mirror of
https://git.openwrt.org/feed/packages.git
synced 2024-06-14 11:23:57 +02:00
Merge pull request #5541 from micmac1/jiri-lede-17.01
libssh2, libxslt, tiff: security bumps + fix (for lede-17.01)
This commit is contained in:
commit
ea967b5a71
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (C) 2015-2016 OpenWrt.org
|
||||
# Copyright (C) 2015-2018 OpenWrt.org
|
||||
#
|
||||
# This is free software, licensed under the GNU General Public License v2.
|
||||
# See /LICENSE for more information.
|
||||
|
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=libssh2
|
||||
PKG_VERSION:=1.7.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://www.libssh2.org/download
|
||||
PKG_SOURCE_URL:=https://www.libssh2.org/download
|
||||
PKG_MD5SUM:=b01662a210e94cccf2f76094db7dac5c
|
||||
|
||||
PKG_INSTALL:=1
|
||||
|
@ -26,7 +26,7 @@ define Package/libssh2
|
|||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=SSH2 library
|
||||
URL:=http://www.libssh2.org/
|
||||
URL:=https://www.libssh2.org/
|
||||
DEPENDS:=+libopenssl +zlib
|
||||
MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
|
||||
endef
|
||||
|
@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC)
|
|||
|
||||
CONFIGURE_ARGS += \
|
||||
--disable-examples-build \
|
||||
--with-libssl-prefix=$(STAGING_DIR)/usr
|
||||
--with-libssl-prefix=$(STAGING_DIR)/usr \
|
||||
--with-libz-prefix=$(STAGING_DIR)/usr
|
||||
|
||||
define Build/InstallDev
|
||||
$(INSTALL_DIR) $(1)/usr/include
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (C) 2014 OpenWrt.org
|
||||
# Copyright (C) 2014 - 2018 OpenWrt.org
|
||||
#
|
||||
# This is free software, licensed under the GNU General Public License v2.
|
||||
# See /LICENSE for more information.
|
||||
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=libxslt
|
||||
PKG_VERSION:=1.1.28
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:= \
|
||||
|
@ -64,6 +64,7 @@ define Package/xsltproc/description
|
|||
endef
|
||||
|
||||
CONFIGURE_ARGS+= \
|
||||
--disable-silent-rules \
|
||||
--enable-shared \
|
||||
--enable-static \
|
||||
--without-python \
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Wed, 30 Jan 2013 16:31:37 +0000
|
||||
Subject: Fix a couple of places where (f)printf parameters were broken
|
||||
|
||||
As reported by Thomas Jarosch <thomas.jarosch@intra2net.com>
|
||||
---
|
||||
python/libxslt.c | 10 +++++-----
|
||||
xsltproc/xsltproc.c | 2 +-
|
||||
2 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/python/libxslt.c b/python/libxslt.c
|
||||
index 6a4f1c3..8dd6c78 100644
|
||||
--- a/python/libxslt.c
|
||||
+++ b/python/libxslt.c
|
||||
@@ -356,15 +356,15 @@ libxslt_xsltRegisterExtModuleElement(PyObject *self ATTRIBUTE_UNUSED,
|
||||
PyObject *pyobj_element_f;
|
||||
PyObject *pyobj_precomp_f;
|
||||
|
||||
-#ifdef DEBUG_EXTENSIONS
|
||||
- printf("libxslt_xsltRegisterExtModuleElement called\n",
|
||||
- name, ns_uri);
|
||||
-#endif
|
||||
-
|
||||
if (!PyArg_ParseTuple(args, (char *)"szOO:registerExtModuleElement",
|
||||
&name, &ns_uri, &pyobj_precomp_f, &pyobj_element_f))
|
||||
return(NULL);
|
||||
|
||||
+#ifdef DEBUG_EXTENSIONS
|
||||
+ printf("libxslt_xsltRegisterExtModuleElement called: %s %s\n",
|
||||
+ name, ns_uri);
|
||||
+#endif
|
||||
+
|
||||
if ((name == NULL) || (pyobj_element_f == NULL) || (pyobj_precomp_f == NULL)) {
|
||||
py_retval = libxml_intWrap(-1);
|
||||
return(py_retval);
|
||||
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
|
||||
index 9ec4b76..33beddf 100644
|
||||
--- a/xsltproc/xsltproc.c
|
||||
+++ b/xsltproc/xsltproc.c
|
||||
@@ -319,7 +319,7 @@ static void endTimer(char *format, ...)
|
||||
va_start(ap, format);
|
||||
vfprintf(stderr,format,ap);
|
||||
va_end(ap);
|
||||
- fprintf(stderr, " was not timed\n", msec);
|
||||
+ fprintf(stderr, " was not timed\n");
|
||||
#else
|
||||
/* We don't have gettimeofday, time or stdarg.h, what crazy world is
|
||||
* this ?!
|
|
@ -0,0 +1,56 @@
|
|||
From: Nils Werner <wernerns@iis.fraunhofer.de>
|
||||
Date: Thu, 24 Jan 2013 18:44:03 +0000
|
||||
Subject: Initialize pseudo random number generator with current time or
|
||||
optional command line parameter
|
||||
|
||||
---
|
||||
xsltproc/xsltproc.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/xsltproc/xsltproc.c b/xsltproc/xsltproc.c
|
||||
index 33beddf..7d1fe61 100644
|
||||
--- a/xsltproc/xsltproc.c
|
||||
+++ b/xsltproc/xsltproc.c
|
||||
@@ -514,6 +514,7 @@ static void usage(const char *name) {
|
||||
printf("\t--maxdepth val : increase the maximum depth (default %d)\n", xsltMaxDepth);
|
||||
printf("\t--maxvars val : increase the maximum variables (default %d)\n", xsltMaxVars);
|
||||
printf("\t--maxparserdepth val : increase the maximum parser depth\n");
|
||||
+ printf("\t--seed-rand val : initialize pseudo random number generator with specific seed\n");
|
||||
#ifdef LIBXML_HTML_ENABLED
|
||||
printf("\t--html: the input document is(are) an HTML file(s)\n");
|
||||
#endif
|
||||
@@ -556,6 +557,7 @@ main(int argc, char **argv)
|
||||
return (1);
|
||||
}
|
||||
|
||||
+ srand(time(NULL));
|
||||
xmlInitMemory();
|
||||
|
||||
LIBXML_TEST_VERSION
|
||||
@@ -750,6 +752,15 @@ main(int argc, char **argv)
|
||||
if (value > 0)
|
||||
xmlParserMaxDepth = value;
|
||||
}
|
||||
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
|
||||
+ (!strcmp(argv[i], "--seed-rand"))) {
|
||||
+ int value;
|
||||
+
|
||||
+ i++;
|
||||
+ if (sscanf(argv[i], "%d", &value) == 1) {
|
||||
+ if (value > 0)
|
||||
+ srand(value);
|
||||
+ }
|
||||
} else if ((!strcmp(argv[i],"-dumpextensions"))||
|
||||
(!strcmp(argv[i],"--dumpextensions"))) {
|
||||
dumpextensions++;
|
||||
@@ -786,6 +797,10 @@ main(int argc, char **argv)
|
||||
(!strcmp(argv[i], "--maxparserdepth"))) {
|
||||
i++;
|
||||
continue;
|
||||
+ } else if ((!strcmp(argv[i], "-seed-rand")) ||
|
||||
+ (!strcmp(argv[i], "--seed-rand"))) {
|
||||
+ i++;
|
||||
+ continue;
|
||||
} else if ((!strcmp(argv[i], "-o")) ||
|
||||
(!strcmp(argv[i], "-output")) ||
|
||||
(!strcmp(argv[i], "--output"))) {
|
|
@ -0,0 +1,38 @@
|
|||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Mon, 1 Jul 2013 13:10:10 +0000
|
||||
Subject: EXSLT function str:replace() is broken as-is
|
||||
|
||||
the str:replace() function is no longer usable without a transform
|
||||
context. I take it from the bug report that it is not supposed to be used
|
||||
from plain XPath but only from XSLT according to the EXSLT specification.
