!23 Fix CVE-2021-33391

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
openeuler-ci-bot 2023-12-29 01:21:45 +00:00 committed by Gitee
commit c4e78546f8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 282 additions and 1 deletions

213
CVE-2021-33391-pre.patch Normal file

@ -0,0 +1,213 @@
Origin: https://launchpadlibrarian.net/697070499/tidy-html5_2%3A5.6.0-11_2%3A5.6.0-11ubuntu0.20.04.1.diff.gz
Partial backport of:
From e56716f154f13b14fc5585146a85000fdd26d319 Mon Sep 17 00:00:00 2001
From: Jim Derry <balthisar@gmail.com>
Date: Wed, 28 Jul 2021 19:45:57 -0400
Subject: [PATCH] Improve internal documentation. Start general conversion to
eliminate and/or reduce recursion.
---
src/clean.c | 83 +-
src/lexer.c | 122 +-
src/lexer.h | 698 +++++---
src/parser.c | 4554 ++++++++++++++++++++++++++++++++++--------------
src/parser.h | 71 +-
src/tags.c | 4 +-
src/tags.h | 7 +-
src/tidy-int.h | 16 +-
src/tidylib.c | 2 +
9 files changed, 3873 insertions(+), 1684 deletions(-)
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -4425,6 +4425,106 @@ static Node *ParseDocTypeDecl(TidyDocImp
return NULL;
}
+
+/****************************************************************************//*
+ ** MARK: - Node Stack
+ ***************************************************************************/
+
+
+/**
+ * Create a new stack with a given starting capacity. If memory allocation
+ * fails, then the allocator will panic the program automatically.
+ */
+Stack* TY_(newStack)(TidyDocImpl *doc, uint capacity)
+{
+ Stack *stack = (Stack *)TidyAlloc(doc->allocator, sizeof(Stack));
+ stack->top = -1;
+ stack->capacity = capacity;
+ stack->firstNode = (Node **)TidyAlloc(doc->allocator, stack->capacity * sizeof(Node**));
+ stack->allocator = doc->allocator;
+ return stack;
+}
+
+
+/**
+ * Increase the stack size. This will be called automatically when the
+ * current stack is full. If memory allocation fails, then the allocator
+ * will panic the program automatically.
+ */
+void TY_(growStack)(Stack *stack)
+{
+ uint new_capacity = stack->capacity * 2;
+
+ Node **firstNode = (Node **)TidyAlloc(stack->allocator, new_capacity);
+
+ memcpy( firstNode, stack->firstNode, sizeof(Node**) * (stack->top + 1) );
+ TidyFree(stack->allocator, stack->firstNode);
+
+ stack->firstNode = firstNode;
+ stack->capacity = new_capacity;
+}
+
+
+/**
+ * Stack is full when top is equal to the last index.
+ */
+Bool TY_(stackFull)(Stack *stack)
+{
+ return stack->top == stack->capacity - 1;
+}
+
+
+/**
+ * Stack is empty when top is equal to -1
+ */
+Bool TY_(stackEmpty)(Stack *stack)
+{
+ return stack->top == -1;
+}
+
+
+/**
+ * Push an item to the stack.
+ */
+void TY_(push)(Stack *stack, Node *node)
+{
+ if (TY_(stackFull)(stack))
+ TY_(growStack)(stack);
+
+ if (node)
+ stack->firstNode[++stack->top] = node;
+}
+
+
+/**
+ * Pop an item from the stack.
+ */
+Node* TY_(pop)(Stack *stack)
+{
+ return TY_(stackEmpty)(stack) ? NULL : stack->firstNode[stack->top--];
+}
+
+
+/**
+ * Peek at the stack.
+ */
+FUNC_UNUSED Node* TY_(peek)(Stack *stack)
+{
+ return TY_(stackEmpty)(stack) ? NULL : stack->firstNode[stack->top--];
+}
+
+/**
+ * Frees the stack when done.
+ */
+void TY_(freeStack)(Stack *stack)
+{
+ TidyFree( stack->allocator, stack->firstNode );
+ stack->top = -1;
+ stack->capacity = 0;
+ stack->firstNode = NULL;
+ stack->allocator = NULL;
+}
+
/*
* local variables:
* mode: c
--- a/src/lexer.h
+++ b/src/lexer.h
@@ -594,6 +594,78 @@ Node* TY_(InsertedToken)( TidyDocImpl* d
Bool TY_(SwitchInline)( TidyDocImpl* doc, Node* element, Node* node );
Bool TY_(InlineDup1)( TidyDocImpl* doc, Node* node, Node* element );
+/** @}
+ * @name Generic stack of nodes.
+ * @{
+ */
+
+
+/**
+ * This typedef represents a stack of addresses to nodes. Tidy uses these to
+ * try to limit recursion by pushing nodes to a stack when possible instead
+ * of recursing.
+ */
+typedef struct _Stack {
+ int top; /**< Current top position. */
+ unsigned capacity; /**< Current capacity. Can be expanded. */
+ Node **firstNode; /** A pointer to the first pointer to a Node in an array of node addresses. */
+ TidyAllocator* allocator; /**< Tidy's allocator, used at instantiation and expanding. */
+} Stack;
+
+
+/**
+ * Create a new stack with a given starting capacity. If memory allocation
+ * fails, then the allocator will panic the program automatically.
+ */
+Stack* TY_(newStack)(TidyDocImpl *doc, uint capacity);
+
+
+/**
+ * Increase the stack size. This will be called automatically when the
+ * current stack is full. If memory allocation fails, then the allocator
+ * will panic the program automatically.
+ */
+void TY_(growStack)(Stack *stack);
+
+
+/**
+ * Stack is full when top is equal to the last index.
+ */
+Bool TY_(stackFull)(Stack *stack);
+
+
+/**
+ * Stack is empty when top is equal to -1
+ */
+Bool TY_(stackEmpty)(Stack *stack);
+
+
+/**
+ * Push an item to the stack.
+ */
+void TY_(push)(Stack *stack, Node *node);
+
+
+/**
+ * Pop an item from the stack.
+ */
+Node* TY_(pop)(Stack *stack);
+
+
+/**
+ * Peek at the stack.
+ */
+Node* TY_(peek)(Stack *stack);
+
+/**
+ * Frees the stack when done.
+ */
+void TY_(freeStack)(Stack *stack);
+
+
+/** @}
+ */
+
#ifdef __cplusplus
}
#endif
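Review bot: `TY_(growStack)` in the src/lexer.c hunk sizes the new array in bytes rather than in elements: `TidyAlloc(stack->allocator, new_capacity)` requests `new_capacity` bytes, while the `memcpy` that follows copies `sizeof(Node**) * (stack->top + 1)` bytes into it, so the first growth of a full stack writes past the end of the new allocation. The size should follow the form used in `TY_(newStack)`, e.g. `Node **firstNode = (Node **)TidyAlloc(stack->allocator, new_capacity * sizeof(Node *));`, ideally with a check that the doubling and the multiplication cannot wrap. Separately, `TY_(peek)` is written with `stack->top--` and so removes the element exactly as `TY_(pop)` does; it should return `stack->firstNode[stack->top]`. Because the companion CVE-2021-33391.patch creates this stack with a capacity of 16 and pushes while descending into child content, the growth path looks reachable from sufficiently nested documents, so it is worth checking for a later upstream correction to this helper before shipping the backport.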

63
CVE-2021-33391.patch Normal file

@ -0,0 +1,63 @@
Origin: https://launchpadlibrarian.net/697070499/tidy-html5_2%3A5.6.0-11_2%3A5.6.0-11ubuntu0.20.04.1.diff.gz
Backport of:
From efa61528aa500a1efbd2768121820742d3bb709b Mon Sep 17 00:00:00 2001
From: Jim Derry <balthisar@gmail.com>
Date: Sat, 31 Jul 2021 08:26:16 -0400
Subject: [PATCH] Fixes #946 by refactoring the recursion into a loop with a
heap-based stack.
---
.../cases/github-cases/case-946.conf | 3 +
.../cases/github-cases/case-946@1.html | Bin 0 -> 11558 bytes
.../cases/github-expects/case-946.html | 44 +++
.../cases/github-expects/case-946.txt | 330 ++++++++++++++++++
src/gdoc.c | 13 +-
version.txt | 4 +-
6 files changed, 388 insertions(+), 6 deletions(-)
create mode 100755 regression_testing/cases/github-cases/case-946.conf
create mode 100644 regression_testing/cases/github-cases/case-946@1.html
create mode 100644 regression_testing/cases/github-expects/case-946.html
create mode 100644 regression_testing/cases/github-expects/case-946.txt
diff --git a/src/gdoc.c b/src/gdoc.c
index 50cd9bc33..8f5f8ffd7 100644
--- a/src/gdoc.c
+++ b/src/gdoc.c
@@ -96,14 +96,15 @@ static void DiscardContainer( TidyDocImpl* doc, Node *element, Node **pnode)
static void CleanNode( TidyDocImpl* doc, Node *node )
{
+ Stack *stack = TY_(newStack)(doc, 16);
Node *child, *next;
- if (node->content)
+ if ( (child = node->content) )
{
- for (child = node->content; child != NULL; child = next)
+ while (child)
{
next = child->next;
-
+
if (TY_(nodeIsElement)(child))
{
if (nodeIsSTYLE(child))
@@ -131,10 +132,14 @@ static void CleanNode( TidyDocImpl* doc, Node *node )
if (child->attributes)
TY_(DropAttrByName)( doc, child, "class" );
- CleanNode(doc, child);
+ TY_(push)(stack,next);
+ child = child->content;
+ continue;
}
}
+ child = next ? next : TY_(pop)(stack);
}
+ TY_(freeStack)(stack);
}
}
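Review bot: The stack created at the top of `CleanNode` is never fully released. `TY_(newStack)(doc, 16)` runs unconditionally, but `TY_(freeStack)(stack)` sits inside the `if ( (child = node->content) )` block as the braces read, so a node without content leaks both allocations. In addition, `freeStack` as defined in CVE-2021-33391-pre.patch frees only `firstNode` and never the `Stack` struct, so every call leaks the struct. I would move the cleanup after the closing brace of the `if` block and release the struct there as well: `TY_(freeStack)(stack);` followed by `TidyFree(doc->allocator, stack);`. The middle of the function lies between the two hunks and is not shown, so any early exit there would need the same cleanup.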


@ -3,7 +3,7 @@
Name: tidy
Version: 5.7.28
Release: 1
Release: 2
Summary: Utility to clean up and pretty print HTML/XHTML/XML
License: W3C
URL: http://www.html-tidy.org/
@ -11,6 +11,8 @@ Source0: https://github.com/htacg/%{upname}/archive/%{version}.tar.gz#/%{u
Patch0: fix-memleak-in-GetTokenFromStream.patch
Patch1: free-attributes-before-return-NULL.patch
Patch2: CVE-2021-33391-pre.patch
Patch3: CVE-2021-33391.patch
BuildRequires: gcc-c++ cmake gcc libxslt pkgconfig
Provides: tidy-html5 = %{version}-%{release}
@ -81,6 +83,9 @@ ln -s tidyplatform.h $RPM_BUILD_ROOT%{_includedir}/platform.h
%{_mandir}/*
%changelog
* Thu Dec 28 2023 wangkai <13474090681@163.com> - 5.7.28-2
- Fix CVE-2021-33391
* Tue Jan 26 2021 fuanan <fuanan3@huawei.com> - 5.7.28-1
- Update to version 5.7.28