!23 Fix CVE-2021-33391

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

0002-Issue-656-protect-against-NULL-node-set-in-loop.patch

@@ -1,29 +0,0 @@
-From a0414d65a69927808240e41c1235145413978c43 Mon Sep 17 00:00:00 2001
-From: Geoff McLane <ubuntu@geoffair.info>
-Date: Sat, 16 Dec 2017 20:54:29 +0100
-Subject: [PATCH 02/12] Issue #656 - protect against NULL node set in loop
-
----
- src/clean.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/clean.c b/src/clean.c
-index de4caf5..e96dd3f 100644
---- a/src/clean.c
-+++ b/src/clean.c
-@@ -2211,8 +2211,10 @@ Bool TY_(TidyMetaCharset)(TidyDocImpl* doc)
-     tidyBufAppend(&charsetString, "charset=", 8);
-     tidyBufAppend(&charsetString, (char*)enc, TY_(tmbstrlen)(enc));
-     tidyBufAppend(&charsetString, "\0", 1); /* zero terminate the buffer */
--                                            /* process the children of the head */
--    for (currentNode = head->content; currentNode; currentNode = currentNode->next)
-+    /* process the children of the head */
-+    /* Issue #656 - guard against 'currentNode' being set NULL in loop */
-+    for (currentNode = head->content; currentNode; 
-+        currentNode = (currentNode ? currentNode->next : NULL))
-     {
-         if (!nodeIsMETA(currentNode))
-             continue;   /* not a meta node */
--- 
-2.14.3
-

