apr-commits mailing list archives

From jor...@apache.org
Subject svn commit: r1002628 - in /apr/apr-util/branches/1.5.x: test/testxml.c xml/expat/lib/xmlparse.c xml/expat/lib/xmltok_impl.c
Date Wed, 29 Sep 2010 13:45:51 GMT
Author: jorton
Date: Wed Sep 29 13:45:51 2010
New Revision: 1002628

URL: http://svn.apache.org/viewvc?rev=1002628&view=rev
Log:
Backport security fixes from expat CVS:

* xml/expat/lib/xmlparse.c (doProlog): Add fix for CVE-2009-3560.

* xml/expat/lib/xmltok_impl.c (updatePosition): Add fix for
  CVE-2009-3720.

* test/testxml.c (test_CVE_2009_3720_beta, test_CVE_2009_3720_alpha):
  Add test cases for -3720.

Modified:
    apr/apr-util/branches/1.5.x/test/testxml.c
    apr/apr-util/branches/1.5.x/xml/expat/lib/xmlparse.c
    apr/apr-util/branches/1.5.x/xml/expat/lib/xmltok_impl.c

Modified: apr/apr-util/branches/1.5.x/test/testxml.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/test/testxml.c?rev=1002628&r1=1002627&r2=1002628&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/test/testxml.c (original)
+++ apr/apr-util/branches/1.5.x/test/testxml.c Wed Sep 29 13:45:51 2010
@@ -165,12 +165,40 @@ static void test_billion_laughs(abts_cas
     apr_file_close(fd);
 }
 
+static void test_CVE_2009_3720_alpha(abts_case *tc, void *data)
+{
+    apr_xml_parser *xp;
+    apr_xml_doc *doc;
+    apr_status_t rv;
+
+    xp = apr_xml_parser_create(p);
+    
+    rv = apr_xml_parser_feed(xp, "\0\r\n", 3);
+    if (rv == APR_SUCCESS)
+        apr_xml_parser_done(xp, &doc);
+}
+
+static void test_CVE_2009_3720_beta(abts_case *tc, void *data)
+{
+    apr_xml_parser *xp;
+    apr_xml_doc *doc;
+    apr_status_t rv;
+
+    xp = apr_xml_parser_create(p);
+    
+    rv = apr_xml_parser_feed(xp, "<?xml version\xc2\x85='1.0'?>\r\n", 25);
+    if (rv == APR_SUCCESS)
+        apr_xml_parser_done(xp, &doc);
+}
+
 abts_suite *testxml(abts_suite *suite)
 {
     suite = ADD_SUITE(suite);
 
     abts_run_test(suite, test_xml_parser, NULL);
     abts_run_test(suite, test_billion_laughs, NULL);
+    abts_run_test(suite, test_CVE_2009_3720_alpha, NULL);
+    abts_run_test(suite, test_CVE_2009_3720_beta, NULL);
 
     return suite;
 }
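Review bot: Neither new test asserts anything: `tc` is never used and the values returned by `apr_xml_parser_feed` and `apr_xml_parser_done` are not compared with an expected result, so both tests pass whenever the process survives the parse, even if the parser were to accept the malformed input. If a parse error is the intended outcome, pin it with something like `ABTS_TRUE(tc, rv != APR_SUCCESS);` (to be confirmed against what these inputs actually return); otherwise state the contract in a comment above each function, e.g. `/* Regression test for CVE-2009-3720: passes if parsing this input returns without crashing. */`. The literal lengths `3` and `25` could be taken from `sizeof(...) - 1` on a named array, so that the embedded NUL and the `\xc2\x85` bytes cannot drift out of step with the count.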

Modified: apr/apr-util/branches/1.5.x/xml/expat/lib/xmlparse.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/xml/expat/lib/xmlparse.c?rev=1002628&r1=1002627&r2=1002628&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/xml/expat/lib/xmlparse.c (original)
+++ apr/apr-util/branches/1.5.x/xml/expat/lib/xmlparse.c Wed Sep 29 13:45:51 2010
@@ -3361,6 +3361,9 @@ doProlog(XML_Parser parser,
         return XML_ERROR_UNCLOSED_TOKEN;
       case XML_TOK_PARTIAL_CHAR:
         return XML_ERROR_PARTIAL_CHAR;
+      case -XML_TOK_PROLOG_S:
+        tok = -tok;
+        break;
       case XML_TOK_NONE:
 #ifdef XML_DTD
         if (enc != encoding)
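Review bot: The new `case -XML_TOK_PROLOG_S:` is the only arm visible here that negates `tok` and breaks out instead of returning an error, and nothing says why a negative token is acceptable at this point. A short comment would help, e.g. `/* negated token: whitespace ran up to the end of the buffer; process it as XML_TOK_PROLOG_S */`. That wording should be checked against the tokenizer's convention, because the switch header and the code reached after `break` lie outside the hunk. The log adds regression tests only for CVE-2009-3720; a case in test/testxml.c that exercises this CVE-2009-3560 path would keep the fix from regressing unnoticed.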

Modified: apr/apr-util/branches/1.5.x/xml/expat/lib/xmltok_impl.c
URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.5.x/xml/expat/lib/xmltok_impl.c?rev=1002628&r1=1002627&r2=1002628&view=diff
==============================================================================
--- apr/apr-util/branches/1.5.x/xml/expat/lib/xmltok_impl.c (original)
+++ apr/apr-util/branches/1.5.x/xml/expat/lib/xmltok_impl.c Wed Sep 29 13:45:51 2010
@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e
                        const char *end,
                        POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr < end) {
     switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
     case BT_LEAD ## n: \
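Review bot: The change to `ptr < end` should carry a comment saying why `!=` was unsafe, for example `/* ptr can step past end on a truncated multi-byte sequence, so test with <, not != */`. The `LEAD_CASE` arms presumably advance `ptr` by n bytes (the macro body continues outside the hunk). If so, the loop now terminates, but a lead byte in the last n-1 bytes still moves `ptr` beyond `end` before the condition is re-evaluated. Checking `end - ptr` against n before advancing would keep the pointer inside the buffer, which is worth confirming against the rest of the function.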