|
||||
|
||||
However, the previous implementation used to work in XPath and is still
|
||||
registered on an xmlXPathContext by the exsltStrXpathCtxtRegister()
|
||||
function. When called from plain XPath, it results in a memory error in
|
||||
line 526 (exsltStrReturnString()) of strings.c because xsltCreateRVT()
|
||||
returns NULL as an error indicator due to a NULL transform context being
|
||||
passed in, which was the return value from xsltXPathGetTransformContext() a
|
||||
bit further up (and the code doesn't validate that).
|
||||
|
||||
Since fixing the function looks impossible, best is to remove it.
|
||||
---
|
||||
libexslt/strings.c | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libexslt/strings.c b/libexslt/strings.c
|
||||
index 045cc14..c0c7a18 100644
|
||||
--- a/libexslt/strings.c
|
||||
+++ b/libexslt/strings.c
|
||||
@@ -838,11 +838,7 @@ exsltStrXpathCtxtRegister (xmlXPathContextPtr ctxt, const xmlChar *prefix)
|
||||
&& !xmlXPathRegisterFuncNS(ctxt,
|
||||
(const xmlChar *) "concat",
|
||||
(const xmlChar *) EXSLT_STRINGS_NAMESPACE,
|
||||
- exsltStrConcatFunction)
|
||||
- && !xmlXPathRegisterFuncNS(ctxt,
|
||||
- (const xmlChar *) "replace",
|
||||
- (const xmlChar *) EXSLT_STRINGS_NAMESPACE,
|
||||
- exsltStrReplaceFunction)) {
|
||||
+ exsltStrConcatFunction)) {
|
||||
return 0;
|
||||
}
|
||||
return -1;
|
|
@ -0,0 +1,43 @@
|
|||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 30 Jul 2013 11:57:28 +0000
|
||||
Subject: Fix quoting of xlocale test program in configure.in
|
||||
|
||||
Double square brackets aren't needed anymore, probably due to the
|
||||
changes in commit a2cd8a03.
|
||||
---
|
||||
configure.in | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index 767e980..ac004fe 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -196,21 +196,21 @@ typedef locale_t xsltLocale;
|
||||
#endif
|
||||
]],[[
|
||||
xsltLocale locale;
|
||||
- const char *src[[2]] = { "\xc3\x84rger", "Zeppelin" };
|
||||
- char *dst[[2]];
|
||||
+ const char *src[2] = { "\xc3\x84rger", "Zeppelin" };
|
||||
+ char *dst[2];
|
||||
size_t len, r;
|
||||
int i;
|
||||
|
||||
locale = newlocale(LC_COLLATE_MASK, "en_US.utf8", NULL);
|
||||
if (locale == NULL) exit(1);
|
||||
for (i=0; i<2; ++i) {
|
||||
- len = strxfrm_l(NULL, src[[i]], 0, locale) + 1;
|
||||
- dst[[i]] = malloc(len);
|
||||
- if(dst[[i]] == NULL) exit(1);
|
||||
- r = strxfrm_l(dst[[i]], src[[i]], len, locale);
|
||||
+ len = strxfrm_l(NULL, src[i], 0, locale) + 1;
|
||||
+ dst[i] = malloc(len);
|
||||
+ if(dst[i] == NULL) exit(1);
|
||||
+ r = strxfrm_l(dst[i], src[i], len, locale);
|
||||
if(r >= len) exit(1);
|
||||
}
|
||||
- if (strcmp(dst[[0]], dst[[1]]) >= 0) exit(1);
|
||||
+ if (strcmp(dst[0], dst[1]) >= 0) exit(1);
|
||||
|
||||
exit(0);
|
||||
return(0);
|
|
@ -0,0 +1,29 @@
|
|||
From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Veillard <veillard@redhat.com>
|
||||
Date: Thu, 29 Oct 2015 19:33:23 +0800
|
||||
Subject: [PATCH] Fix for type confusion in preprocessing attributes
|
||||
|
||||
CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
|
||||
We need to check that the parent node is an element before dereferencing
|
||||
its namespace
|
||||
---
|
||||
libxslt/preproc.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/preproc.c b/libxslt/preproc.c
|
||||
index 0eb80a0..7f69325 100644
|
||||
--- a/libxslt/preproc.c
|
||||
+++ b/libxslt/preproc.c
|
||||
@@ -2249,7 +2249,8 @@ xsltStylePreCompute(xsltStylesheetPtr style, xmlNodePtr inst) {
|
||||
} else if (IS_XSLT_NAME(inst, "attribute")) {
|
||||
xmlNodePtr parent = inst->parent;
|
||||
|
||||
- if ((parent == NULL) || (parent->ns == NULL) ||
|
||||
+ if ((parent == NULL) ||
|
||||
+ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
|
||||
((parent->ns != inst->ns) &&
|
||||
(!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
|
||||
(!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From 3309feb654036280d2355f8025150a69bfded6e2 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 3 Jan 2016 16:45:24 +0100
|
||||
Subject: [PATCH] Always initialize EXSLT month and day to 1
|
||||
|
||||
Fixes bug #757970
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=757970
|
||||
---
|
||||
libexslt/date.c | 17 +++++++----------
|
||||
1 file changed, 7 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/libexslt/date.c b/libexslt/date.c
|
||||
index 9ca993c..272c61b 100644
|
||||
--- a/libexslt/date.c
|
||||
+++ b/libexslt/date.c
|
||||
@@ -667,6 +667,11 @@ exsltDateCreateDate (exsltDateType type)
|
||||
}
|
||||
memset (ret, 0, sizeof(exsltDateVal));
|
||||
|
||||
+ if (type != XS_DURATION) {
|
||||
+ ret->value.date.mon = 1;
|
||||
+ ret->value.date.day = 1;
|
||||
+ }
|
||||
+
|
||||
if (type != EXSLT_UNKNOWN)
|
||||
ret->type = type;
|
||||
|
||||
@@ -1395,10 +1400,10 @@ _exsltDateTruncateDate (exsltDateValPtr dt, exsltDateType type)
|
||||
}
|
||||
|
||||
if ((type & XS_GDAY) != XS_GDAY)
|
||||
- dt->value.date.day = 0;
|
||||
+ dt->value.date.day = 1;
|
||||
|
||||
if ((type & XS_GMONTH) != XS_GMONTH)
|
||||
- dt->value.date.mon = 0;
|
||||
+ dt->value.date.mon = 1;
|
||||
|
||||
if ((type & XS_GYEAR) != XS_GYEAR)
|
||||
dt->value.date.year = 0;
|
||||
@@ -1473,18 +1478,10 @@ _exsltDateAdd (exsltDateValPtr dt, exsltDateValPtr dur)
|
||||
d = &(dt->value.date);
|
||||
u = &(dur->value.dur);
|
||||
|
||||
- /* normalization */
|
||||
- if (d->mon == 0)
|
||||
- d->mon = 1;
|
||||
-
|
||||
/* normalize for time zone offset */
|
||||
u->sec -= (d->tzo * 60); /* changed from + to - (bug 153000) */
|
||||
d->tzo = 0;
|
||||
|
||||
- /* normalization */
|
||||
- if (d->day == 0)
|
||||
- d->day = 1;
|
||||
-
|
||||
/* month */
|
||||
carry = d->mon + u->mon;
|
||||
r->mon = (unsigned int)MODULO_RANGE(carry, 1, 13);
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,105 @@
|
|||
From fc1ff481fd01e9a65a921c542fed68d8c965e8a3 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 25 Feb 2016 17:16:06 +0100
|
||||
Subject: [PATCH] Fix use-after-free in xsltDocumentFunctionLoadDocument
|
||||
|
||||
Also fixes a memory leak in an unlikely error case.