CVE-2021-33391-pre.patch

@@ -0,0 +1,213 @@
+Origin: https://launchpadlibrarian.net/697070499/tidy-html5_2%3A5.6.0-11_2%3A5.6.0-11ubuntu0.20.04.1.diff.gz
+
+Partial backport of:
+
+From e56716f154f13b14fc5585146a85000fdd26d319 Mon Sep 17 00:00:00 2001
+From: Jim Derry <balthisar@gmail.com>
+Date: Wed, 28 Jul 2021 19:45:57 -0400
+Subject: [PATCH] Improve internal documentation. Start general conversion to
+ eliminate and/or reduce recursion.
+
+---
+ src/clean.c    |   83 +-
+ src/lexer.c    |  122 +-
+ src/lexer.h    |  698 +++++---
+ src/parser.c   | 4554 ++++++++++++++++++++++++++++++++++--------------
+ src/parser.h   |   71 +-
+ src/tags.c     |    4 +-
+ src/tags.h     |    7 +-
+ src/tidy-int.h |   16 +-
+ src/tidylib.c  |    2 +
+ 9 files changed, 3873 insertions(+), 1684 deletions(-)
+
+--- a/src/lexer.c
++++ b/src/lexer.c
+@@ -4425,6 +4425,106 @@ static Node *ParseDocTypeDecl(TidyDocImp
+     return NULL;
+ }
+ 
++
++/****************************************************************************//*
++ ** MARK: - Node Stack
++ ***************************************************************************/
++
++
++/**
++ * Create a new stack with a given starting capacity. If memory allocation
++ * fails, then the allocator will panic the program automatically.
++ */
++Stack* TY_(newStack)(TidyDocImpl *doc, uint capacity)
++{
++    Stack *stack = (Stack *)TidyAlloc(doc->allocator, sizeof(Stack));
++    stack->top = -1;
++    stack->capacity = capacity;
++    stack->firstNode = (Node **)TidyAlloc(doc->allocator, stack->capacity * sizeof(Node**));
++    stack->allocator = doc->allocator;
++    return stack;
++}
++ 
++
++/**
++ *  Increase the stack size. This will be called automatically when the
++ *  current stack is full. If memory allocation fails, then the allocator
++ *  will panic the program automatically.
++ */
++void TY_(growStack)(Stack *stack)
++{
++    uint new_capacity = stack->capacity * 2;
++    
++    Node **firstNode = (Node **)TidyAlloc(stack->allocator, new_capacity);
++    
++    memcpy( firstNode, stack->firstNode, sizeof(Node**) * (stack->top + 1) );
++    TidyFree(stack->allocator, stack->firstNode);
++
++    stack->firstNode = firstNode;
++    stack->capacity = new_capacity;
++}
++
++
++/**
++ * Stack is full when top is equal to the last index.
++ */
++Bool TY_(stackFull)(Stack *stack)
++{
++    return stack->top == stack->capacity - 1;
++}
++
++
++/**
++ * Stack is empty when top is equal to -1
++ */
++Bool TY_(stackEmpty)(Stack *stack)
++{
++    return stack->top == -1;
++}
++ 
++
++/**
++ * Push an item to the stack.
++ */
++void TY_(push)(Stack *stack, Node *node)
++{
++    if (TY_(stackFull)(stack))
++        TY_(growStack)(stack);
++    
++    if (node)
++        stack->firstNode[++stack->top] = node;
++}
++
++
++/**
++ * Pop an item from the stack.
++ */
++Node* TY_(pop)(Stack *stack)
++{
++    return TY_(stackEmpty)(stack) ? NULL : stack->firstNode[stack->top--];
++}
++
++
++/**
++ * Peek at the stack.
++ */
++FUNC_UNUSED Node* TY_(peek)(Stack *stack)
++{
++    return TY_(stackEmpty)(stack) ? NULL : stack->firstNode[stack->top--];
++}
++
++/**
++ *  Frees the stack when done.
++ */
++void TY_(freeStack)(Stack *stack)
++{
++    TidyFree( stack->allocator, stack->firstNode );
++    stack->top = -1;
++    stack->capacity = 0;
++    stack->firstNode = NULL;
++    stack->allocator = NULL;
++}
++
+ /*
+  * local variables:
+  * mode: c
+--- a/src/lexer.h
++++ b/src/lexer.h
+@@ -594,6 +594,78 @@ Node* TY_(InsertedToken)( TidyDocImpl* d
+ Bool TY_(SwitchInline)( TidyDocImpl* doc, Node* element, Node* node );
+ Bool TY_(InlineDup1)( TidyDocImpl* doc, Node* node, Node* element );
+ 
++/** @}
++ *  @name Generic stack of nodes.
++ *  @{
++ */
++
++
++/**
++ * This typedef represents a stack of addresses to nodes. Tidy uses these to
++ * try to limit recursion by pushing nodes to a stack when possible instead
++ * of recursing.
++ */
++typedef struct _Stack {
++    int top;                        /**< Current top position. */
++    unsigned capacity;              /**< Current capacity. Can be expanded. */
++    Node **firstNode;               /** A pointer to the first pointer to a Node in an array of node addresses. */
++    TidyAllocator* allocator;       /**< Tidy's allocator, used at instantiation and expanding. */
++} Stack;
++ 
++
++/**
++ * Create a new stack with a given starting capacity. If memory allocation
++ * fails, then the allocator will panic the program automatically.
++ */
++Stack* TY_(newStack)(TidyDocImpl *doc, uint capacity);
++ 
++
++/**
++ *  Increase the stack size. This will be called automatically when the
++ *  current stack is full. If memory allocation fails, then the allocator
++ *  will panic the program automatically.
++ */
++void TY_(growStack)(Stack *stack);
++
++
++/**
++ * Stack is full when top is equal to the last index.
++ */
++Bool TY_(stackFull)(Stack *stack);
++
++
++/**
++ * Stack is empty when top is equal to -1
++ */
++Bool TY_(stackEmpty)(Stack *stack);
++ 
++
++/**
++ * Push an item to the stack.
++ */
++void TY_(push)(Stack *stack, Node *node);
++
++
++/**
++ * Pop an item from the stack.
++ */
++Node* TY_(pop)(Stack *stack);
++
++
++/**
++ * Peek at the stack.
++ */
++Node* TY_(peek)(Stack *stack);
++
++/**
++ *  Frees the stack when done.
++ */
++void TY_(freeStack)(Stack *stack);
++
++
++/** @}
++ */
++
+ #ifdef __cplusplus
+ }
+ #endif
+

