author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-18 01:31:41 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-18 01:31:41 +0000 |
commit | ddcafd9d6661c36d1a1665e32ebf8354c1ae3d0d (patch) | |
tree | b7cb448c2e718065fbebb0d0ef5c3aab99ac0edd /third_party/libxml | |
parent | 640579651b4a52f58d96db3a693274e3db47efda (diff) | |
Apply fix for CVE-2009-2416 (use-after-free) and CVE-2009-2414 (stack recursion overflow).
I used https://bugzilla.redhat.com/attachment.cgi?id=356032 and fixed the issue with lint vs. tabs.
BUG=19158
TEST=http://cevans-app.appspot.com/static/CVE-2009-2416.xml
Review URL: http://codereview.chromium.org/172025
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23606 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/libxml')
-rw-r--r-- | third_party/libxml/README.chromium | 1 | ||||
-rw-r--r-- | third_party/libxml/parser.c | 28 |
2 files changed, 23 insertions, 6 deletions
diff --git a/third_party/libxml/README.chromium b/third_party/libxml/README.chromium
index 4c89912..659e650 100644
--- a/third_party/libxml/README.chromium
+++ b/third_party/libxml/README.chromium
@@ -16,6 +16,7 @@ includes the following modifications :
 This allows parsed entities to inherit namespaces. (http://bugzilla.gnome.org/show_bug.cgi?id=502960 )
 * Applied security patch located at https://bugzilla.redhat.com/show_bug.cgi?id=461015
+* Applied v2.6.26 version of security patch located at https://bugzilla.redhat.com/show_bug.cgi?id=515195
 Current version: 2.6.32
diff --git a/third_party/libxml/parser.c b/third_party/libxml/parser.c
index fab0ea8..5948f91 100644
--- a/third_party/libxml/parser.c
+++ b/third_party/libxml/parser.c
@@ -4900,10 +4900,14 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
 if (name == NULL) {
 xmlFatalErrMsg(ctxt, XML_ERR_NAME_REQUIRED,
 "Name expected in NOTATION declaration\n");
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
 }
 cur = xmlCreateEnumeration(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
 if (last == NULL) ret = last = cur;
 else {
 last->next = cur;
@@ -4913,9 +4917,8 @@ xmlParseNotationType(xmlParserCtxtPtr ctxt) {
 } while (RAW == '|');
 if (RAW != ')') {
 xmlFatalErr(ctxt, XML_ERR_NOTATION_NOT_FINISHED, NULL);
- if ((last != NULL) && (last != ret))
- xmlFreeEnumeration(last);
- return(ret);
+ xmlFreeEnumeration(ret);
+ return(NULL);
 }
 NEXT;
 return(ret);
@@ -4956,7 +4959,10 @@ xmlParseEnumerationType(xmlParserCtxtPtr ctxt) {
 }
 cur = xmlCreateEnumeration(name);
 xmlFree(name);
- if (cur == NULL) return(ret);
+ if (cur == NULL) {
+ xmlFreeEnumeration(ret);
+ return(NULL);
+ }
 if (last == NULL) ret = last = cur;
 else {
 last->next = cur;
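Review bot: The error paths that now end in `xmlFreeEnumeration(ret); return(NULL);` carry no comment saying why the whole list is released, and the same two statements appear three times in xmlParseNotationType (twice in this hunk, once in the `RAW != ')'` branch of the next) and once more in xmlParseEnumerationType. A comment on the first occurrence, such as `/* free the whole list: freeing only the tail left a dangling next pointer in the list handed back */`, would keep a later edit from restoring the partial free that the removed lines performed. The function's header comment lies outside the hunk; if its Returns line still promises the tree built so far, it should state that NULL is returned on any error. When the first name fails, ret is still NULL at the call, which xmlFreeEnumeration accepts, so no extra guard is needed.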
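Review bot: In xmlParseEnumerationType only the failed `xmlCreateEnumeration` path is switched to free-and-return-NULL; the diffstat counts are fully accounted for by the visible hunks, so the function's other error returns, which lie outside this hunk, are untouched by the commit. If those still `return(ret)` with a partial list, the two parsers now report errors differently and the caller has to cope with both a NULL and a partial result. It is worth confirming those paths and, for consistency with xmlParseNotationType, ending them with the same `xmlFreeEnumeration(ret); return(NULL);`.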
@@ -5358,6 +5364,12 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
 const xmlChar *elem;
 xmlChar type = 0;
+ if (ctxt->depth > 128) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+ "xmlParseElementChildrenContentDecl : depth %d too deep\n",
+ ctxt->depth);
+ return(NULL);
+ }
 SKIP_BLANKS;
 GROW;
 if (RAW == '(') {
@@ -5366,7 +5378,9 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
 /* Recurse on first child */
 NEXT;
 SKIP_BLANKS;
+ ctxt->depth++;
 cur = ret = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
 SKIP_BLANKS;
 GROW;
 } else {
@@ -5498,7 +5512,9 @@ xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
 /* Recurse on second child */
 NEXT;
 SKIP_BLANKS;
+ ctxt->depth++;
 last = xmlParseElementChildrenContentDecl(ctxt, inputid);
+ ctxt->depth--;
 SKIP_BLANKS;
 } else {
 elem = xmlParseName(ctxt); |
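Review bot: The new guard `if (ctxt->depth > 128)` uses a bare literal and borrows `ctxt->depth`, a field of the shared parser context, as its recursion counter. If other parts of the parser also track nesting in that field (entity expansion presumably does — confirm), a content model reached at an already elevated depth gets less than the intended budget, and the depth printed in the message is not the content-model depth. Carrying the depth as an argument of a static helper behind the unchanged public signature would isolate it; at minimum the limit should be a named constant with a comment such as `/* bound recursion on nested '(' groups: each level consumes a stack frame */`. The `ctxt->depth++` / `ctxt->depth--` pairs in the following two hunks are balanced around each recursive call, which holds as long as the call returns normally. The function body starts and ends outside these hunks.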