!26 fix CVE-2020-24977

From: @yang_zhuang_zhuang Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2020-10-15 16:36:07 +08:00 · 2020-10-15 16:36:07 +08:00 · 4c5b2cc8ed
commit 4c5b2cc8ed
parent c401eaa4b5 ad2a15576c
2 changed files with 46 additions and 1 deletions
--- a/Fix-integer-overflow-when-comparing-schema-dates.patch
+++ b/Fix-integer-overflow-when-comparing-schema-dates.patch
@ -0,0 +1,41 @@
+From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Aug 2020 17:30:41 +0200
+Subject: Fix integer overflow when comparing schema dates
+
+Found by OSS-Fuzz.
+---
+ xmlschemastypes.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index 4249d70..d6b9f92 100644
+--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
+@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
+ 	minday = 0;
+ 	maxday = 0;
+     } else {
+        if (myear > LONG_MAX / 366)
+            return -2;
+         /* FIXME: This doesn't take leap year exceptions every 100/400 years
+            into account. */
+ 	maxday = 365 * myear + (myear + 3) / 4;
+@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
+     if ((x == NULL) || (y == NULL))
+         return -2;
+ 
+    if ((x->value.date.year > LONG_MAX / 366) ||
+        (x->value.date.year < LONG_MIN / 366) ||
+        (y->value.date.year > LONG_MAX / 366) ||
+        (y->value.date.year < LONG_MIN / 366)) {
+        /* Possible overflow when converting to days. */
+        return -2;
+    }
+
+     if (x->value.date.tz_flag) {
+ 
+         if (!y->value.date.tz_flag) {
+-- 
+1.8.3.1
+
--- a/libxml2.spec
+++ b/libxml2.spec
@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.10
-Release: 6
+Release: 7
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@ -33,6 +33,7 @@ Patch23:  Limit-regexp-nesting-depth.patch
 Patch24:  Fix-exponential-runtime-in-xmlFARecurseDeterminism.patch
 Patch25:  Fix-more-quadratic-runtime-issues-in-HTML-push-parse.patch
 Patch26:  Reset-HTML-parser-input-before-reporting-error.patch
+Patch27:  Fix-integer-overflow-when-comparing-schema-dates.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python2-devel
@ -224,6 +225,9 @@ rm -fr %{buildroot}


 %changelog
+* Thu Oct 15 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.9.10-7
+- Fix CVE-2020-24977
+
 * Fri Aug 28 2020 zoulin <zoulin13@huawei.com> - 2.9.10-6
 - Fix more quadratic runtime issues in HTML push parse
 - Fix reset HTML parser input before reporting error