CVE-2021-33391.patch

@@ -0,0 +1,63 @@
+Origin: https://launchpadlibrarian.net/697070499/tidy-html5_2%3A5.6.0-11_2%3A5.6.0-11ubuntu0.20.04.1.diff.gz
+
+Backport of:
+
+From efa61528aa500a1efbd2768121820742d3bb709b Mon Sep 17 00:00:00 2001
+From: Jim Derry <balthisar@gmail.com>
+Date: Sat, 31 Jul 2021 08:26:16 -0400
+Subject: [PATCH] Fixes #946 by refactoring the recursion into a loop with a
+ heap-based stack.
+
+---
+ .../cases/github-cases/case-946.conf          |   3 +
+ .../cases/github-cases/case-946@1.html        | Bin 0 -> 11558 bytes
+ .../cases/github-expects/case-946.html        |  44 +++
+ .../cases/github-expects/case-946.txt         | 330 ++++++++++++++++++
+ src/gdoc.c                                    |  13 +-
+ version.txt                                   |   4 +-
+ 6 files changed, 388 insertions(+), 6 deletions(-)
+ create mode 100755 regression_testing/cases/github-cases/case-946.conf
+ create mode 100644 regression_testing/cases/github-cases/case-946@1.html
+ create mode 100644 regression_testing/cases/github-expects/case-946.html
+ create mode 100644 regression_testing/cases/github-expects/case-946.txt
+
+diff --git a/src/gdoc.c b/src/gdoc.c
+index 50cd9bc33..8f5f8ffd7 100644
+--- a/src/gdoc.c
++++ b/src/gdoc.c
+@@ -96,14 +96,15 @@ static void DiscardContainer( TidyDocImpl* doc, Node *element, Node **pnode)
+ 
+ static void CleanNode( TidyDocImpl* doc, Node *node )
+ {
++    Stack *stack = TY_(newStack)(doc, 16);
+     Node *child, *next;
+ 
+-    if (node->content)
++    if ( (child = node->content) )
+     {
+-        for (child = node->content; child != NULL; child = next)
++        while (child)
+         {
+             next = child->next;
+-
++            
+             if (TY_(nodeIsElement)(child))
+             {
+                 if (nodeIsSTYLE(child))
+@@ -131,10 +132,14 @@ static void CleanNode( TidyDocImpl* doc, Node *node )
+                     if (child->attributes)
+                         TY_(DropAttrByName)( doc, child, "class" );
+ 
+-                    CleanNode(doc, child);
++                    TY_(push)(stack,next);
++                    child = child->content;
++                    continue;
+                 }
+             }
++            child = next ? next : TY_(pop)(stack);
+         }
++        TY_(freeStack)(stack);
+     }
+ }
+ 
+