|
||||
|
||||
Fixes bug #758291
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=758291
|
||||
---
|
||||
libxslt/functions.c | 3 ++-
|
||||
tests/docs/bug-185-data.xml | 5 +++++
|
||||
tests/docs/bug-185.xml | 2 ++
|
||||
tests/general/bug-185.err | 3 +++
|
||||
tests/general/bug-185.out | 0
|
||||
tests/general/bug-185.xsl | 14 ++++++++++++++
|
||||
6 files changed, 26 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/docs/bug-185-data.xml
|
||||
create mode 100644 tests/docs/bug-185.xml
|
||||
create mode 100644 tests/general/bug-185.err
|
||||
create mode 100644 tests/general/bug-185.out
|
||||
create mode 100644 tests/general/bug-185.xsl
|
||||
|
||||
diff --git a/libxslt/functions.c b/libxslt/functions.c
|
||||
index 549649c..a5e7021 100644
|
||||
--- a/libxslt/functions.c
|
||||
+++ b/libxslt/functions.c
|
||||
@@ -180,7 +180,6 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
|
||||
resObj = xmlXPtrEval(fragment, xptrctxt);
|
||||
xmlXPathFreeContext(xptrctxt);
|
||||
#endif
|
||||
- xmlFree(fragment);
|
||||
|
||||
if (resObj == NULL)
|
||||
goto out_fragment;
|
||||
@@ -204,6 +203,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
|
||||
}
|
||||
|
||||
valuePush(ctxt, resObj);
|
||||
+ xmlFree(fragment);
|
||||
return;
|
||||
|
||||
out_object:
|
||||
@@ -211,6 +211,7 @@ out_object:
|
||||
|
||||
out_fragment:
|
||||
valuePush(ctxt, xmlXPathNewNodeSet(NULL));
|
||||
+ xmlFree(fragment);
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/tests/docs/bug-185-data.xml b/tests/docs/bug-185-data.xml
|
||||
new file mode 100644
|
||||
index 0000000..166ef17
|
||||
--- /dev/null
|
||||
+++ b/tests/docs/bug-185-data.xml
|
||||
@@ -0,0 +1,5 @@
|
||||
+<!DOCTYPE test [ <!ATTLIST A id ID #REQUIRED> ] >
|
||||
+<test>
|
||||
+ <A id="X"/>
|
||||
+ <A id="Y"/>
|
||||
+</test>
|
||||
diff --git a/tests/docs/bug-185.xml b/tests/docs/bug-185.xml
|
||||
new file mode 100644
|
||||
index 0000000..72bfdc4
|
||||
--- /dev/null
|
||||
+++ b/tests/docs/bug-185.xml
|
||||
@@ -0,0 +1,2 @@
|
||||
+<?xml-stylesheet href="poc.xsl" type="text/xsl"?>
|
||||
+<in>bug-185-data.xml#xpointer(id('X')/range-to(id('Y')))</in>
|
||||
diff --git a/tests/general/bug-185.err b/tests/general/bug-185.err
|
||||
new file mode 100644
|
||||
index 0000000..d7bbe92
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-185.err
|
||||
@@ -0,0 +1,3 @@
|
||||
+runtime error: file ./bug-185.xsl line 7 element copy-of
|
||||
+document() : XPointer does not select a node set: #xpointer(id('X')/range-to(id('Y')))
|
||||
+no result for ./../docs/bug-185.xml
|
||||
diff --git a/tests/general/bug-185.out b/tests/general/bug-185.out
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
diff --git a/tests/general/bug-185.xsl b/tests/general/bug-185.xsl
|
||||
new file mode 100644
|
||||
index 0000000..1c5c7d1
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-185.xsl
|
||||
@@ -0,0 +1,14 @@
|
||||
+<?xml version="1.0" encoding="utf-8"?>
|
||||
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
||||
+ <xsl:template match="in">
|
||||
+ <annotation>
|
||||
+ <xsl:copy-of select="."/>
|
||||
+ <value>
|
||||
+ <xsl:copy-of select="document(.)"/>
|
||||
+ </value>
|
||||
+ </annotation>
|
||||
+ </xsl:template>
|
||||
+ <xsl:template match="@*|node()">
|
||||
+ <xsl:apply-templates/>
|
||||
+ </xsl:template>
|
||||
+</xsl:stylesheet>
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,171 @@
|
|||
From d182d8f6ba3071503d96ce17395c9d55871f0242 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Tue, 22 Mar 2016 18:20:01 +0100
|
||||
Subject: [PATCH] Fix xsltNumberFormatGetMultipleLevel
|
||||
|
||||
Namespace nodes are actually an xmlNs, not an xmlNode. They must be
|
||||
special-cased in xsltNumberFormatGetMultipleLevel to avoid an
|
||||
out-of-bounds heap access.
|
||||
|
||||
Move the test whether a node matches the "count" pattern to a separate
|
||||
function to make the code more readable. As a side effect, we also
|
||||
compare expanded names when walking up the ancestor axis, fixing an
|
||||
insignificant bug.
|
||||
---
|
||||
libxslt/numbers.c | 82 +++++++++++++++++++++++++++--------------------
|
||||
tests/docs/bug-186.xml | 4 +++
|
||||
tests/general/bug-186.out | 5 +++
|
||||
tests/general/bug-186.xsl | 7 ++++
|
||||
4 files changed, 63 insertions(+), 35 deletions(-)
|
||||
create mode 100644 tests/docs/bug-186.xml
|
||||
create mode 100644 tests/general/bug-186.out
|
||||
create mode 100644 tests/general/bug-186.xsl
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index e3209e0..184ee6f 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -532,6 +532,43 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
|
||||
}
|
||||
|
||||
static int
|
||||
+xsltTestCompMatchCount(xsltTransformContextPtr context,
|
||||
+ xmlNodePtr node,
|
||||
+ xsltCompMatchPtr countPat,
|
||||
+ xmlNodePtr cur)
|
||||
+{
|
||||
+ if (countPat != NULL) {
|
||||
+ return xsltTestCompMatchList(context, node, countPat);
|
||||
+ }
|
||||
+ else {
|
||||
+ /*
|
||||
+ * 7.7 Numbering
|
||||
+ *
|
||||
+ * If count attribute is not specified, then it defaults to the
|
||||
+ * pattern that matches any node with the same node type as the
|
||||
+ * current node and, if the current node has an expanded-name, with
|
||||
+ * the same expanded-name as the current node.
|
||||
+ */
|
||||
+ if (node->type != cur->type)
|
||||
+ return 0;
|
||||
+ if (node->type == XML_NAMESPACE_DECL)
|
||||
+ /*
|
||||
+ * Namespace nodes have no preceding siblings and no parents
|
||||
+ * that are namespace nodes. This means that node == cur.
