-
-
Notifications
You must be signed in to change notification settings - Fork 30.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
(cherry picked from commit e6fe0ac) (cherry picked from commit fdc04ad) Co-authored-by: Seth Michael Larson <[email protected]>
- Loading branch information
1 parent
2309739
commit 17b1ad5
Showing
4 changed files
with
36 additions
and
15 deletions.
There are no files selected for viewing
1 change: 1 addition & 0 deletions
1
Misc/NEWS.d/next/Security/2024-09-04-12-41-35.gh-issue-123678.N41y9n.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Upgrade libexpat to 2.6.3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
/* 2a14271ad4d35e82bde8ba210b4edb7998794bcbae54deab114046a300f9639a (2.6.2+) | ||
/* ba4cdf9bdb534f355a9def4c9e25d20ee8e72f95b0a4d930be52e563f5080196 (2.6.3+) | ||
__ __ _ | ||
___\ \/ /_ __ __ _| |_ | ||
/ _ \\ /| '_ \ / _` | __| | ||
|
@@ -39,6 +39,7 @@ | |
Copyright (c) 2022 Sean McBride <[email protected]> | ||
Copyright (c) 2023 Owain Davies <[email protected]> | ||
Copyright (c) 2023-2024 Sony Corporation / Snild Dolkow <[email protected]> | ||
Copyright (c) 2024 Berkay Eren Ürün <[email protected]> | ||
Licensed under the MIT license: | ||
Permission is hereby granted, free of charge, to any person obtaining | ||
|
@@ -294,7 +295,7 @@ typedef struct { | |
The name of the element is stored in both the document and API | ||
encodings. The memory buffer 'buf' is a separately-allocated | ||
memory area which stores the name. During the XML_Parse()/ | ||
XMLParseBuffer() when the element is open, the memory for the 'raw' | ||
XML_ParseBuffer() when the element is open, the memory for the 'raw' | ||
version of the name (in the document encoding) is shared with the | ||
document buffer. If the element is open across calls to | ||
XML_Parse()/XML_ParseBuffer(), the buffer is re-allocated to | ||
|
@@ -2038,6 +2039,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { | |
|
||
if (parser == NULL) | ||
return XML_STATUS_ERROR; | ||
|
||
if (len < 0) { | ||
parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; | ||
return XML_STATUS_ERROR; | ||
} | ||
|
||
switch (parser->m_parsingStatus.parsing) { | ||
case XML_SUSPENDED: | ||
parser->m_errorCode = XML_ERROR_SUSPENDED; | ||
|
@@ -5846,18 +5853,17 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { | |
/* Set a safe default value in case 'next' does not get set */ | ||
next = textStart; | ||
|
||
#ifdef XML_DTD | ||
if (entity->is_param) { | ||
int tok | ||
= XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); | ||
result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, | ||
tok, next, &next, XML_FALSE, XML_FALSE, | ||
XML_ACCOUNT_ENTITY_EXPANSION); | ||
} else | ||
#endif /* XML_DTD */ | ||
} else { | ||
result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding, | ||
textStart, textEnd, &next, XML_FALSE, | ||
XML_ACCOUNT_ENTITY_EXPANSION); | ||
} | ||
|
||
if (result == XML_ERROR_NONE) { | ||
if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) { | ||
|
@@ -5894,18 +5900,17 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, | |
/* Set a safe default value in case 'next' does not get set */ | ||
next = textStart; | ||
|
||
#ifdef XML_DTD | ||
if (entity->is_param) { | ||
int tok | ||
= XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next); | ||
result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, | ||
tok, next, &next, XML_FALSE, XML_TRUE, | ||
XML_ACCOUNT_ENTITY_EXPANSION); | ||
} else | ||
#endif /* XML_DTD */ | ||
} else { | ||
result = doContent(parser, openEntity->startTagLevel, | ||
parser->m_internalEncoding, textStart, textEnd, &next, | ||
XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION); | ||
} | ||
|
||
if (result != XML_ERROR_NONE) | ||
return result; | ||
|
@@ -5932,17 +5937,14 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, | |
return XML_ERROR_NONE; | ||
} | ||
|
||
#ifdef XML_DTD | ||
if (entity->is_param) { | ||
int tok; | ||
parser->m_processor = prologProcessor; | ||
tok = XmlPrologTok(parser->m_encoding, s, end, &next); | ||
return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr, | ||
(XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE, | ||
XML_ACCOUNT_DIRECT); | ||
} else | ||
#endif /* XML_DTD */ | ||
{ | ||
} else { | ||
parser->m_processor = contentProcessor; | ||
/* see externalEntityContentProcessor vs contentProcessor */ | ||
result = doContent(parser, parser->m_parentParser ? 1 : 0, | ||
|
@@ -7016,6 +7018,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, | |
if (! newE) | ||
return 0; | ||
if (oldE->nDefaultAtts) { | ||
/* Detect and prevent integer overflow. | ||
* The preprocessor guard addresses the "always false" warning | ||
* from -Wtype-limits on platforms where | ||
* sizeof(int) < sizeof(size_t), e.g. on x86_64. */ | ||
#if UINT_MAX >= SIZE_MAX | ||
if ((size_t)oldE->nDefaultAtts | ||
> ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { | ||
return 0; | ||
} | ||
#endif | ||
newE->defaultAtts | ||
= ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); | ||
if (! newE->defaultAtts) { | ||
|
@@ -7558,6 +7570,15 @@ nextScaffoldPart(XML_Parser parser) { | |
int next; | ||
|
||
if (! dtd->scaffIndex) { | ||
/* Detect and prevent integer overflow. | ||
* The preprocessor guard addresses the "always false" warning | ||
* from -Wtype-limits on platforms where | ||
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ | ||
#if UINT_MAX >= SIZE_MAX | ||
if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { | ||
return -1; | ||
} | ||
#endif | ||
dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); | ||
if (! dtd->scaffIndex) | ||
return -1; | ||
|