43 lines
1.7 KiB
Diff
From d038d7177668030f0c54fa1772d3f174cf6527f1 Mon Sep 17 00:00:00 2001
From: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Date: Thu, 1 Dec 2022 12:58:11 +0000
Subject: [PATCH 26/28] Correctly relocate internal pointers after realloc()

Adding an offset to a deallocated pointer and assuming that it can be
dereferenced is undefined behaviour. When running libxml2 on CHERI-enabled
systems such as Arm Morello this results in the creation of an out-of-bounds
pointer that cannot be dereferenced and therefore crashes at runtime.

The effect of this UB is not just limited to architectures such as CHERI;
incorrect relocation of pointers after realloc can in fact cause
FORTIFY_SOURCE errors with recent GCC:
https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level

Reference: https://github.com/GNOME/libxml2/commit/c62c0d82ccacc2000c45f211166f008687fb97a0
Conflict: NA
---
 parser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/parser.c b/parser.c
index 9d50138..adc449c 100644
--- a/parser.c
+++ b/parser.c
@@ -9514,10 +9514,10 @@ next_attr:
* Arithmetic on dangling pointers is technically undefined
* behavior, but well...
*/
- ptrdiff_t offset = ctxt->input->base - atts[i+2];
+ const xmlChar *old = atts[i+2];
atts[i+2] = NULL; /* Reset repurposed namespace URI */
- atts[i+3] += offset; /* value */
- atts[i+4] += offset; /* valuend */
+ atts[i+3] = ctxt->input->base + (atts[i+3] - old); /* value */
+ atts[i+4] = ctxt->input->base + (atts[i+4] - old); /* valuend */
}
}
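Review bot: the comment left as unchanged context at the top of this hunk ("Arithmetic on dangling pointers is technically undefined behavior, but well...") no longer describes what the code below it does, and should be reworded so the next reader does not revert the change. The new lines `atts[i+3] = ctxt->input->base + (atts[i+3] - old);` and `atts[i+4] = ctxt->input->base + (atts[i+4] - old);` still subtract two stale pointers (that subtraction is the part that remains technically undefined), but the result is only an integer distance that is then added to the live `ctxt->input->base`; unlike the removed `atts[i+3] += offset` form, no pointer that will later be dereferenced is ever derived from the freed buffer, which is exactly the property the commit message relies on for CHERI/Morello and for the FORTIFY_SOURCE case. Suggest replacing the comment with something like: "Subtracting two stale pointers is technically UB, but only an integer offset is taken from them; the new pointers are derived from the live input->base." One more small point: `const xmlChar *old = atts[i+2];` is correctly captured before `atts[i+2] = NULL;`, and a short comment saying the save must stay ahead of the reset would make that ordering dependency explicit.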
--
2.27.0