|
||||
+ */
|
||||
+ return 1;
|
||||
+ /* TODO: Skip node types without expanded names like text nodes. */
|
||||
+ if (!xmlStrEqual(node->name, cur->name))
|
||||
+ return 0;
|
||||
+ if (node->ns == cur->ns)
|
||||
+ return 1;
|
||||
+ if ((node->ns == NULL) || (cur->ns == NULL))
|
||||
+ return 0;
|
||||
+ return (xmlStrEqual(node->ns->href, cur->ns->href));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
|
||||
xmlNodePtr node,
|
||||
xsltCompMatchPtr countPat,
|
||||
@@ -562,21 +599,8 @@ xsltNumberFormatGetAnyLevel(xsltTransformContextPtr context,
|
||||
|
||||
while (cur != NULL) {
|
||||
/* process current node */
|
||||
- if (countPat == NULL) {
|
||||
- if ((node->type == cur->type) &&
|
||||
- /* FIXME: must use expanded-name instead of local name */
|
||||
- xmlStrEqual(node->name, cur->name)) {
|
||||
- if ((node->ns == cur->ns) ||
|
||||
- ((node->ns != NULL) &&
|
||||
- (cur->ns != NULL) &&
|
||||
- (xmlStrEqual(node->ns->href,
|
||||
- cur->ns->href) )))
|
||||
- cnt++;
|
||||
- }
|
||||
- } else {
|
||||
- if (xsltTestCompMatchList(context, cur, countPat))
|
||||
- cnt++;
|
||||
- }
|
||||
+ if (xsltTestCompMatchCount(context, cur, countPat, node))
|
||||
+ cnt++;
|
||||
if ((fromPat != NULL) &&
|
||||
xsltTestCompMatchList(context, cur, fromPat)) {
|
||||
break; /* while */
|
||||
@@ -633,30 +657,18 @@ xsltNumberFormatGetMultipleLevel(xsltTransformContextPtr context,
|
||||
xsltTestCompMatchList(context, ancestor, fromPat))
|
||||
break; /* for */
|
||||
|
||||
- if ((countPat == NULL && node->type == ancestor->type &&
|
||||
- xmlStrEqual(node->name, ancestor->name)) ||
|
||||
- xsltTestCompMatchList(context, ancestor, countPat)) {
|
||||
+ if (xsltTestCompMatchCount(context, ancestor, countPat, node)) {
|
||||
/* count(preceding-sibling::*) */
|
||||
- cnt = 0;
|
||||
- for (preceding = ancestor;
|
||||
+ cnt = 1;
|
||||
+ for (preceding =
|
||||
+ xmlXPathNextPrecedingSibling(parser, ancestor);
|
||||
preceding != NULL;
|
||||
preceding =
|
||||
xmlXPathNextPrecedingSibling(parser, preceding)) {
|
||||
- if (countPat == NULL) {
|
||||
- if ((preceding->type == ancestor->type) &&
|
||||
- xmlStrEqual(preceding->name, ancestor->name)){
|
||||
- if ((preceding->ns == ancestor->ns) ||
|
||||
- ((preceding->ns != NULL) &&
|
||||
- (ancestor->ns != NULL) &&
|
||||
- (xmlStrEqual(preceding->ns->href,
|
||||
- ancestor->ns->href) )))
|
||||
- cnt++;
|
||||
- }
|
||||
- } else {
|
||||
- if (xsltTestCompMatchList(context, preceding,
|
||||
- countPat))
|
||||
- cnt++;
|
||||
- }
|
||||
+
|
||||
+ if (xsltTestCompMatchCount(context, preceding, countPat,
|
||||
+ node))
|
||||
+ cnt++;
|
||||
}
|
||||
array[amount++] = (double)cnt;
|
||||
if (amount >= max)
|
||||
diff --git a/tests/docs/bug-186.xml b/tests/docs/bug-186.xml
|
||||
new file mode 100644
|
||||
index 0000000..424db6b
|
||||
--- /dev/null
|
||||
+++ b/tests/docs/bug-186.xml
|
||||
@@ -0,0 +1,4 @@
|
||||
+<top xmlns:a="AAAA" xmlns:b="BBBB" xmlns:c="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC">
|
||||
+<foo/>
|
||||
+<bar/>
|
||||
+</top>
|
||||
diff --git a/tests/general/bug-186.out b/tests/general/bug-186.out
|
||||
new file mode 100644
|
||||
index 0000000..01a59f8
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-186.out
|
||||
@@ -0,0 +1,5 @@
|
||||
+<?xml version="1.0"?>
|
||||
+
|
||||
+1111
|
||||
+1111
|
||||
+
|
||||
diff --git a/tests/general/bug-186.xsl b/tests/general/bug-186.xsl
|
||||
new file mode 100644
|
||||
index 0000000..9c491dd
|
||||
--- /dev/null
|
||||
+++ b/tests/general/bug-186.xsl
|
||||
@@ -0,0 +1,7 @@
|
||||
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||||
+ <xsl:template match="*/*">
|
||||
+ <xsl:for-each select="namespace::*">
|
||||
+ <xsl:number/>
|
||||
+ </xsl:for-each>
|
||||
+ </xsl:template>
|
||||
+</xsl:stylesheet>
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
From 345e0bfb1c1131155a32dfbdfc8f78d1c602dc40 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 10 Apr 2016 12:50:02 +0200
|
||||
Subject: [PATCH] Round xsl:number values to nearest integer
|
||||
|
||||
This matches XSLT 2.0 behavior.
|
||||
---
|
||||
libxslt/numbers.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index 184ee6f..eb087bc 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -440,6 +440,8 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
|
||||
for (i = 0; i < numbers_max; i++) {
|
||||
/* Insert number */
|
||||
number = numbers[(numbers_max - 1) - i];
|
||||
+ /* Round to nearest like XSLT 2.0 */
|
||||
+ number = floor(number + 0.5);
|
||||
if (i < tokens->nTokens) {
|
||||
/*
|
||||
* The "n"th format token will be used to format the "n"th
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From 69ec3da1b653024aca6515ddd4adc91919dd188e Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 10 Apr 2016 12:51:57 +0200
|
||||
Subject: [PATCH] Handle negative xsl:number values
|
||||
|
||||
According to XSLT 2.0, negative values are a non-recoverable dynamic error.
|
||||
Print an error message and treat negative values as zero.
|
||||
|
||||
Fixes an OOB array access in xsltNumberFormatAlpha.
|
||||
---
|
||||
libxslt/numbers.c | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index eb087bc..a3cabcf 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -246,7 +246,7 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
|
||||
number--;
|
||||
*(--pointer) = alpha_list[((int)fmod(number, alpha_size))];
|
||||
number /= alpha_size;
|
||||
- if (fabs(number) < 1.0)
|
||||
+ if (number < 1.0)
|
||||
break; /* for */
|
||||
}
|
||||
xmlBufferCCat(buffer, pointer);
|
||||
@@ -442,6 +442,21 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
|
||||
number = numbers[(numbers_max - 1) - i];
|
||||
/* Round to nearest like XSLT 2.0 */
|
||||
number = floor(number + 0.5);
|
||||
+ /*
|
||||
+ * XSLT 1.0 isn't clear on how to handle negative numbers, but XSLT
|
||||
+ * 2.0 says:
|
||||
+ *
|
||||
+ * It is a non-recoverable dynamic error if any undiscarded item
|
||||
+ * in the atomized sequence supplied as the value of the value
|
||||
+ * attribute of xsl:number cannot be converted to an integer, or
|
||||
+ * if the resulting integer is less than 0 (zero).
|
||||
+ */
|
||||
+ if (number < 0.0) {
|
||||
+ xsltTransformError(NULL, NULL, NULL,
|
||||
+ "xsl-number : negative value\n");
|
||||
+ /* Recover by treating negative values as zero. */
|
||||
+ number = 0.0;
|
||||
+ }
|
||||
if (i < tokens->nTokens) {
|
||||
/*
|
||||
* The "n"th format token will be used to format the "n"th
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,75 @@
|
|||
From 405034286fbdd6166229335b7203a41bf53b40fc Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 10 Apr 2016 13:11:31 +0200
|
||||
Subject: [PATCH] Lower bound for format token "a"
|
||||
|
||||
Handle xsl:number with format "a" and value 0 according to XSLT 2.0.
