upgrade expat to 2.4.3 + CVE-2022-23852 and CVE-2022-23990

wget https://github.com/libexpat/libexpat/pull/550.patch -O CVE-2022-23852.patch wget https://github.com/libexpat/libexpat/pull/551.patch -O CVE-2022-23990.patch Change-Id: I1f2694abd9f577e0b4fedbf27118b52be8a1a688 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/129124 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2022-01-28 19:40:40 +0000
committer: Caolán McNamara <caolanm@redhat.com> 2022-01-28 21:50:46 +0100
commit: 43d04b91e59e17b872798e3227cbf44e9973506e (patch)
tree: 4be8cc80f9b9c8903635f1268338d5a24a6aa3eb /external/expat
parent: ac41defa75365451db264379c514993679618208 (diff)
4 files changed, 194 insertions, 9 deletions
diff --git a/external/expat/CVE-2022-23852.patch b/external/expat/CVE-2022-23852.patch
new file mode 100644
index 000000000000..c2b55ca854ef
--- /dev/null
+++ b/external/expat/CVE-2022-23852.patch
@@ -0,0 +1,115 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+     if (neededSize
+
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+---
+ expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+ }
+ END_TEST
+ 
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++  assert(parser != NULL);
++
++  const char *const text = "\n";
++  const int expectedKeepValue = (int)strlen(text);
++
++  // After this call, variable "keep" in XML_GetBuffer will
++  // have value expectedKeepValue
++  if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++      == XML_STATUS_ERROR)
++    xml_failure(parser);
++
++  assert(expectedKeepValue > 0);
++  if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++    fail("enlarging buffer not failed");
++
++  XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+ /* Test position information macros */
+ START_TEST(test_byte_info_at_end) {
+   const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_empty_parse);
+   tcase_add_test(tc_basic, test_get_buffer_1);
+   tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++  tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+   tcase_add_test(tc_basic, test_byte_info_at_end);
+   tcase_add_test(tc_basic, test_byte_info_at_error);
+   tcase_add_test(tc_basic, test_byte_info_at_cdata);
+
+From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 22 Jan 2022 17:49:17 +0100
+Subject: [PATCH 3/3] Changes: Document CVE-2022-23852
+
+---
+ expat/Changes | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 7540d38c..64d75d05 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things:
+       https://github.com/libexpat/libexpat/labels/help%20wanted
+       If you can help, please get in touch.  Thanks!
+ 
++Release x.x.x xxx xxxxxxx xx xxxx
++        Security fixes:
++            #550  CVE-2022-23852 -- Fix signed integer overflow
++                    (undefined behavior) in function XML_GetBuffer
++                    (that is also called by function XML_Parse internally)
++                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
++                    common and default).
++                    Impact is denial of service or more.
++
++        Special thanks to:
++            Samanta Navarro
++
+ Release 2.4.3 Sun January 16 2022
+         Security fixes:
+        #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
diff --git a/external/expat/CVE-2022-23990.patch b/external/expat/CVE-2022-23990.patch
new file mode 100644
index 000000000000..df46631d7f35
--- /dev/null
+++ b/external/expat/CVE-2022-23990.patch
@@ -0,0 +1,71 @@
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog
+ (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+---
+ expat/lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       if (dtd->in_eldecl) {
+         ELEMENT_TYPE *el;
+         const XML_Char *name;
+-        int nameLen;
++        size_t nameLen;
+         const char *nxt
+             = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+         int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+         nameLen = 0;
+         for (; name[nameLen++];)
+           ;
+-        dtd->contentStringLen += nameLen;
++
++        /* Detect and prevent integer overflow */
++        if (nameLen > UINT_MAX - dtd->contentStringLen) {
++          return XML_ERROR_NO_MEMORY;
++        }
++
++        dtd->contentStringLen += (unsigned)nameLen;
+         if (parser->m_elementDeclHandler)
+           handleDefault = XML_FALSE;
+       }
+
+From 6e3449594fb2f61c92fc561f51f82196fdd15d63 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:51:39 +0100
+Subject: [PATCH 2/2] Changes: Document CVE-2022-23990
+
+---
+ expat/Changes | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/expat/Changes b/expat/Changes
+index 5ff5da5e..ec1f7604 100644
+--- a/expat/Changes
++++ b/expat/Changes
+@@ -10,8 +10,14 @@
+                     for when XML_CONTEXT_BYTES is defined to >0 (which is both
+                     common and default).
+                     Impact is denial of service or more.
++            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
++                    doProlog triggered by large content in element type
++                    declarations when there is an element declaration handler
++                    present (from a prior call to XML_SetElementDeclHandler).
++                    Impact is denial of service or more.
+ 
+         Special thanks to:
++            Roland Illig
+             Samanta Navarro
+ 
+ Release 2.4.3 Sun January 16 2022
diff --git a/external/expat/UnpackedTarball_expat.mk b/external/expat/UnpackedTarball_expat.mk
index 5d4f41f6d147..8cb6ef9b95eb 100644
--- a/external/expat/UnpackedTarball_expat.mk
+++ b/external/expat/UnpackedTarball_expat.mk
@@ -15,6 +15,8 @@ $(eval $(call gb_UnpackedTarball_update_autoconf_configs,expat,conftools))
 
 $(eval $(call gb_UnpackedTarball_add_patches,expat,\
 	external/expat/expat-winapi.patch \
+	external/expat/CVE-2022-23852.patch \
+	external/expat/CVE-2022-23990.patch \
 ))
 
 # This is a bit hackish.
diff --git a/external/expat/expat-winapi.patch b/external/expat/expat-winapi.patch
index bd4da1472fc8..7eae7d5d6139 100644
--- a/external/expat/expat-winapi.patch
+++ b/external/expat/expat-winapi.patch
@@ -13,15 +13,12 @@
  
 --- misc/expat-2.1.0/lib/xmlparse.c	2021-05-23 16:56:25.000000000 +0100
 +++ misc/build/expat-2.1.0/lib/xmlparse.c	2021-05-25 12:42:11.997173600 +0100
-@@ -92,6 +92,11 @@
+@@ -64,6 +64,8 @@
+ #endif
  
- #include <expat_config.h>
- 
-+#ifdef _WIN32
+ #ifdef _WIN32
 +#  undef HAVE_GETRANDOM
 +#  undef HAVE_SYSCALL_GETRANDOM
-+#endif
-+
- #include "ascii.h"
- #include "expat.h"
- #include "siphash.h"
+ /* force stdlib to define rand_s() */
+ #  if ! defined(_CRT_RAND_S)
+ #    define _CRT_RAND_S
author	Caolán McNamara <caolanm@redhat.com>	2022-01-28 19:40:40 +0000
committer	Caolán McNamara <caolanm@redhat.com>	2022-01-28 21:50:46 +0100
commit	43d04b91e59e17b872798e3227cbf44e9973506e (patch)
tree	4be8cc80f9b9c8903635f1268338d5a24a6aa3eb /external/expat
parent	ac41defa75365451db264379c514993679618208 (diff)