fix-memleak-in-GetTokenFromStream.patch

@@ -0,0 +1,40 @@
+From 4377ab84a4a2748d72be91d26210567cc933c760 Mon Sep 17 00:00:00 2001
+From: lutianxiong <lutianxiong@huawei.com>
+Date: Sat, 20 Jun 2020 09:19:17 +0800
+Subject: [PATCH 095/109] fix memleak in GetTokenFromStream
+
+check asp & php if ParseAttribute return NULL
+---
+ src/lexer.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/lexer.c b/src/lexer.c
+index ca66aee..bbc1e15 100644
+--- a/src/lexer.c
++++ b/src/lexer.c
+@@ -3263,6 +3263,22 @@ static Node* GetTokenFromStream( TidyDocImpl* doc, GetTokenMode mode )
+ 
+                     if (!name)
+                     {
++                        /* check if attributes are created by ASP markup */
++                        if (asp)
++                        {
++                            av = TY_(NewAttribute)(doc);
++                            av->asp = asp;
++                            AddAttrToList( &attributes, av ); 
++                        }
++
++                        /* check if attributes are created by PHP markup */
++                        if (php)
++                        {
++                            av = TY_(NewAttribute)(doc);
++                            av->php = php;
++                            AddAttrToList( &attributes, av ); 
++                        }
++                      
+                         /* fix for http://tidy.sf.net/bug/788031 */
+                         lexer->lexsize -= 1;
+                         lexer->txtend = lexer->txtstart;
+-- 
+1.8.3.1
+

free-attributes-before-return-NULL.patch

@@ -0,0 +1,27 @@
+From 8f0e7aa22a854add9e6082ca5136e82f032a236a Mon Sep 17 00:00:00 2001
+From: lutianxiong <lutianxiong@huawei.com>
+Date: Sun, 22 Nov 2020 00:10:12 +0800
+Subject: [PATCH] Free attributes before return NULL (#899)
+
+---
+ src/lexer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lexer.c b/src/lexer.c
+index 49b74f5..16a8fef 100644
+--- a/src/lexer.c
++++ b/src/lexer.c
+@@ -3469,6 +3469,10 @@ static Node* GetTokenFromStream( TidyDocImpl* doc, GetTokenMode mode )
+         return node;  /* the COMMENT token */
+     }
+ 
++    /* check attributes before return NULL */
++    if (attributes)
++        TY_(FreeAttribute)( doc, attributes );
++
+     DEBUG_LOG(SPRTF("Returning NULL...\n"));
+     return NULL;
+ }
+-- 
+1.8.3.1
+

tidy.spec

@@ -2,14 +2,17 @@
 %global upname tidy-html5
 
 Name:          tidy
-Version:       5.6.0
-Release:       1
+Version:       5.7.28
+Release:       2
 Summary:       Utility to clean up and pretty print HTML/XHTML/XML
 License:       W3C
 URL:           http://www.html-tidy.org/
-Source0:       https://github.com/htacg/%{upname}/archive/%{upname}-%{version}.tar.gz
+Source0:       https://github.com/htacg/%{upname}/archive/%{version}.tar.gz#/%{upname}-%{version}.tar.gz
 
-Patch0001:     0002-Issue-656-protect-against-NULL-node-set-in-loop.patch
+Patch0:        fix-memleak-in-GetTokenFromStream.patch
+Patch1:        free-attributes-before-return-NULL.patch
+Patch2:        CVE-2021-33391-pre.patch
+Patch3:        CVE-2021-33391.patch
 
 BuildRequires: gcc-c++ cmake gcc libxslt pkgconfig
 Provides:      tidy-html5 = %{version}-%{release}
@@ -80,5 +83,27 @@ ln -s tidyplatform.h $RPM_BUILD_ROOT%{_includedir}/platform.h
 %{_mandir}/*
 
 %changelog
+* Thu Dec 28 2023 wangkai <13474090681@163.com> - 5.7.28-2
+- Fix CVE-2021-33391
+
+* Tue Jan 26 2021 fuanan <fuanan3@huawei.com> - 5.7.28-1
+- Update to version 5.7.28
+
+* Thu Nov 26 2020 yuboyun <yuboyun@huawei.com> - 5.6.0-4
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix memleak in tidyParseBuffer
+
+* Fri Nov 20 2020 lunankun <lunankun@huawei.com> - 5.6.0-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix memleak
+
+* Wed Sep 02 2020 gaihuiying <gaihuiying1@huawei.com> - 5.6.0-2
+- Type:bugfix
+- DESC:change Source0 to correct URL
+
 * Wed Feb 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 5.6.0-1
 - Package init