ </xsl:template>
+</xsl:stylesheet>
--
2.8.1
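Review bot: `xsltTestCompMatchCount` only special-cases namespace nodes on the `countPat == NULL` path; when a `count` pattern is given, an `XML_NAMESPACE_DECL` node (an `xmlNs`, not an `xmlNode`, per the commit message) is still handed to `xsltTestCompMatchList` as an `xmlNodePtr`, so the out-of-bounds access this patch fixes may remain reachable from `<xsl:number count="..."/>` inside `for-each select="namespace::*"`. Whether `xsltTestCompMatchList` guards that node type is not visible here; if it does not, testing `node->type == XML_NAMESPACE_DECL` before the `countPat` branch and returning without consulting the pattern (0, or `node == cur` to keep the current numbering) would cover both paths. The added `bug-186` test only exercises the no-`count` case, so a second stylesheet with a `count` attribute would pin this down.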


@ -0,0 +1,26 @@
From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:50:02 +0200
Subject: [PATCH] Round xsl:number values to nearest integer
This matches XSLT 2.0 behavior.
---
libxslt/numbers.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 184ee6f..eb087bc 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
for (i = 0; i < numbers_max; i++) {
/* Insert number */
number = numbers[(numbers_max - 1) - i];
+ /* Round to nearest like XSLT 2.0 */
+ number = floor(number + 0.5);
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1


@ -0,0 +1,51 @@
From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 12:51:57 +0200
Subject: [PATCH] Handle negative xsl:number values
According to XSLT 2.0, negative values are a non-recoverable dynamic error.
Print an error message and treat negative values as zero.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index eb087bc..a3cabcf 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
number--;
*(--pointer) = alpha_list[((int)fmod(number, alpha_size))];
number /= alpha_size;
- if (fabs(number) < 1.0)
+ if (number < 1.0)
break; /* for */
}
xmlBufferCCat(buffer, pointer);
@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
number = numbers[(numbers_max - 1) - i];
/* Round to nearest like XSLT 2.0 */
number = floor(number + 0.5);
+ /*
+ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT
+ * 2.0 says:
+ *
+ * It is a non-recoverable dynamic error if any undiscarded item
+ * in the atomized sequence supplied as the value of the value
+ * attribute of xsl:number cannot be converted to an integer, or
+ * if the resulting integer is less than 0 (zero).
+ */
+ if (number < 0.0) {
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl-number : negative value\n");
+ /* Recover by treating negative values as zero. */
+ number = 0.0;
+ }
if (i < tokens->nTokens) {
/*
* The "n"th format token will be used to format the "n"th
--
2.8.1


@ -0,0 +1,75 @@
From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:11:31 +0200
Subject: [PATCH] Lower bound for format token "a"
Handle xsl:number with format "a" and value 0 according to XSLT 2.0.
Fixes an OOB array access in xsltNumberFormatAlpha.
---
libxslt/numbers.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index a3cabcf..af52883 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
}
static void
-xsltNumberFormatAlpha(xmlBufferPtr buffer,
+xsltNumberFormatAlpha(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
char *alpha_list;
double alpha_size = (double)(sizeof(alpha_upper_list) - 1);
+ /*
+ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says:
+ *
+ * For all format tokens other than the first kind above (one that
+ * consists of decimal digits), there may be implementation-defined
+ * lower and upper bounds on the range of numbers that can be
+ * formatted using this format token; indeed, for some numbering
+ * sequences there may be intrinsic limits. [...] Numbers that fall
+ * outside this range must be formatted using the format token 1.
+ *
+ * The "a" token has an intrinsic lower limit of 1.
+ */
+ if (number < 1.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
/* Build buffer from back */
pointer = &temp_string[sizeof(temp_string)];
*(--pointer) = 0;
@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
switch (token->token) {
case 'A':
- xsltNumberFormatAlpha(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatAlpha(data, buffer, number, TRUE);
break;
case 'a':
- xsltNumberFormatAlpha(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
xsltNumberFormatRoman(buffer,
--
2.8.1
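Review bot: `if (number < 1.0)` in `xsltNumberFormatAlpha` does not catch NaN or +infinity: both comparisons are false, so the value reaches `(int)fmod(number, alpha_size)` in the loop below, where `fmod` yields NaN and the cast to `int` is undefined behaviour that on common targets produces `INT_MIN` and indexes far outside `alpha_list`. `xsl:number value="..."` can deliver such values from XPath (`value="'x'"`, `value="1 div 0"`), and the rounding and negative-value hunks in the neighbouring patches do not filter them either. Extending the guard, `if (number < 1.0 || xmlXPathIsNaN(number) || xmlXPathIsInf(number))` (or C99 `isnan`/`isinf`, since `<math.h>` is already in use for `fmod`), routes them to the decimal formatter like the other out-of-range inputs; whether the caller already rejects non-finite values is not visible in this hunk. The `for` loop's bound is outside the hunk, so I cannot say how many iterations an infinite value would run.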


@ -0,0 +1,64 @@
From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 10 Apr 2016 13:12:28 +0200
Subject: [PATCH] Lower and upper bound for format token "i"
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
Also introduce an upper bound to fix a denial of service.
---
libxslt/numbers.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index af52883..e769c42 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
}
static void
-xsltNumberFormatRoman(xmlBufferPtr buffer,
+xsltNumberFormatRoman(xsltNumberDataPtr data,
+ xmlBufferPtr buffer,
double number,
int is_upper)
{
/*
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
+ * bound to avoid denial of service.
+ */
+ if (number < 1.0 || number > 5000.0) {
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
+ data->digitsPerGroup,
+ data->groupingCharacter,
+ data->groupingCharacterLen);
+ return;
+ }
+
+ /*
* Based on an example by Jim Walsh
*/
while (number >= 1000.0) {
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
xsltNumberFormatAlpha(data, buffer, number, FALSE);
break;
case 'I':
- xsltNumberFormatRoman(buffer,
- number,
- TRUE);
-
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
break;
case 'i':
- xsltNumberFormatRoman(buffer,
- number,
- FALSE);
-
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
break;
default:
if (IS_DIGIT_ZERO(token->token)) {
--
2.8.1
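Review bot: The new range test `number < 1.0 || number > 5000.0` lets NaN through, since both comparisons are false for it; the Roman loops then all compare false and emit nothing, which is silent output loss rather than memory corruption but still wrong. Writing the test as a positive range, `if (!(number >= 1.0 && number <= 5000.0))`, sends NaN down the same fallback path as the other out-of-range values (what `xsltNumberFormatDecimal` does with NaN is not visible here). The 5000 cap is also a bare constant explained only by the comment; a named `#define XSLT_ROMAN_MAX 5000.0` would let the documentation and any later adjustment agree.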


@ -0,0 +1,62 @@
From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 20 Apr 2016 14:35:43 +0200
Subject: [PATCH] Fix double free in libexslt hash functions
Thanks to Nicolas Gregoire for the report.
Fixes bug #765271:
https://bugzilla.gnome.org/show_bug.cgi?id=765271
---
libexslt/crypto.c | 15 +++------------
tests/exslt/crypto/hash.1.out | 2 ++
tests/exslt/crypto/hash.1.xml | 5 +++++
3 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
index 6aa9dd2..e13db8b 100644
--- a/libexslt/crypto.c
+++ b/libexslt/crypto.c
@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len,
(char *) hash);
@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len,
(char *) hash);
@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) {
unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1];
str_len = exsltCryptoPopString (ctxt, nargs, &str);
- if (str_len == 0) {
- xmlXPathReturnEmptyString (ctxt);
- xmlFree (str);
+ if (str_len == 0)
return;
- }
PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len,
(char *) hash);
--
2.8.1
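Review bot: Each of the three hash functions now returns bare on `str_len == 0`, dropping both the `xmlXPathReturnEmptyString` and the `xmlFree(str)`; that is only correct if `exsltCryptoPopString` itself pushes the result and owns or never allocates `str` on that path, which the hunk does not show. A one-line comment at each early return would stop a future reader from "fixing" the apparent missing push again: `/* exsltCryptoPopString already pushed the empty result and owns str on this path (bug #765271) */`. The `hash.1.xml`/`hash.1.out` regression files listed in the diffstat are not shown in this section, so I could not check that they cover the empty-string case for all three functions.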


@ -0,0 +1,33 @@
From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 28 Apr 2016 17:34:27 +0200
Subject: [PATCH] Fix buffer overflow in exsltDateFormat
Long years can overflow a stack-based buffer on 64-bit platforms by
up to four bytes.
Thanks to Nicolas Gregoire for the report.
Fixes bug #765380:
https://bugzilla.gnome.org/show_bug.cgi?id=765380
---
libexslt/date.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexslt/date.c b/libexslt/date.c
index 272c61b..12c9919 100644
--- a/libexslt/date.c
+++ b/libexslt/date.c
@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt)
}
if (dt->type & XS_GYEAR) {
- xmlChar buf[20], *cur = buf;
+ xmlChar buf[100], *cur = buf;
FORMAT_GYEAR(dt->value.date.year, cur);
if (dt->type == XS_GYEARMONTH) {
--
2.8.1
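Review bot: `buf[100]` replaces `buf[20]` with no derivation of the new size, so the next widening of the year type or of `FORMAT_GYEAR` will have to guess again. If `FORMAT_GYEAR` and the month/day/timezone formatting that follows write with unbounded `sprintf`-style macros (they are outside the hunk), the durable fix is a bound on `sizeof(buf)`; failing that, a comment stating the widest output assumed, e.g. `/* sized for the widest FORMAT_GYEAR output plus -MM-DD, timezone and NUL; see bug #765380 */`, makes the constant checkable. The enclosing `exsltDateFormat` starts before the hunk.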


@ -0,0 +1,36 @@
From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 May 2016 15:12:48 +0200
Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic
xsltExtModuleRegisterDynamic would read a byte before the start of a
string under certain circumstances. I looks like this piece code was
supposed to strip characters from the end of the extension name, but
it didn't have any effect. Don't read beyond the beginning of the
string and actually strip unwanted characters.
Found with afl-fuzz and ASan.
---
libxslt/extensions.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
index 5ad73cb..ae6eef0 100644
--- a/libxslt/extensions.c
+++ b/libxslt/extensions.c
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
i++;
}
- if (*(i - 1) == '_')
+ /* Strip underscores from end of string. */
+ while (i > ext_name && *(i - 1) == '_') {
+ i--;
*i = '\0';
+ }
/* determine module directory */
ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
--
2.8.1
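Review bot: The new loop can strip every character when the computed name is all underscores, leaving `ext_name` empty, and the code then proceeds to build a module path from it under `LIBXSLT_PLUGINS_PATH`; an empty name should be rejected first, e.g. `if (i == ext_name) goto done;` using whatever failure exit the function has (its prologue and epilogue are outside the hunk). Also on the new side: the plugin directory comes straight from an environment variable that is presumably handed to the dynamic loader, so if libxslt can run inside a privileged or setuid process the lookup should go through `secure_getenv` or be skipped under `issetugid()`; whether that case is handled elsewhere is not visible here.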


@ -0,0 +1,31 @@
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Fri, 10 Jun 2016 14:23:58 +0200
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
An empty decimal-separator could cause a heap overread. This can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.
Found with afl-fuzz and ASan.
---
libxslt/numbers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index d1549b4..e78c46b 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
}
/* We have finished the integer part, now work on fraction */
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
+ if ( (*the_format != 0) &&
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
format_info.add_decimal = TRUE;
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
}
--
2.10.2
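Review bot: The `*the_format != 0 &&` guard is added in front of this one `xsltUTF8Charcmp` call only, while `xsltFormatNumberConversion` compares `the_format` against other separators (grouping, percent, per-mille) elsewhere in the function, outside the hunk; if those call sites share the pattern they share the over-read. Making `xsltUTF8Charcmp` itself reject an empty argument, `if ((*utf1 == 0) || (*utf2 == 0)) return 1;` at its top, fixes every caller at once and removes the need to remember the guard. I have not seen the helper's body, so whether it already handles an empty first argument is an assumption to check.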


@ -0,0 +1,74 @@
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 12 Jan 2017 15:39:52 +0100
Subject: [PATCH] Check for integer overflow in xsltAddTextString
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
exploited to trigger an out of bounds write on 64-bit systems.
Originally reported to Chromium:
https://crbug.com/676623
---
libxslt/transform.c | 25 ++++++++++++++++++++++---
libxslt/xsltInternals.h | 4 ++--
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 519133fc..02bff34a 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
return(target);
if (ctxt->lasttext == target->content) {
+ int minSize;
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
+ /* Check for integer overflow accounting for NUL terminator. */
+ if (len >= INT_MAX - ctxt->lasttuse) {
+ xsltTransformError(ctxt, NULL, target,
+ "xsltCopyText: text allocation failed\n");
+ return(NULL);
+ }
+ minSize = ctxt->lasttuse + len + 1;
+
+ if (ctxt->lasttsize < minSize) {
xmlChar *newbuf;
int size;
+ int extra;
+
+ /* Double buffer size but increase by at least 100 bytes. */
+ extra = minSize < 100 ? 100 : minSize;
+
+ /* Check for integer overflow. */
+ if (extra > INT_MAX - ctxt->lasttsize) {
+ size = INT_MAX;
+ }
+ else {
+ size = ctxt->lasttsize + extra;
+ }
- size = ctxt->lasttsize + len + 100;
- size *= 2;
newbuf = (xmlChar *) xmlRealloc(target->content,size);
if (newbuf == NULL) {
xsltTransformError(ctxt, NULL, target,
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
index 060b1783..5ad17719 100644
--- a/libxslt/xsltInternals.h
+++ b/libxslt/xsltInternals.h
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
* Speed optimization when coalescing text nodes
*/
const xmlChar *lasttext; /* last text node content */
- unsigned int lasttsize; /* last text node size */
- unsigned int lasttuse; /* last text node use */
+ int lasttsize; /* last text node size */
+ int lasttuse; /* last text node use */
/*
* Per Context Debugging
*/
--
2.11.0
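Review bot: The new overflow guard `len >= INT_MAX - ctxt->lasttuse` assumes `len` is non-negative; if `len` is a signed `int` (its declaration is above the hunk), a negative value passes the check, makes `minSize` smaller than the current use count, and reaches whatever copy follows the hunk with a size that wraps when converted to `size_t`. `if (len < 0 || len >= INT_MAX - ctxt->lasttuse)` closes that for one comparison, even if every present caller passes an `xmlStrlen` result. Changing `lasttsize`/`lasttuse` from `unsigned int` to `int` in the public `xsltInternals.h` keeps the struct layout but flips the signedness of two fields external code may read, which deserves a note in the header or release notes. `xsltAddTextString` continues past the hunk, so the `ctxt->lasttsize = size` update is not visible.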