Description: CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input
The Xerces-C XML parser mishandles certain kinds of malformed input
documents, resulting in a segmentation fault during a parse operation.
Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1667870
Bug-Debian: https://bugs.debian.org/780827
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-03-12
Applied-Upstream: 3.1.2
--- a/src/xercesc/internal/XMLReader.cpp
+++ b/src/xercesc/internal/XMLReader.cpp
@@ -1460,6 +1460,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UCS4Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UCS4Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 4 byte value and inc our raw buf index
UCS4Ch curVal = *asUCS++;
fRawBufIndex += sizeof(UCS4Ch);
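Review bot: The new guard's comment says only that sizeof(UCS4Ch) bytes must remain, not why they might not, so a later maintainer cannot tell a deliberate security check from a redundant one; since fRawBufIndex advances by exactly sizeof(UCS4Ch) per iteration, the check can only trip on a truncated trailing code unit, and that is worth stating. Suggested replacement for the comment: `// CVE-2015-0252: a truncated trailing code unit (fewer than sizeof(UCS4Ch) bytes left) would otherwise be read past fRawBytesAvail; fail loudly rather than silently drop it.` Folding the bound into the loop condition instead would quietly discard the partial unit, so throwing here is the right choice. doInitDecode continues outside this hunk.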
@@ -1619,6 +1630,17 @@ void XMLReader::doInitDecode()
while (fRawBufIndex < fRawBytesAvail)
{
+ // Security fix: make sure there are at least sizeof(UTF16Ch) bytes to consume.
+ if (fRawBufIndex + sizeof(UTF16Ch) > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ TranscodingException
+ , XMLExcepts::Reader_CouldNotDecodeFirstLine
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
// Get out the current 2 byte value
UTF16Ch curVal = *asUTF16++;
fRawBufIndex += sizeof(UTF16Ch);
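Review bot: This ten-line guard is a copy of the one added to the UCS-4 loop with only the code-unit type changed, and the exception type, message id and arguments are repeated verbatim; a private helper taking the required byte count would keep the two checks in step and reduce each call site to `checkRawBytesAvailable(sizeof(UTF16Ch));`. The helper would need a declaration in XMLReader.hpp, which this patch does not touch, so that is a follow-up rather than a blocker. doInitDecode continues outside this hunk.
```cpp
// Throw if fewer than 'needed' raw bytes remain from fRawBufIndex.
void XMLReader::checkRawBytesAvailable(const XMLSize_t needed)
{
    if (fRawBufIndex + needed > fRawBytesAvail) {
        ThrowXMLwithMemMgr1
        (
            TranscodingException
            , XMLExcepts::Reader_CouldNotDecodeFirstLine
            , fSystemId
            , fMemoryManager
        );
    }
}

// … unchanged: UTF-16 decode loop head …
        checkRawBytesAvailable(sizeof(UTF16Ch));
        UTF16Ch curVal = *asUTF16++;
```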
@@ -1708,6 +1730,17 @@ void XMLReader::doInitDecode()
//
void XMLReader::refreshRawBuffer()
{
+ // Security fix: make sure we don't underflow on the subtraction.
+ if (fRawBufIndex > fRawBytesAvail) {
+ ThrowXMLwithMemMgr1
+ (
+ RuntimeException
+ , XMLExcepts::Str_StartIndexPastEnd
+ , fSystemId
+ , fMemoryManager
+ );
+ }
+
//
// If there are any bytes left, move them down to the start. There
// should only ever be (max bytes per char - 1) at the most.
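Review bot: The guard added at the top of refreshRawBuffer throws RuntimeException with Str_StartIndexPastEnd, while the two guards this patch adds in doInitDecode throw TranscodingException; if any caller catches TranscodingException to report a malformed document (the catch sites are not in this patch, so this is unverified here), this third failure would escape as a different type and be handled differently. The comment should also say what the subtraction is, since it is outside the hunk: `// CVE-2015-0252: fRawBufIndex must never exceed fRawBytesAvail, or the leftover-byte count (fRawBytesAvail - fRawBufIndex) computed below wraps to a huge value.` The existing comment states that at most (max bytes per char - 1) bytes should remain; if that invariant is real, consider bounding the leftover count against it as well rather than only rejecting the underflow case. refreshRawBuffer's body continues outside the hunk.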