|
||||
|
||||
Fixes an OOB array access in xsltNumberFormatAlpha.
|
||||
---
|
||||
libxslt/numbers.c | 33 ++++++++++++++++++++++++---------
|
||||
1 file changed, 24 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index a3cabcf..af52883 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -227,7 +227,8 @@ xsltNumberFormatDecimal(xmlBufferPtr buffer,
|
||||
}
|
||||
|
||||
static void
|
||||
-xsltNumberFormatAlpha(xmlBufferPtr buffer,
|
||||
+xsltNumberFormatAlpha(xsltNumberDataPtr data,
|
||||
+ xmlBufferPtr buffer,
|
||||
double number,
|
||||
int is_upper)
|
||||
{
|
||||
@@ -237,6 +238,26 @@ xsltNumberFormatAlpha(xmlBufferPtr buffer,
|
||||
char *alpha_list;
|
||||
double alpha_size = (double)(sizeof(alpha_upper_list) - 1);
|
||||
|
||||
+ /*
|
||||
+ * XSLT 1.0 isn't clear on how to handle zero, but XSLT 2.0 says:
|
||||
+ *
|
||||
+ * For all format tokens other than the first kind above (one that
|
||||
+ * consists of decimal digits), there may be implementation-defined
|
||||
+ * lower and upper bounds on the range of numbers that can be
|
||||
+ * formatted using this format token; indeed, for some numbering
|
||||
+ * sequences there may be intrinsic limits. [...] Numbers that fall
|
||||
+ * outside this range must be formatted using the format token 1.
|
||||
+ *
|
||||
+ * The "a" token has an intrinsic lower limit of 1.
|
||||
+ */
|
||||
+ if (number < 1.0) {
|
||||
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
|
||||
+ data->digitsPerGroup,
|
||||
+ data->groupingCharacter,
|
||||
+ data->groupingCharacterLen);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* Build buffer from back */
|
||||
pointer = &temp_string[sizeof(temp_string)];
|
||||
*(--pointer) = 0;
|
||||
@@ -500,16 +521,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
|
||||
|
||||
switch (token->token) {
|
||||
case 'A':
|
||||
- xsltNumberFormatAlpha(buffer,
|
||||
- number,
|
||||
- TRUE);
|
||||
-
|
||||
+ xsltNumberFormatAlpha(data, buffer, number, TRUE);
|
||||
break;
|
||||
case 'a':
|
||||
- xsltNumberFormatAlpha(buffer,
|
||||
- number,
|
||||
- FALSE);
|
||||
-
|
||||
+ xsltNumberFormatAlpha(data, buffer, number, FALSE);
|
||||
break;
|
||||
case 'I':
|
||||
xsltNumberFormatRoman(buffer,
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
From 91d0540ac9beaa86719a05b749219a69baa0dd8d Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Sun, 10 Apr 2016 13:12:28 +0200
|
||||
Subject: [PATCH] Lower and upper bound for format token "i"
|
||||
|
||||
Handle xsl:number with format "i" and value 0 according to XSLT 2.0.
|
||||
|
||||
Also introduce an upper bound to fix a denial of service.
|
||||
---
|
||||
libxslt/numbers.c | 25 ++++++++++++++++---------
|
||||
1 file changed, 16 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index af52883..e769c42 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -274,11 +274,24 @@ xsltNumberFormatAlpha(xsltNumberDataPtr data,
|
||||
}
|
||||
|
||||
static void
|
||||
-xsltNumberFormatRoman(xmlBufferPtr buffer,
|
||||
+xsltNumberFormatRoman(xsltNumberDataPtr data,
|
||||
+ xmlBufferPtr buffer,
|
||||
double number,
|
||||
int is_upper)
|
||||
{
|
||||
/*
|
||||
+ * See discussion in xsltNumberFormatAlpha. Also use a reasonable upper
|
||||
+ * bound to avoid denial of service.
|
||||
+ */
|
||||
+ if (number < 1.0 || number > 5000.0) {
|
||||
+ xsltNumberFormatDecimal(buffer, number, '0', 1,
|
||||
+ data->digitsPerGroup,
|
||||
+ data->groupingCharacter,
|
||||
+ data->groupingCharacterLen);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* Based on an example by Jim Walsh
|
||||
*/
|
||||
while (number >= 1000.0) {
|
||||
@@ -527,16 +540,10 @@ xsltNumberFormatInsertNumbers(xsltNumberDataPtr data,
|
||||
xsltNumberFormatAlpha(data, buffer, number, FALSE);
|
||||
break;
|
||||
case 'I':
|
||||
- xsltNumberFormatRoman(buffer,
|
||||
- number,
|
||||
- TRUE);
|
||||
-
|
||||
+ xsltNumberFormatRoman(data, buffer, number, TRUE);
|
||||
break;
|
||||
case 'i':
|
||||
- xsltNumberFormatRoman(buffer,
|
||||
- number,
|
||||
- FALSE);
|
||||
-
|
||||
+ xsltNumberFormatRoman(data, buffer, number, FALSE);
|
||||
break;
|
||||
default:
|
||||
if (IS_DIGIT_ZERO(token->token)) {
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
From d8862309f08054218b28e2c8f5fb3cb2f650cac7 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Wed, 20 Apr 2016 14:35:43 +0200
|
||||
Subject: [PATCH] Fix double free in libexslt hash functions
|
||||
|
||||
Thanks to Nicolas Gregoire for the report.
|
||||
|
||||
Fixes bug #765271:
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=765271
|
||||
---
|
||||
libexslt/crypto.c | 15 +++------------
|
||||
tests/exslt/crypto/hash.1.out | 2 ++
|
||||
tests/exslt/crypto/hash.1.xml | 5 +++++
|
||||
3 files changed, 10 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
|
||||
index 6aa9dd2..e13db8b 100644
|
||||
--- a/libexslt/crypto.c
|
||||
+++ b/libexslt/crypto.c
|
||||
@@ -499,11 +499,8 @@ exsltCryptoMd4Function (xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
|
||||
|
||||
str_len = exsltCryptoPopString (ctxt, nargs, &str);
|
||||
- if (str_len == 0) {
|
||||
- xmlXPathReturnEmptyString (ctxt);
|
||||
- xmlFree (str);
|
||||
+ if (str_len == 0)
|
||||
return;
|
||||
- }
|
||||
|
||||
PLATFORM_HASH (ctxt, PLATFORM_MD4, (const char *) str, str_len,
|
||||
(char *) hash);
|
||||
@@ -532,11 +529,8 @@ exsltCryptoMd5Function (xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
unsigned char hex[MD5_DIGEST_LENGTH * 2 + 1];
|
||||
|
||||
str_len = exsltCryptoPopString (ctxt, nargs, &str);
|
||||
- if (str_len == 0) {
|
||||
- xmlXPathReturnEmptyString (ctxt);
|
||||
- xmlFree (str);
|
||||
+ if (str_len == 0)
|
||||
return;
|
||||
- }
|
||||
|
||||
PLATFORM_HASH (ctxt, PLATFORM_MD5, (const char *) str, str_len,
|
||||
(char *) hash);
|
||||
@@ -565,11 +559,8 @@ exsltCryptoSha1Function (xmlXPathParserContextPtr ctxt, int nargs) {
|
||||
unsigned char hex[SHA1_DIGEST_LENGTH * 2 + 1];
|
||||
|
||||
str_len = exsltCryptoPopString (ctxt, nargs, &str);
|
||||
- if (str_len == 0) {
|
||||
- xmlXPathReturnEmptyString (ctxt);
|
||||
- xmlFree (str);
|
||||
+ if (str_len == 0)
|
||||
return;
|
||||
- }
|
||||
|
||||
PLATFORM_HASH (ctxt, PLATFORM_SHA1, (const char *) str, str_len,
|
||||
(char *) hash);
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
From 5d0c6565bab5b9b7efceb33b626916d22b4101a7 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 28 Apr 2016 17:34:27 +0200
|
||||
Subject: [PATCH] Fix buffer overflow in exsltDateFormat
|
||||
|
||||
Long years can overflow a stack-based buffer on 64-bit platforms by
|
||||
up to four bytes.
