[libxml] Add patch for CVE-2011-1944 (#709751)

Thu Jun 2 17:45:04 UTC 2011

commit 1fd8897726bcf1f913736e5b1a4024d7fefa35d9
Author: Paul Howarth <paul at city-fan.org>
Date:   Thu Jun 2 18:43:07 2011 +0100

    Add patch for CVE-2011-1944 (#709751)
    
    Fix CVE-2011-1944 (heap-based buffer overflow by adding new
    namespace node to an existing nodeset or merging nodesets)

 libxml-1.8.17-CVE-2011-1944.patch |   35 +++++++++++++++++++++++++++++++++++
 libxml.spec                       |    6 ++++++
 2 files changed, 41 insertions(+), 0 deletions(-)
---

diff --git a/libxml-1.8.17-CVE-2011-1944.patch b/libxml-1.8.17-CVE-2011-1944.patch
new file mode 100644
index 0000000..4310381
--- /dev/null
+++ b/libxml-1.8.17-CVE-2011-1944.patch
@@ -0,0 +1,35 @@
+--- libxml-1.8.17/xpath.c.orig	2000-06-28 19:33:51.000000000 +0100
++++ libxml-1.8.17/xpath.c	2011-06-02 16:20:16.095097371 +0100
+@@ -179,13 +179,13 @@
+ #define PUSH_AND_POP(type, name)					\
+ extern int name##Push(xmlXPathParserContextPtr ctxt, type value) {	\
+     if (ctxt->name##Nr >= ctxt->name##Max) {				\
+-	ctxt->name##Max *= 2;						\
+         ctxt->name##Tab = (void *) xmlRealloc(ctxt->name##Tab,		\
+-	             ctxt->name##Max * sizeof(ctxt->name##Tab[0]));	\
++	             ctxt->name##Max * 2 * sizeof(ctxt->name##Tab[0]));	\
+         if (ctxt->name##Tab == NULL) {					\
+ 	    fprintf(xmlXPathDebug, "realloc failed !\n");		\
+ 	    return(0);							\
+ 	}								\
++	ctxt->name##Max *= 2;						\
+     }									\
+     ctxt->name##Tab[ctxt->name##Nr] = value;				\
+     ctxt->name = value;							\
+@@ -418,14 +418,14 @@
+     } else if (cur->nodeNr == cur->nodeMax) {
+         xmlNodePtr *temp;
+ 
+-        cur->nodeMax *= 2;
+-	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax *
++	temp = (xmlNodePtr *) xmlRealloc(cur->nodeTab, cur->nodeMax * 2 *
+ 				      sizeof(xmlNodePtr));
+ 	if (temp == NULL) {
+ 	    fprintf(xmlXPathDebug, "xmlXPathNodeSetAdd: out of memory\n");
+ 	    return;
+ 	}
+ 	cur->nodeTab = temp;
++        cur->nodeMax *= 2;
+     }
+     cur->nodeTab[cur->nodeNr++] = val;
+ }
diff --git a/libxml.spec b/libxml.spec
index aa2c92f..1ea3ed0 100644
--- a/libxml.spec
+++ b/libxml.spec
@@ -9,6 +9,7 @@ URL:		http://veillard.com/XML/
 Source:		ftp://xmlsoft.org/libxml/old/libxml-%{version}.tar.gz
 Patch0:		libxml-1.8.17-CAN-2004-0110.patch
 Patch1:		libxml-1.8.17-ficora-245608.patch
+Patch2:		libxml-1.8.17-CVE-2011-1944.patch
 Patch10:	libxml-1.8.17-open-mode.patch
 Patch11:	libxml-1.8.17-multiarch.patch
 Patch12:	libxml-1.8.17-declarations.patch
@@ -36,6 +37,10 @@ Libraries, includes, etc. to build old libxml-based applications.
 # fix CVE-2009-2416 (use-after-free DoS vulnerabilities)
 %patch1 -p0
 
+# fix CVE-2011-1944 (heap-based buffer overflow by adding new namespace node to
+# an existing nodeset or merging nodesets)
+%patch2 -p1
+
 # open() with O_CREAT must have 3 arguments
 %patch10 -p1
 
@@ -94,6 +99,7 @@ rm -rf %{buildroot}
 
 %changelog
 * Thu Jun  2 2011 Paul Howarth <paul at city-fan.org> 1:1.8.17-26
+- add patch for CVE-2011-1944 (#709751)
 - add %%check section and run regression tests (note that diffs appearing in
   the output do not cause the build to fail)
 - nobody else likes macros for commands
