Merge pull request #484 from libexpat/fix-accounting-issues
Fix accounting issues
This commit is contained in:
commit
41b732a163
@ -4,7 +4,7 @@ NOTE: We are looking for help with a few things:
|
||||
|
||||
Release X.X.X XXX XXXXX XX XXXX
|
||||
Security fixes:
|
||||
#34 #466 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
|
||||
#34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
|
||||
(denial-of-service; flavors targeting CPU time or RAM or both,
|
||||
leveraging general entities or parameter entities or both)
|
||||
by tracking and limiting the input amplification factor
|
||||
@ -21,18 +21,18 @@ Release X.X.X XXX XXXXX XX XXXX
|
||||
for UTF-16 payloads containing CDATA sections.
|
||||
|
||||
New features:
|
||||
#34 #466 Add two new API functions to further tighten billion laughs
|
||||
#34 #466 #484 Add two new API functions to further tighten billion laughs
|
||||
protection parameters when desired.
|
||||
- XML_SetBillionLaughsAttackProtectionMaximumAmplification
|
||||
- XML_SetBillionLaughsAttackProtectionActivationThreshold
|
||||
Please see file "doc/reference.html" for more details.
|
||||
If you ever need to increase the defaults for non-attack XML
|
||||
payload, please file a bug report with libexpat.
|
||||
#34 #466 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
|
||||
#34 #466 #484 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3)
|
||||
and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting
|
||||
and entity processing; specific behavior of these values may
|
||||
change in the future.
|
||||
#34 #466 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
|
||||
#34 #466 #484 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten
|
||||
billion laughs protection parameters when desired.
|
||||
If you ever need to increase the defaults for non-attack XML
|
||||
payload, please file a bug report with libexpat.
|
||||
@ -51,6 +51,7 @@ Release X.X.X XXX XXXXX XX XXXX
|
||||
and
|
||||
Clang LeakSan
|
||||
JetBrains
|
||||
OSS-Fuzz
|
||||
|
||||
Release 2.3.0 Thu March 25 2021
|
||||
Bug fixes:
|
||||
|
@ -462,7 +462,8 @@ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
|
||||
XML_Bool haveMore, enum XML_Account account);
|
||||
static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
|
||||
const char **startPtr, const char *end,
|
||||
const char **nextPtr, XML_Bool haveMore);
|
||||
const char **nextPtr, XML_Bool haveMore,
|
||||
enum XML_Account account);
|
||||
#ifdef XML_DTD
|
||||
static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
|
||||
const char **startPtr, const char *end,
|
||||
@ -3096,7 +3097,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
|
||||
/* END disabled code */
|
||||
else if (parser->m_defaultHandler)
|
||||
reportDefault(parser, enc, s, next);
|
||||
result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
|
||||
result
|
||||
= doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
|
||||
if (result != XML_ERROR_NONE)
|
||||
return result;
|
||||
else if (! next) {
|
||||
@ -3725,9 +3727,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
|
||||
static enum XML_Error PTRCALL
|
||||
cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
|
||||
const char **endPtr) {
|
||||
enum XML_Error result
|
||||
= doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
|
||||
(XML_Bool)! parser->m_parsingStatus.finalBuffer);
|
||||
enum XML_Error result = doCdataSection(
|
||||
parser, parser->m_encoding, &start, end, endPtr,
|
||||
(XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
|
||||
if (result != XML_ERROR_NONE)
|
||||
return result;
|
||||
if (start) {
|
||||
@ -3747,7 +3749,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
|
||||
*/
|
||||
static enum XML_Error
|
||||
doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
|
||||
const char *end, const char **nextPtr, XML_Bool haveMore) {
|
||||
const char *end, const char **nextPtr, XML_Bool haveMore,
|
||||
enum XML_Account account) {
|
||||
const char *s = *startPtr;
|
||||
const char **eventPP;
|
||||
const char **eventEndPP;
|
||||
@ -3766,11 +3769,12 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
|
||||
const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */
|
||||
int tok = XmlCdataSectionTok(enc, s, end, &next);
|
||||
#ifdef XML_DTD
|
||||
if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
|
||||
XML_ACCOUNT_DIRECT)) {
|
||||
if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
|
||||
accountingOnAbort(parser);
|
||||
return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
|
||||
}
|
||||
#else
|
||||
UNUSED_P(account);
|
||||
#endif
|
||||
*eventEndPP = next;
|
||||
switch (tok) {
|
||||
|
@ -11318,6 +11318,16 @@ START_TEST(test_accounting_precision) {
|
||||
|
||||
/* CDATA */
|
||||
{"<e><![CDATA[one two three]]></e>", NULL, NULL, 0, filled_later},
|
||||
/* The following is the essence of this OSS-Fuzz finding:
|
||||
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34302
|
||||
https://oss-fuzz.com/testcase-detail/4860575394955264
|
||||
*/
|
||||
{"<!DOCTYPE r [\n"
|
||||
"<!ENTITY e \"111<![CDATA[2 <= 2]]>333\">\n"
|
||||
"]>\n"
|
||||
"<r>&e;</r>\n",
|
||||
NULL, NULL, sizeof(XML_Char) * strlen("111<![CDATA[2 <= 2]]>333"),
|
||||
filled_later},
|
||||
|
||||
/* Conditional sections */
|
||||
{"<!DOCTYPE r [\n"
|
||||
|
Loading…
Reference in New Issue
Block a user