Commit 8598060b authored by Daniel Veillard's avatar Daniel Veillard

Patch for security issue CVE-2021-3541

This is related to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
parent bfd2f430
......@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
xmlEntityPtr ent, size_t replacement)
{
size_t consumed = 0;
int i;
if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
return (0);
......@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
rep = NULL;
}
}
/*
* Prevent entity exponential check, not just replacement while
* parsing the DTD
* The check is potentially costly so do that only once in a thousand
*/
if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
(ctxt->nbentities % 1024 == 0)) {
for (i = 0;i < ctxt->inputNr;i++) {
consumed += ctxt->inputTab[i]->consumed +
(ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
}
if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
ctxt->instate = XML_PARSER_EOF;
return (1);
}
consumed = 0;
}
if (replacement != 0) {
if (replacement < XML_MAX_TEXT_LENGTH)
return(0);
......@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
xmlChar start[4];
xmlCharEncoding enc;
if (xmlParserEntityCheck(ctxt, 0, entity, 0))
return;
if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
((ctxt->options & XML_PARSE_NOENT) == 0) &&
((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
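Review bot: In the second hunk (`@@ -177,6 +178,28 @@`) the new density check is sampled with `ctxt->nbentities % 1024 == 0`, so it only runs when the counter lands exactly on a multiple of 1024; if `nbentities` is ever advanced by more than one between calls (the increments are outside this hunk, so this is inferred), a multiple can be stepped over and the check is skipped for that window. A `lastCheck`-style counter in the context compared as `nbentities - lastCheck >= 1024` would sample monotonically instead of relying on exact divisibility. The comment above the block says "only once in a thousand" while the code uses 1024 and an entry threshold of 10000; either reword it to `/* sample every 1024 entities once more than 10000 have been seen */` or give both literals names next to XML_PARSER_NON_LINEAR so the two stay in step. The trailing `consumed = 0;` resets a local that the rest of the function reassigns anyway; if it is meant as a guard, a short comment saying so would help. xmlParserEntityCheck begins and ends outside the hunks shown here.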
  • Hi @veillard and dear libxml2 maintainers,

    Do we get a test case to reproduce this CVE now?

    I'm affected by this CVE and I want to confirm the problem.

    BTW it's strange this CVE could not be found in NVD. I think it's because the cve is still a private now. Is it? :)

    Thank you for your hard work.
