Commit 0bc92b01 authored by Leo's avatar Leo

main/libxml2: fix CVE-2020-24977

parent 3e7a2f09
Pipeline #47380 passed with stages
in 4 minutes and 49 seconds
......@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.9
pkgrel=3
pkgrel=4
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
......@@ -16,10 +16,13 @@ options="!strip"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
fix-null-pointer-dereference.patch
CVE-2019-19956.patch
CVE-2020-24977.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 2.9.9-r4:
# - CVE-2020-24977
# 2.9.9-r3:
# - CVE-2019-19956
# 2.9.8-r1:
......@@ -111,7 +114,7 @@ utils() {
mkdir -p "$subpkgdir"/usr
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
sha512sums="cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810 libxml2-2.9.9.tar.gz
83074e582cdba8bedff40fc653731ad18ca357bde8f1420e2e8a2a38998b951aebcb73ca5d51859be3b4d9bc1a0308836ca2bb612269edbc61b9dd6ebc7fdb2a fix-null-pointer-dereference.patch
0e03d0dcfae1e99e06c7a4c9a4d863a1518589e403d79665727883b27d7c0d7026b18e29b7c68df41138fbdffb88d977c5ef10ce2ffb96d1a6255304d89c2bb6 CVE-2019-19956.patch"
0e03d0dcfae1e99e06c7a4c9a4d863a1518589e403d79665727883b27d7c0d7026b18e29b7c68df41138fbdffb88d977c5ef10ce2ffb96d1a6255304d89c2bb6 CVE-2019-19956.patch
dfc6fa0232bd94635c66535734175c04e8b7461c216e1337da68d7c5dce36fc750f787f2ee08ef6d91521df55c45f4ae235f8f44bea697a7c734a3b62c9fab60 CVE-2020-24977.patch"
Found by OSS-Fuzz
diff --git a/xmlschemastypes.c b/xmlschemastypes.c
index ca381d3..dd9eac1 100644
--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
@@ -3628,6 +3628,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
minday = 0;
maxday = 0;
} else {
+ if (myear > LONG_MAX / 366)
+ return -2;
maxday = 366 * ((myear + 3) / 4) +
365 * ((myear - 1) % 4);
minday = maxday - 1;
@@ -4014,6 +4016,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
if ((x == NULL) || (y == NULL))
return -2;
+ if ((x->value.date.year > LONG_MAX / 366) ||
+ (x->value.date.year < LONG_MIN / 366) ||
+ (y->value.date.year > LONG_MAX / 366) ||
+ (y->value.date.year < LONG_MIN / 366)) {
+ /* Possible overflow when converting to days. */
+ return -2;
+ }
+
if (x->value.date.tz_flag) {
if (!y->value.date.tz_flag) {
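Review bot: The patch body visible here does not appear to match the CVE it is named after: it changes only xmlschemastypes.c (overflow guards in xmlSchemaCompareDurations and xmlSchemaCompareDates), while CVE-2020-24977 as published describes a global buffer over-read in xmlEncodeEntitiesInternal in entities.c, reached through `xmllint --htmlout`. The start of the patch file is not visible on this page, but if it contains nothing beyond these two hunks, the secfixes entry `# 2.9.9-r4:` / `# - CVE-2020-24977` would mark the package as fixed for vulnerability scanners while the over-read remains. Please confirm the patch against the upstream fix for that CVE and record its origin in the patch header, e.g. `Upstream: <upstream commit URL>`; if this overflow fix is wanted as well, ship it under a file name that does not claim the CVE. Separately, the new guards use `LONG_MAX` and `LONG_MIN`, and no include is added in the visible hunks, so check that xmlschemastypes.c already includes `<limits.h>`.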