|
||||
|
||||
Thanks to Nicolas Gregoire for the report.
|
||||
|
||||
Fixes bug #765380:
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=765380
|
||||
---
|
||||
libexslt/date.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libexslt/date.c b/libexslt/date.c
|
||||
index 272c61b..12c9919 100644
|
||||
--- a/libexslt/date.c
|
||||
+++ b/libexslt/date.c
|
||||
@@ -1283,7 +1283,7 @@ exsltDateFormat (const exsltDateValPtr dt)
|
||||
}
|
||||
|
||||
if (dt->type & XS_GYEAR) {
|
||||
- xmlChar buf[20], *cur = buf;
|
||||
+ xmlChar buf[100], *cur = buf;
|
||||
|
||||
FORMAT_GYEAR(dt->value.date.year, cur);
|
||||
if (dt->type == XS_GYEARMONTH) {
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
From 87c3d9ea214fc0503fd8130b6dd97431d69cc066 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 5 May 2016 15:12:48 +0200
|
||||
Subject: [PATCH] Fix OOB heap read in xsltExtModuleRegisterDynamic
|
||||
|
||||
xsltExtModuleRegisterDynamic would read a byte before the start of a
|
||||
string under certain circumstances. I looks like this piece code was
|
||||
supposed to strip characters from the end of the extension name, but
|
||||
it didn't have any effect. Don't read beyond the beginning of the
|
||||
string and actually strip unwanted characters.
|
||||
|
||||
Found with afl-fuzz and ASan.
|
||||
---
|
||||
libxslt/extensions.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/extensions.c b/libxslt/extensions.c
|
||||
index 5ad73cb..ae6eef0 100644
|
||||
--- a/libxslt/extensions.c
|
||||
+++ b/libxslt/extensions.c
|
||||
@@ -367,8 +367,11 @@ xsltExtModuleRegisterDynamic(const xmlChar * URI)
|
||||
i++;
|
||||
}
|
||||
|
||||
- if (*(i - 1) == '_')
|
||||
+ /* Strip underscores from end of string. */
|
||||
+ while (i > ext_name && *(i - 1) == '_') {
|
||||
+ i--;
|
||||
*i = '\0';
|
||||
+ }
|
||||
|
||||
/* determine module directory */
|
||||
ext_directory = (xmlChar *) getenv("LIBXSLT_PLUGINS_PATH");
|
||||
--
|
||||
2.8.1
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Fri, 10 Jun 2016 14:23:58 +0200
|
||||
Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
|
||||
|
||||
An empty decimal-separator could cause a heap overread. This can be
|
||||
exploited to leak a couple of bytes after the buffer that holds the
|
||||
pattern string.
|
||||
|
||||
Found with afl-fuzz and ASan.
|
||||
---
|
||||
libxslt/numbers.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
|
||||
index d1549b4..e78c46b 100644
|
||||
--- a/libxslt/numbers.c
|
||||
+++ b/libxslt/numbers.c
|
||||
@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
|
||||
}
|
||||
|
||||
/* We have finished the integer part, now work on fraction */
|
||||
- if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
|
||||
+ if ( (*the_format != 0) &&
|
||||
+ (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
|
||||
format_info.add_decimal = TRUE;
|
||||
the_format += xsltUTF8Size(the_format); /* Skip over the decimal */
|
||||
}
|
||||
--
|
||||
2.10.2
|
||||
|
|
@ -0,0 +1,74 @@
|
|||
From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 12 Jan 2017 15:39:52 +0100
|
||||
Subject: [PATCH] Check for integer overflow in xsltAddTextString
|
||||
|
||||
Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
|
||||
exploited to trigger an out of bounds write on 64-bit systems.
|
||||
|
||||
Originally reported to Chromium:
|
||||
|
||||
https://crbug.com/676623
|
||||
---
|
||||
libxslt/transform.c | 25 ++++++++++++++++++++++---
|
||||
libxslt/xsltInternals.h | 4 ++--
|
||||
2 files changed, 24 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libxslt/transform.c b/libxslt/transform.c
|
||||
index 519133fc..02bff34a 100644
|
||||
--- a/libxslt/transform.c
|
||||
+++ b/libxslt/transform.c
|
||||
@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
|
||||
return(target);
|
||||
|
||||
if (ctxt->lasttext == target->content) {
|
||||
+ int minSize;
|
||||
|
||||
- if (ctxt->lasttuse + len >= ctxt->lasttsize) {
|
||||
+ /* Check for integer overflow accounting for NUL terminator. */
|
||||
+ if (len >= INT_MAX - ctxt->lasttuse) {
|
||||
+ xsltTransformError(ctxt, NULL, target,
|
||||
+ "xsltCopyText: text allocation failed\n");
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ minSize = ctxt->lasttuse + len + 1;
|
||||
+
|
||||
+ if (ctxt->lasttsize < minSize) {
|
||||
xmlChar *newbuf;
|
||||
int size;
|
||||
+ int extra;
|
||||
+
|
||||
+ /* Double buffer size but increase by at least 100 bytes. */
|
||||
+ extra = minSize < 100 ? 100 : minSize;
|
||||
+
|
||||
+ /* Check for integer overflow. */
|
||||
+ if (extra > INT_MAX - ctxt->lasttsize) {
|
||||
+ size = INT_MAX;
|
||||
+ }
|
||||
+ else {
|
||||
+ size = ctxt->lasttsize + extra;
|
||||
+ }
|
||||
|
||||
- size = ctxt->lasttsize + len + 100;
|
||||
- size *= 2;
|
||||
newbuf = (xmlChar *) xmlRealloc(target->content,size);
|
||||
if (newbuf == NULL) {
|
||||
xsltTransformError(ctxt, NULL, target,
|
||||
diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
|
||||
index 060b1783..5ad17719 100644
|
||||
--- a/libxslt/xsltInternals.h
|
||||
+++ b/libxslt/xsltInternals.h
|
||||
@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
|
||||
* Speed optimization when coalescing text nodes
|
||||
*/
|
||||
const xmlChar *lasttext; /* last text node content */
|
||||
- unsigned int lasttsize; /* last text node size */
|
||||
- unsigned int lasttuse; /* last text node use */
|
||||
+ int lasttsize; /* last text node size */
|
||||
+ int lasttuse; /* last text node use */
|
||||
/*
|
||||
* Per Context Debugging
|
||||
*/
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (C) 2006-2016 OpenWrt.org
|
||||
# Copyright (C) 2006-2018 OpenWrt.org
|
||||
#
|
||||
# This is free software, licensed under the GNU General Public License v2.
|
||||
# See /LICENSE for more information.
|
||||
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=tiff
|
||||
PKG_VERSION:=4.0.6
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=4.0.9
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://download.osgeo.org/libtiff
|
||||
PKG_MD5SUM:=d1d2e940dea0b5ad435f21f03d96dd72
|
||||
PKG_MD5SUM:=54bad211279cc93eb4fca31ba9bfdc79
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
PKG_REMOVE_FILES:=autogen.sh aclocal.m4
|
||||
|
|
|
@ -1,136 +0,0 @@
|
|||
From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sat, 26 Dec 2015 17:32:03 +0000
|
||||
Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
|
||||
TIFFRGBAImage interface in case of unsupported values of
|
||||
SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
|
||||
TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
|
||||
limingxing and CVE-2015-8683 reported by zzf of Alibaba.
|
||||
|
||||
---
|
||||
ChangeLog | 8 ++++++++
|
||||
libtiff/tif_getimage.c | 37 +++++++++++++++++++++++--------------
|
||||
2 files changed, 31 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index a7d283a..4beb30b 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,11 @@
|
||||
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
||||
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
|
||||
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
|
||||
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
|
||||
+ CVE-2015-8683 reported by zzf of Alibaba.
|
||||
+
|
||||
2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
|
||||
|
||||
* libtiff 4.0.6 released.
