bba68d
bba68d
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15903
bba68d
bba68d
https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
bba68d
bba68d
--- expat-2.1.0/lib/xmlparse.c.cve15903
bba68d
+++ expat-2.1.0/lib/xmlparse.c
bba68d
@@ -331,7 +331,7 @@
bba68d
 static enum XML_Error
bba68d
 doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
bba68d
          const char *end, int tok, const char *next, const char **nextPtr,
bba68d
-         XML_Bool haveMore);
bba68d
+         XML_Bool haveMore, XML_Bool allowClosingDoctype);
bba68d
 static enum XML_Error
bba68d
 processInternalEntity(XML_Parser parser, ENTITY *entity,
bba68d
                       XML_Bool betweenDecl);
bba68d
@@ -3699,7 +3699,7 @@
bba68d
 
bba68d
   processor = prologProcessor;
bba68d
   return doProlog(parser, encoding, s, end, tok, next,
bba68d
-                  nextPtr, (XML_Bool)!ps_finalBuffer);
bba68d
+                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
bba68d
 }
bba68d
 
bba68d
 static enum XML_Error PTRCALL
bba68d
@@ -3749,7 +3749,7 @@
bba68d
   const char *next = s;
bba68d
   int tok = XmlPrologTok(encoding, s, end, &next;;
bba68d
   return doProlog(parser, encoding, s, end, tok, next,
bba68d
-                  nextPtr, (XML_Bool)!ps_finalBuffer);
bba68d
+                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
bba68d
 }
bba68d
 
bba68d
 static enum XML_Error
bba68d
@@ -3760,7 +3760,8 @@
bba68d
          int tok,
bba68d
          const char *next,
bba68d
          const char **nextPtr,
bba68d
-         XML_Bool haveMore)
bba68d
+         XML_Bool haveMore,
bba68d
+         XML_Bool allowClosingDoctype)
bba68d
 {
bba68d
 #ifdef XML_DTD
bba68d
   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
bba68d
@@ -3936,6 +3937,11 @@
bba68d
       }
bba68d
       break;
bba68d
     case XML_ROLE_DOCTYPE_CLOSE:
bba68d
+      if (allowClosingDoctype != XML_TRUE) {
bba68d
+        /* Must not close doctype from within expanded parameter entities */
bba68d
+        return XML_ERROR_INVALID_TOKEN;
bba68d
+      }
bba68d
+
bba68d
       if (doctypeName) {
bba68d
         startDoctypeDeclHandler(handlerArg, doctypeName,
bba68d
                                 doctypeSysid, doctypePubid, 0);
bba68d
@@ -4837,7 +4843,7 @@
bba68d
   if (entity->is_param) {
bba68d
     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next;;
bba68d
     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
bba68d
-                      next, &next, XML_FALSE);
bba68d
+                      next, &next, XML_FALSE, XML_FALSE);
bba68d
   }
bba68d
   else
bba68d
 #endif /* XML_DTD */
bba68d
@@ -4882,7 +4888,7 @@
bba68d
   if (entity->is_param) {
bba68d
     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next;;
bba68d
     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
bba68d
-                      next, &next, XML_FALSE);
bba68d
+                      next, &next, XML_FALSE, XML_TRUE);
bba68d
   }
bba68d
   else
bba68d
 #endif /* XML_DTD */
bba68d
@@ -4909,7 +4915,7 @@
bba68d
     processor = prologProcessor;
bba68d
     tok = XmlPrologTok(encoding, s, end, &next;;
bba68d
     return doProlog(parser, encoding, s, end, tok, next, nextPtr,
bba68d
-                    (XML_Bool)!ps_finalBuffer);
bba68d
+                    (XML_Bool)!ps_finalBuffer, XML_TRUE);
bba68d
   }
bba68d
   else
bba68d
 #endif /* XML_DTD */
bba68d
--- expat-2.1.0/tests/runtests.c.cve15903
bba68d
+++ expat-2.1.0/tests/runtests.c
bba68d
@@ -1157,6 +1157,69 @@
bba68d
     CharData_AppendString(storage, "\n");
bba68d
 }
bba68d
 
bba68d
+#ifdef XML_DTD
bba68d
+START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
bba68d
+  const char *const inputOne = "
bba68d
+                               "<d/>'>\n"
bba68d
+                               "\n"
bba68d
+                               "%e;";
bba68d
+  const char *const inputTwo = "
bba68d
+                               "<d/>'>\n"
bba68d
+                               "\n"
bba68d
+                               "%e2;";
bba68d
+  const char *const inputThree = "
bba68d
+                                 "<d'>\n"
bba68d
+                                 "\n"
bba68d
+                                 "%e;";
bba68d
+  const char *const inputIssue317 = "
bba68d
+                                    "\n"
bba68d
+                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
bba68d
+                                    "%foo;\n"
bba68d
+                                    "]>\n"
bba68d
+                                    "<doc>Hello, world</dVc>";
bba68d
+
bba68d
+  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
bba68d
+  size_t inputIndex = 0;
bba68d
+
bba68d
+  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
bba68d
+    XML_Parser parser;
bba68d
+    enum XML_Status parseResult;
bba68d
+    int setParamEntityResult;
bba68d
+    XML_Size lineNumber;
bba68d
+    XML_Size columnNumber;
bba68d
+    const char *const input = inputs[inputIndex];
bba68d
+
bba68d
+    parser = XML_ParserCreate(NULL);
bba68d
+    setParamEntityResult
bba68d
+        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
bba68d
+    if (setParamEntityResult != 1)
bba68d
+      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
bba68d
+
bba68d
+    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
bba68d
+    if (parseResult != XML_STATUS_ERROR) {
bba68d
+      parseResult = XML_Parse(parser, "", 0, 1);
bba68d
+      if (parseResult != XML_STATUS_ERROR) {
bba68d
+        fail("Parsing was expected to fail but succeeded.");
bba68d
+      }
bba68d
+    }
bba68d
+
bba68d
+    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
bba68d
+      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
bba68d
+
bba68d
+    lineNumber = XML_GetCurrentLineNumber(parser);
bba68d
+    if (lineNumber != 4)
bba68d
+      fail("XML_GetCurrentLineNumber does not work as expected.");
bba68d
+
bba68d
+    columnNumber = XML_GetCurrentColumnNumber(parser);
bba68d
+    if (columnNumber != 0)
bba68d
+      fail("XML_GetCurrentColumnNumber does not work as expected.");
bba68d
+
bba68d
+    XML_ParserFree(parser);
bba68d
+  }
bba68d
+}
bba68d
+END_TEST
bba68d
+#endif
bba68d
+
bba68d
 static void
bba68d
 run_ns_tagname_overwrite_test(char *text, char *result)
bba68d
 {
bba68d
@@ -1479,6 +1542,11 @@
bba68d
     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute);
bba68d
     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
bba68d
 
bba68d
+#ifdef XML_DTD
bba68d
+    tcase_add_test(tc_basic,
bba68d
+                   test_misc_deny_internal_entity_closing_doctype_issue_317);
bba68d
+#endif
bba68d
+
bba68d
     return s;
bba68d
 }
bba68d