
Commit 4292c49

expat: add patches for CVE-2022-23852
1 parent 734e186 commit 4292c49

3 files changed

Lines changed: 87 additions & 0 deletions


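--- /dev/null
+++ b/pkgs/development/libraries/expat/CVE-2022-23852-fix.patch
@@ -0,0 +1,26 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+(CVE-2022-23852)
+
+---
+expat/lib/xmlparse.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+if (keep > XML_CONTEXT_BYTES)
+keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+neededSize += keep;
+#endif /* defined XML_CONTEXT_BYTES */
+if (neededSize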
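--- /dev/null
+++ b/pkgs/development/libraries/expat/CVE-2022-23852-test.patch
@@ -0,0 +1,55 @@
+From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Jan 2022 18:17:04 +0100
+Subject: [PATCH] tests: Cover integer overflow in XML_GetBuffer
+(CVE-2022-23852)
+
+---
+expat/tests/runtests.c | 27 +++++++++++++++++++++++++++
+1 file changed, 27 insertions(+)
+
+diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
+index e89e8220..579dad1a 100644
+--- a/expat/tests/runtests.c
++++ b/expat/tests/runtests.c
+@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
+}
+END_TEST
+
++/* Test for signed integer overflow CVE-2022-23852 */
++#if defined(XML_CONTEXT_BYTES)
++START_TEST(test_get_buffer_3_overflow) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert(parser != NULL);
++
++ const char *const text = "\n";
++ const int expectedKeepValue = (int)strlen(text);
++
++ // After this call, variable "keep" in XML_GetBuffer will
++ // have value expectedKeepValue
++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
++ == XML_STATUS_ERROR)
++ xml_failure(parser);
++
++ assert(expectedKeepValue > 0);
++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
++ fail("enlarging buffer not failed");
++
++ XML_ParserFree(parser);
++}
++END_TEST
++#endif // defined(XML_CONTEXT_BYTES)
++
+/* Test position information macros */
+START_TEST(test_byte_info_at_end) {
+const char *text = "<doc></doc>";
+@@ -11731,6 +11755,9 @@ make_suite(void) {
+tcase_add_test(tc_basic, test_empty_parse);
+tcase_add_test(tc_basic, test_get_buffer_1);
+tcase_add_test(tc_basic, test_get_buffer_2);
++#if defined(XML_CONTEXT_BYTES)
++ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
++#endif
+tcase_add_test(tc_basic, test_byte_info_at_end);
+tcase_add_test(tc_basic, test_byte_info_at_error);
+tcase_add_test(tc_basic, test_byte_info_at_cdata);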

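--- a/pkgs/development/libraries/expat/default.nix
+++ b/pkgs/development/libraries/expat/default.nix
@@ -14,6 +14,12 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-sfnxsaXrsKyqiMn/eb+k4UWCO3iqUYXlxdhfBggkd4o=";
 };
 
+patches = [
+./CVE-2022-23852-fix.patch
+./CVE-2022-23852-test.patch
+];
+patchFlags = "-p2";
+
 outputs = [ "out" "dev" ]; # TODO: fix referrers
 outputBin = "dev";
 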
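Review bot: The new `patches = [` list carries no pointer to where these two files come from, so a later maintainer cannot tell whether they are verbatim upstream libexpat commits or locally edited; add a comment above it such as `# Upstream libexpat commits 847a6451 and acf956f1 (CVE-2022-23852); -p2 strips the monorepo's expat/ prefix.` Both hashes and the `expat/lib/xmlparse.c` / `expat/tests/runtests.c` paths are visible in the vendored patch headers, and that `expat/` prefix is the only reason `patchFlags = "-p2"` is needed instead of the default, which is worth stating in the same comment. If those upstream commits are fetchable by URL, pulling them with `fetchpatch` and a pinned hash would avoid keeping patch text in-tree, though whether that is preferred here depends on the package's existing conventions, which this hunk does not show.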