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index fd0a4f9..fae1e31 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_getimage.c,v 1.90 2015-06-17 01:34:08 bfriesen Exp $ */
|
||||
+/* $Id: tif_getimage.c,v 1.94 2015-12-26 17:32:03 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1991-1997 Sam Leffler
|
||||
@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
|
||||
"Planarconfiguration", td->td_planarconfig);
|
||||
return (0);
|
||||
}
|
||||
- if( td->td_samplesperpixel != 3 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d",
|
||||
- "Samples/pixel", td->td_samplesperpixel);
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d",
|
||||
+ "Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels);
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
|
||||
+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
|
||||
{
|
||||
sprintf(emsg,
|
||||
- "Sorry, can not handle image with %s=%d and %s=%d",
|
||||
+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
|
||||
"Samples/pixel", td->td_samplesperpixel,
|
||||
+ "colorchannels", colorchannels,
|
||||
"Bits/sample", td->td_bitspersample);
|
||||
return 0;
|
||||
}
|
||||
@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
|
||||
int colorchannels;
|
||||
uint16 *red_orig, *green_orig, *blue_orig;
|
||||
int n_color;
|
||||
+
|
||||
+ if( !TIFFRGBAImageOK(tif, emsg) )
|
||||
+ return 0;
|
||||
|
||||
/* Initialize to normal values */
|
||||
img->row_offset = 0;
|
||||
@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
case PHOTOMETRIC_RGB:
|
||||
switch (img->bitspersample) {
|
||||
case 8:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
img->put.contig = putRGBAAcontig8bittile;
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >= 4)
|
||||
{
|
||||
if (BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig8bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >= 3 )
|
||||
img->put.contig = putRGBcontig8bittile;
|
||||
break;
|
||||
case 16:
|
||||
- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
|
||||
+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBAAcontig16bittile;
|
||||
}
|
||||
- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
|
||||
+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
|
||||
+ img->samplesperpixel >=4 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img) &&
|
||||
BuildMapUaToAa(img))
|
||||
img->put.contig = putRGBUAcontig16bittile;
|
||||
}
|
||||
- else
|
||||
+ else if( img->samplesperpixel >=3 )
|
||||
{
|
||||
if (BuildMapBitdepth16To8(img))
|
||||
img->put.contig = putRGBcontig16bittile;
|
||||
@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_SEPARATED:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel >=4 && buildMap(img)) {
|
||||
if (img->bitspersample == 8) {
|
||||
if (!img->Map)
|
||||
img->put.contig = putRGBcontig8bitCMYKtile;
|
||||
@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
|
||||
}
|
||||
break;
|
||||
case PHOTOMETRIC_CIELAB:
|
||||
- if (buildMap(img)) {
|
||||
+ if (img->samplesperpixel == 3 && buildMap(img)) {
|
||||
if (img->bitspersample == 8)
|
||||
img->put.contig = initCIELabConversion(img);
|
||||
break;
|
|
@ -1,193 +0,0 @@
|
|||
From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sun, 27 Dec 2015 16:25:11 +0000
|
||||
Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
|
||||
decode functions in non debug builds by replacing assert()s by regular if
|
||||
checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
|
||||
input data.
|
||||
|
||||
---
|
||||
ChangeLog | 7 +++++++
|
||||
libtiff/tif_luv.c | 57 +++++++++++++++++++++++++++++++++++++++++++------------
|
||||
2 files changed, 52 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 4beb30b..b8aa23c 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,10 @@
|
||||
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
||||
+ functions in non debug builds by replacing assert()s by regular if
|
||||
+ checks (bugzilla #2522).
|
||||
+ Fix potential out-of-bound reads in case of short input data.
|
||||
+
|
||||
2015-12-26 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
|
||||
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
|
||||
index 4e328ba..60a174d 100644
|
||||
--- a/libtiff/tif_luv.c
|
||||
+++ b/libtiff/tif_luv.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
|
||||
+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1997 Greg Ward Larson
|
||||
@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
|
||||
tp = (int16*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (int16*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 2*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
+ rc = *bp++ + (2-128);
|
||||
b = (int16)(*bp++ << shft);
|
||||
cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (int16)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32 *)op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32 *) sp->tbuf;
|
||||
}
|
||||
/* copy to array of uint32 */
|
||||
bp = (unsigned char*) tif->tif_rawcp;
|
||||
cc = tif->tif_rawcc;
|
||||
- for (i = 0; i < npixels && cc > 0; i++) {
|
||||
+ for (i = 0; i < npixels && cc >= 3; i++) {
|
||||
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
|
||||
bp += 3;
|
||||
cc -= 3;
|
||||
@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
|
||||
tp = (uint32*) op;
|
||||
else {
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
tp = (uint32*) sp->tbuf;
|
||||
}
|
||||
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
|
||||
@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
cc = tif->tif_rawcc;
|
||||
/* get each byte string */
|
||||
for (shft = 4*8; (shft -= 8) >= 0; ) {
|
||||
- for (i = 0; i < npixels && cc > 0; )
|
||||
+ for (i = 0; i < npixels && cc > 0; ) {
|
||||
if (*bp >= 128) { /* run */
|
||||
+ if( cc < 2 )
|
||||
+ break;
|
||||
rc = *bp++ + (2-128);
|
||||
b = (uint32)*bp++ << shft;
|
||||
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
|
||||
+ cc -= 2;
|
||||
while (rc-- && i < npixels)
|
||||
tp[i++] |= b;
|
||||
} else { /* non-run */
|
||||
@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
|
||||
while (--cc && rc-- && i < npixels)
|
||||
tp[i++] |= (uint32)*bp++ << shft;
|
||||
}
|
||||
+ }
|
||||
if (i != npixels) {
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
static int
|
||||
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogL16Encode";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
tp = (int16*) bp;
|
||||
else {
|
||||
tp = (int16*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
||||
@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
static int
|
||||
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode24";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
tmsize_t i;
|
||||
tmsize_t npixels;
|
||||
@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* write out encoded pixels */
|
||||
@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
static int
|
||||
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
{
|
||||
+ static const char module[] = "LogLuvEncode32";
|
||||
LogLuvState* sp = EncoderState(tif);
|
||||
int shft;
|
||||
tmsize_t i;
|
||||
@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
|
||||
tp = (uint32*) bp;
|
||||
else {
|
||||
tp = (uint32*) sp->tbuf;
|
||||
- assert(sp->tbuflen >= npixels);
|
||||
+ if(sp->tbuflen < npixels) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Translation buffer too short");
|
||||
+ return (0);
|
||||
+ }
|
||||
(*sp->tfunc)(sp, bp, npixels);
|
||||
}
|
||||
/* compress each byte string */
|
|
@ -1,72 +0,0 @@
|
|||
From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001
|
||||
From: erouault <erouault>
|
||||
Date: Sun, 27 Dec 2015 16:55:20 +0000
|
||||
Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
|
||||
NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
||||
(bugzilla #2508)
|
||||
|
||||
---
|
||||
ChangeLog | 6 ++++++
|
||||
libtiff/tif_next.c | 12 +++++++++---
|
||||
2 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index b8aa23c..04926a3 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,5 +1,11 @@
|
||||
2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
|
||||
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
|
||||
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
|
||||
+ (bugzilla #2508)
|
||||
+
|
||||
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
|
||||
+
|
||||
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
|
||||
functions in non debug builds by replacing assert()s by regular if
|
||||
checks (bugzilla #2522).
