Fix the large loop found in xsltApplyStylesheetUser through fuzzing testcase xslt.

2020-09-23 10:31:02 +08:00 · 2020-09-23 10:31:02 +08:00 · ebe8e5934b
commit ebe8e5934b
parent 7204e7d261
2 changed files with 59 additions and 6 deletions
--- a/Fix-quadratic-runtime-with-text-and-xsl-message.patch
+++ b/Fix-quadratic-runtime-with-text-and-xsl-message.patch
@ -0,0 +1,49 @@
+From 4ccc06b56b8b6d39c29932c92cd1ed82f6698d6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 20 Sep 2020 15:14:47 +0200
+Subject: [PATCH 33/37] Fix quadratic runtime with text and <xsl:message>
+
+Backup and restore "last text" data in xsltEvalTemplateString.
+Otherwise, optimization of string concatenation would be disabled
+whenever an xsl:message was processed.
+
+Found by OSS-Fuzz.
+---
+ libxslt/templates.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 48b73a5..4108ed2 100644
+--- a/libxslt/templates.c
+++ b/libxslt/templates.c
+@@ -210,6 +210,8 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
+ {
+     xmlNodePtr oldInsert, insert = NULL;
+     xmlChar *ret;
+    const xmlChar *oldLastText;
+    int oldLastTextSize, oldLastTextUse;
+ 
+     if ((ctxt == NULL) || (contextNode == NULL) || (inst == NULL) ||
+         (inst->type != XML_ELEMENT_NODE))
+@@ -233,12 +235,18 @@ xsltEvalTemplateString(xsltTransformContextPtr ctxt,
+     }
+     oldInsert = ctxt->insert;
+     ctxt->insert = insert;
+    oldLastText = ctxt->lasttext;
+    oldLastTextSize = ctxt->lasttsize;
+    oldLastTextUse = ctxt->lasttuse;
+     /*
+     * OPTIMIZE TODO: if inst->children consists only of text-nodes.
+     */
+     xsltApplyOneTemplate(ctxt, contextNode, inst->children, NULL, NULL);
+ 
+     ctxt->insert = oldInsert;
+    ctxt->lasttext = oldLastText;
+    ctxt->lasttsize = oldLastTextSize;
+    ctxt->lasttuse = oldLastTextUse;
+ 
+     ret = xmlNodeGetContent(insert);
+     if (insert != NULL)
+-- 
+1.8.3.1
+
--- a/libxslt.spec
+++ b/libxslt.spec
@ -1,16 +1,17 @@
 Name:     libxslt
 Version:  1.1.34
-Release:  2
+Release:  3
 Summary:  XSLT Transformation Library
 License:  MIT
 URL:      http://xmlsoft.org/libxslt/
 Source0:  https://github.com/GNOME/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM bug-fix https://github.com/GNOME/libxslt/
-Patch0000: CVE-2015-9019.patch
-Patch0001: Fix-variable-syntax-in-Python-configuration.patch
-Patch0002: Fix-clang-Wconditional-uninitialized-warning-in-libx.patch
-Patch0003: Fix-clang-Wimplicit-int-conversion-warning.patch
-Patch0004: Fix-implicit-int-conversion-warning-in-exslt-crypto..patch
+Patch0: CVE-2015-9019.patch
+Patch1: Fix-variable-syntax-in-Python-configuration.patch
+Patch2: Fix-clang-Wconditional-uninitialized-warning-in-libx.patch
+Patch3: Fix-clang-Wimplicit-int-conversion-warning.patch
+Patch4: Fix-implicit-int-conversion-warning-in-exslt-crypto..patch
+Patch5: Fix-quadratic-runtime-with-text-and-xsl-message.patch

 BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27

@ -100,6 +101,9 @@ make check
 %doc python/tests/*.xsl

 %changelog
+* Wed Sep 23 2020 yangzhuangzhuang<yangzhuangzhuang1@huawei.com> - 1.1.34-3
+- Fix the large loop found in xsltApplyStylesheetUser through fuzzing testcase xslt.
+
 * Tue Jun 23 2020 openEuler xuping<xuping21@huawei.com> - 1.1.34-2
 - quality enhancement synchronization github patch