authorKaren Arutyunov <karen@codesynthesis.com>2023-12-01 14:17:39 +0300
committerKaren Arutyunov <karen@codesynthesis.com>2023-12-01 14:17:39 +0300
commitc7eff75c76cebdc8aab02af11251b51d072f3397 (patch)
tree4983973204b41c710db0572efaf36dc716438a08
parent7683a8b7a9e8f4be61a5dee67667db54646d80d3 (diff)
Rollback patch for CVE-2018-1311 which mitigate issue at expense of a memory leak
-rw-r--r--libxerces-c/README-DEV22
-rw-r--r--libxerces-c/tests/net-accessor/NetAccessorTest.cpp76
-rw-r--r--libxerces-c/xercesc/dtd-decl-use-after-free.patch20
-rw-r--r--libxerces-c/xercesc/internal/IGXMLScanner.cpp2
4 files changed, 43 insertions, 77 deletions
diff --git a/libxerces-c/README-DEV b/libxerces-c/README-DEV
index 5321a20..cb7bc86 100644
--- a/libxerces-c/README-DEV
+++ b/libxerces-c/README-DEV
@@ -50,21 +50,7 @@ $ ln -s ../../../upstream/samples/src/PSVIWriter tests/psvi-writer/
We also apply the following patches:
-1) Fix of the use-after-free error (CVE-2018-1311) triggered during the
- scanning of external DTDs (see https://security-tracker.debian.org/tracker/CVE-2018-1311
- for details).
-
- There is no upstream fix and only suggested mitigations, at time of this
- writing (see https://issues.apache.org/jira/browse/XERCESC-2188 for
- details). Thus, we mitigate the issue at the expense of a memory leak, as
- it is done by Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947431).
-
- $ cp --remove-destination ../upstream/src/xercesc/internal/IGXMLScanner.cpp \
- xercesc/internal/
-
- $ git apply xercesc/dtd-decl-use-after-free.patch
-
-2) The explicit template instantiation declarations and definitions patch (see
+1) The explicit template instantiation declarations and definitions patch (see
xercesc/util/Xerces_autoconf_config.hpp for details):
$ cp --remove-destination ../upstream/src/xercesc/util/{Janitor.hpp,JanitorExports.cpp} \
@@ -72,7 +58,7 @@ We also apply the following patches:
$ git apply xercesc/export-template-instantiations.patch
-3) The inline functions definition/usage order change to prevent MinGW GCC
+2) The inline functions definition/usage order change to prevent MinGW GCC
from complaining when compile code that uses libxerces-c:
$ cp --remove-destination ../upstream/src/xercesc/util/KVStringPair.hpp \
@@ -80,7 +66,7 @@ We also apply the following patches:
$ git apply xercesc/inline-funcs-def-usage-order.patch
-4) Patch source files, so that they are properly UTF-8-encoded:
+3) Patch source files, so that they are properly UTF-8-encoded:
$ cp --remove-destination ../upstream/src/xercesc/validators/schema/TraverseSchema.cpp \
xercesc/validators/schema/
@@ -90,7 +76,7 @@ We also apply the following patches:
$ git apply xercesc/utf-8.patch
-5) Patch of the net accessor test, which by some reason exits with the zero
+4) Patch of the net accessor test, which by some reason exits with the zero
status printing the diagnostics to stdout for some errors:
$ cp ../upstream/tests/src/NetAccessorTest/NetAccessorTest.cpp \
diff --git a/libxerces-c/tests/net-accessor/NetAccessorTest.cpp b/libxerces-c/tests/net-accessor/NetAccessorTest.cpp
index c2affbd..376e47a 100644
--- a/libxerces-c/tests/net-accessor/NetAccessorTest.cpp
+++ b/libxerces-c/tests/net-accessor/NetAccessorTest.cpp
@@ -5,9 +5,9 @@
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -42,9 +42,9 @@ XERCES_CPP_NAMESPACE_USE
inline XERCES_STD_QUALIFIER ostream& operator<<(XERCES_STD_QUALIFIER ostream& os, const XMLCh* xmlStr)
{
char* transcoded = XMLString::transcode(xmlStr);
- os << transcoded;
- XMLString::release(&transcoded);
- return os;
+ os << transcoded;
+ XMLString::release(&transcoded);
+ return os;
}
@@ -53,7 +53,7 @@ exercise(BinInputStream& stream)
{
static float percents[] = { 1.0, 0.5, 0.25, 0.1, 0.15, 0.113, 0.333, 0.0015, 0.0013 };
int numPercents = sizeof(percents) / sizeof(float);
-
+
const unsigned int bufferMax = 4096;
XMLByte buffer[bufferMax];
@@ -64,13 +64,13 @@ exercise(BinInputStream& stream)
// them round-robin
float percent = percents[iteration % numPercents];
unsigned int bufCnt = (unsigned int)(bufferMax * percent);
-
+
// Check to make sure we didn't go out of bounds
if (bufCnt <= 0)
bufCnt = 1;
if (bufCnt > bufferMax)
bufCnt = bufferMax;
-
+
// Read bytes into our buffer
bytesRead = stream.readBytes(buffer, bufCnt);
//XERCES_STD_QUALIFIER cerr << "Read " << bytesRead << " bytes into a " << bufCnt << " byte buffer\n";
@@ -80,7 +80,7 @@ exercise(BinInputStream& stream)
// Write the data to standard out
XERCES_STD_QUALIFIER cout.write((char*)buffer, bytesRead);
}
-
+
++iteration;
} while (bytesRead > 0);
}
@@ -97,14 +97,13 @@ main(int argc, char** argv)
{
XMLPlatformUtils::Initialize();
}
-
catch(const XMLException& toCatch)
{
XERCES_STD_QUALIFIER cout << "Error during platform init! Message:\n"
<< toCatch.getMessage() << XERCES_STD_QUALIFIER endl;
return 1;
}
-
+
// Look for our one and only parameter
if (argc != 2)
{
@@ -118,45 +117,45 @@ main(int argc, char** argv)
;
exit(1);
}
-
+
// Get the URL
char* url = argv[1];
-
+
int r = 1;
// Do the test
try
{
XMLURL xmlURL(url);
-
- // Get the netaccessor
- XMLNetAccessor* na = XMLPlatformUtils::fgNetAccessor;
- if (na == 0)
- {
- XERCES_STD_QUALIFIER cerr << "No netaccessor is available. Aborting.\n";
- exit(2);
- }
-
- // Build a binary input stream
- BinInputStream* is = na->makeNew(xmlURL);
- if (is == 0)
- {
- XERCES_STD_QUALIFIER cerr << "No binary input stream created. Aborting.\n";
- exit(3);
+
+ // Get the netaccessor
+ XMLNetAccessor* na = XMLPlatformUtils::fgNetAccessor;
+ if (na == 0)
+ {
+ XERCES_STD_QUALIFIER cerr << "No netaccessor is available. Aborting.\n";
+ exit(2);
}
-
- // Exercise the inputstream
- exercise(*is);
-
- // Delete the is
- delete is;
- r = 0;
+
+ // Build a binary input stream
+ BinInputStream* is = na->makeNew(xmlURL);
+ if (is == 0)
+ {
+ XERCES_STD_QUALIFIER cerr << "No binary input stream created. Aborting.\n";
+ exit(3);
+ }
+
+ // Exercise the inputstream
+ exercise(*is);
+
+ // Delete the is
+ delete is;
+ r = 0;
}
catch(const XMLException& toCatch)
{
- XERCES_STD_QUALIFIER cerr << "Exception during test:\n "
- << toCatch.getMessage()
- << XERCES_STD_QUALIFIER endl;
+ XERCES_STD_QUALIFIER cerr << "Exception during test:\n "
+ << toCatch.getMessage()
+ << XERCES_STD_QUALIFIER endl;
}
// And call the termination method
@@ -164,4 +163,3 @@ main(int argc, char** argv)
return r;
}
-
diff --git a/libxerces-c/xercesc/dtd-decl-use-after-free.patch b/libxerces-c/xercesc/dtd-decl-use-after-free.patch
deleted file mode 100644
index 4a48a96..0000000
--- a/libxerces-c/xercesc/dtd-decl-use-after-free.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/libxerces-c/xercesc/internal/IGXMLScanner.cpp b/libxerces-c/xercesc/internal/IGXMLScanner.cpp
-index 0062400..aa344be 100644
---- a/libxerces-c/xercesc/internal/IGXMLScanner.cpp
-+++ b/libxerces-c/xercesc/internal/IGXMLScanner.cpp
-@@ -1532,7 +1532,6 @@ void IGXMLScanner::scanDocTypeDecl()
- DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
- declDTD->setSystemId(sysId);
- declDTD->setIsExternal(true);
-- Janitor<DTDEntityDecl> janDecl(declDTD);
-
- // Mark this one as a throw at end
- reader->setThrowAtEnd(true);
-@@ -3095,7 +3094,6 @@ Grammar* IGXMLScanner::loadDTDGrammar(const InputSource& src,
- DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
- declDTD->setSystemId(src.getSystemId());
- declDTD->setIsExternal(true);
-- Janitor<DTDEntityDecl> janDecl(declDTD);
-
- // Mark this one as a throw at end
- newReader->setThrowAtEnd(true);
diff --git a/libxerces-c/xercesc/internal/IGXMLScanner.cpp b/libxerces-c/xercesc/internal/IGXMLScanner.cpp
index 246a46a..912ec0c 100644
--- a/libxerces-c/xercesc/internal/IGXMLScanner.cpp
+++ b/libxerces-c/xercesc/internal/IGXMLScanner.cpp
@@ -1535,6 +1535,7 @@ void IGXMLScanner::scanDocTypeDecl()
DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
declDTD->setSystemId(sysId);
declDTD->setIsExternal(true);
+ Janitor<DTDEntityDecl> janDecl(declDTD);
// Mark this one as a throw at end
reader->setThrowAtEnd(true);
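Review bot: The re-added `Janitor<DTDEntityDecl> janDecl(declDTD);` in scanDocTypeDecl(), and the identical line in the loadDTDGrammar() hunk, restores the scope-bound deletion of declDTD that the removed mitigation had dropped to avoid the CVE-2018-1311 use-after-free during external DTD scanning. Nothing visible in this commit states what now makes that deletion safe; the changed index hashes and the shifted hunk offsets suggest the upstream file was updated, but that is inferred and not shown here. Because the README-DEV entry is deleted rather than replaced, I would record the reason there or in the commit message, for example `The CVE-2018-1311 mitigation patch is no longer applied: upstream <version> fixes XERCESC-2188`. It would also help to keep an external-DTD parsing test that runs under a memory-error checker, so a regression of the use-after-free is caught. Both function bodies start and end outside the hunks, so the lifetime of declDTD relative to the reader cannot be confirmed from this page.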
@@ -3097,6 +3098,7 @@ Grammar* IGXMLScanner::loadDTDGrammar(const InputSource& src,
DTDEntityDecl* declDTD = new (fMemoryManager) DTDEntityDecl(gDTDStr, false, fMemoryManager);
declDTD->setSystemId(src.getSystemId());
declDTD->setIsExternal(true);
+ Janitor<DTDEntityDecl> janDecl(declDTD);
// Mark this one as a throw at end
newReader->setThrowAtEnd(true);