|
||||
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
|
||||
index 17e0311..1248caa 100644
|
||||
--- a/libtiff/tif_next.c
|
||||
+++ b/libtiff/tif_next.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
|
||||
+/* $Id: tif_next.c,v 1.17 2015-12-27 16:55:20 erouault Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988-1997 Sam Leffler
|
||||
@@ -37,7 +37,7 @@
|
||||
case 0: op[0] = (unsigned char) ((v) << 6); break; \
|
||||
case 1: op[0] |= (v) << 4; break; \
|
||||
case 2: op[0] |= (v) << 2; break; \
|
||||
- case 3: *op++ |= (v); break; \
|
||||
+ case 3: *op++ |= (v); op_offset++; break; \
|
||||
} \
|
||||
}
|
||||
|
||||
@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
|
||||
uint32 imagewidth = tif->tif_dir.td_imagewidth;
|
||||
if( isTiled(tif) )
|
||||
imagewidth = tif->tif_dir.td_tilewidth;
|
||||
+ tmsize_t op_offset = 0;
|
||||
|
||||
/*
|
||||
* The scanline is composed of a sequence of constant
|
||||
@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
|
||||
* bounds, potentially resulting in a security
|
||||
* issue.
|
||||
*/
|
||||
- while (n-- > 0 && npixels < imagewidth)
|
||||
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
|
||||
SETPIXEL(op, grey);
|
||||
if (npixels >= imagewidth)
|
||||
break;
|
||||
+ if (op_offset >= scanline ) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
|
||||
+ (long) tif->tif_row);
|
||||
+ return (0);
|
||||
+ }
|
||||
if (cc == 0)
|
||||
goto bad;
|
||||
n = *bp++, cc--;
|
|
@ -1,6 +1,6 @@
|
|||
--- a/libtiff/tiffiop.h
|
||||
+++ b/libtiff/tiffiop.h
|
||||
@@ -284,7 +284,7 @@ struct tiff {
|
||||
@@ -287,7 +287,7 @@ struct tiff {
|
||||
*/
|
||||
#if defined(HAVE_FSEEKO)
|
||||
# define fseek(stream,offset,whence) fseeko(stream,offset,whence)
|
||||
|
|
34
libs/tiff/patches/019-CVE-2017-18013.patch
Normal file
34
libs/tiff/patches/019-CVE-2017-18013.patch
Normal file
|
@ -0,0 +1,34 @@
|
|||
From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
||||
Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
|
||||
|
||||
---
|
||||
libtiff/tif_print.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index 9959d35..8deceb2 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned __int64) td->td_stripoffset[s],
|
||||
- (unsigned __int64) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
|
||||
#else
|
||||
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
|
||||
(unsigned long) s,
|
||||
- (unsigned long long) td->td_stripoffset[s],
|
||||
- (unsigned long long) td->td_stripbytecount[s]);
|
||||
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
|
||||
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
--
|
||||
libgit2 0.26.0
|
||||
|
117
libs/tiff/patches/020-CVE-2017-9935.patch
Normal file
117
libs/tiff/patches/020-CVE-2017-9935.patch
Normal file
|
@ -0,0 +1,117 @@
|
|||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index 2ccaf44..cbf2b69 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[1];
|
||||
*va_arg(ap, uint16**) = td->td_transferfunction[2];
|
||||
+ } else {
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
+ *va_arg(ap, uint16**) = NULL;
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_REFERENCEBLACKWHITE:
|
||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||
index d1a9b09..484776c 100644
|
||||
--- a/tools/tiff2pdf.c
|
||||
+++ b/tools/tiff2pdf.c
|
||||
@@ -237,7 +237,7 @@ typedef struct {
|
||||
float tiff_whitechromaticities[2];
|
||||
float tiff_primarychromaticities[6];
|
||||
float tiff_referenceblackwhite[2];
|
||||
- float* tiff_transferfunction[3];
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
||||
1 : interpolate */
|
||||
uint16 tiff_transferfunctioncount;
|
||||
@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
uint16 pagen=0;
|
||||
uint16 paged=0;
|
||||
uint16 xuint16=0;
|
||||
+ uint16 tiff_transferfunctioncount=0;
|
||||
+ uint16* tiff_transferfunction[3];
|
||||
|
||||
directorycount=TIFFNumberOfDirectories(input);
|
||||
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
|
||||
@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||
}
|
||||
#endif
|
||||
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
|
||||
- &(t2p->tiff_transferfunction[0]),
|
||||
- &(t2p->tiff_transferfunction[1]),
|
||||
- &(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
- t2p->tiff_transferfunctioncount = 3;
|
||||
- t2p->tiff_pages[i].page_extra += 4;
|
||||
- t2p->pdf_xrefcount += 4;
|
||||
- } else {
|
||||
- t2p->tiff_transferfunctioncount = 1;
|
||||
- t2p->tiff_pages[i].page_extra += 2;
|
||||
- t2p->pdf_xrefcount += 2;
|
||||
- }
|
||||
- if(t2p->pdf_minorversion < 2)
|
||||
- t2p->pdf_minorversion = 2;
|
||||
+ &(tiff_transferfunction[0]),
|
||||
+ &(tiff_transferfunction[1]),
|
||||
+ &(tiff_transferfunction[2]))) {
|
||||
+
|
||||
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ ) {
|
||||
+ tiff_transferfunctioncount=3;
|
||||
+ } else {
|
||||
+ tiff_transferfunctioncount=1;
|
||||
+ }
|
||||
} else {
|
||||
- t2p->tiff_transferfunctioncount=0;
|
||||
+ tiff_transferfunctioncount=0;
|
||||
}
|
||||
+
|
||||
+ if (i > 0){
|
||||
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
|
||||
+ TIFFError(
|
||||
+ TIFF2PDF_MODULE,
|
||||
+ "Different transfer function on page %d",
|
||||
+ i);
|
||||
+ t2p->t2p_error = T2P_ERR_ERROR;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
|
||||
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
|
||||
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
|
||||
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
|
||||
+ if(tiff_transferfunctioncount == 3){
|
||||
+ t2p->tiff_pages[i].page_extra += 4;
|
||||
+ t2p->pdf_xrefcount += 4;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ } else if (tiff_transferfunctioncount == 1){
|
||||
+ t2p->tiff_pages[i].page_extra += 2;
|
||||
+ t2p->pdf_xrefcount += 2;
|
||||
+ if(t2p->pdf_minorversion < 2)
|
||||
+ t2p->pdf_minorversion = 2;
|
||||
+ }
|
||||
+
|
||||
if( TIFFGetField(
|
||||
input,
|
||||
TIFFTAG_ICCPROFILE,
|
||||
@@ -1827,10 +1851,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||
&(t2p->tiff_transferfunction[0]),
|
||||
&(t2p->tiff_transferfunction[1]),
|
||||
&(t2p->tiff_transferfunction[2]))) {
|
||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||
- (t2p->tiff_transferfunction[1] !=
|
||||
- t2p->tiff_transferfunction[0])) {
|
||||
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
||||
+ ) {
|
||||
t2p->tiff_transferfunctioncount=3;
|
||||
} else {
|
||||
t2p->tiff_transferfunctioncount=1;
|
Loading…
Reference in New Issue
Block a user