https://gitlab.gnome.org/GNOME/libxslt/-/commit/9ae2f94df1721e002941b40665efb762aefcea1a
https://gitlab.gnome.org/GNOME/libxslt/-/commit/824657768aea2cce9c23e72ba8085cb5e44350c7
https://gitlab.gnome.org/GNOME/libxslt/-/commit/77c26bad0433541f486b1e7ced44ca9979376908

From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 17 Aug 2020 03:42:11 +0200
Subject: [PATCH] Stop using maxParserDepth XPath limit

The maxParserDepth XPath limit will be removed again from libxml2.
--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
     xpctxt = tctxt->xpathCtxt;
 
     /* Resource limits to avoid timeouts and call stack overflows */
-    xpctxt->maxParserDepth = 15;
-    xpctxt->maxDepth = 100;
+    xpctxt->maxDepth = 500;
     xpctxt->opLimit = 500000;
 
     /* Test namespaces used in xpath.xml */
@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
 
 static void
 xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
-    ctxt->maxParserDepth = 15;
-    ctxt->maxDepth = 100;
+    ctxt->maxDepth = 200;
     ctxt->opLimit = 100000;
 }
 
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 17 Aug 2020 04:27:13 +0200
Subject: [PATCH] Transfer XPath limits to XPtr context

Expressions like document('doc.xml#xpointer(evil_expr)') ignored the
XPath limits.
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
 	goto out_fragment;
     }
 
+#if LIBXML_VERSION >= 20911 || \
+    defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+    xptrctxt->opLimit = ctxt->context->opLimit;
+    xptrctxt->opCount = ctxt->context->opCount;
+    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+
+    resObj = xmlXPtrEval(fragment, xptrctxt);
+
+    ctxt->context->opCount = xptrctxt->opCount;
+#else
     resObj = xmlXPtrEval(fragment, xptrctxt);
-    xmlXPathFreeContext(xptrctxt);
 #endif
 
+    xmlXPathFreeContext(xptrctxt);
+#endif /* LIBXML_XPTR_ENABLED */
+
     if (resObj == NULL)
 	goto out_fragment;
 
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 26 Aug 2020 00:34:38 +0200
Subject: [PATCH] Don't set maxDepth in XPath contexts

The maximum recursion depth is hardcoded in libxml2 now.
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
     defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
     xptrctxt->opLimit = ctxt->context->opLimit;
     xptrctxt->opCount = ctxt->context->opCount;
-    xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth;
+    xptrctxt->depth = ctxt->context->depth;
 
     resObj = xmlXPtrEval(fragment, xptrctxt);
 
--- a/tests/fuzz/fuzz.c
+++ b/tests/fuzz/fuzz.c
@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
     xpctxt = tctxt->xpathCtxt;
 
     /* Resource limits to avoid timeouts and call stack overflows */
-    xpctxt->maxDepth = 500;
     xpctxt->opLimit = 500000;
 
     /* Test namespaces used in xpath.xml */
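Review bot: The comment `/* Resource limits to avoid timeouts and call stack overflows */` is now stale: with the maxDepth assignment removed only opLimit is set here, which bounds the operation count, not recursion. Per the commit message the depth cap is hardcoded in libxml2 now, so change the comment to `/* Operation limit to avoid timeouts; recursion depth is capped inside libxml2 */`. The enclosing xsltFuzzXPathInit starts and ends outside the hunk.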
@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
     return 0;
 }
 
-static void
-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
-    ctxt->maxDepth = 200;
-    ctxt->opLimit = 100000;
-}
-
 xmlChar *
 xsltFuzzXslt(const char *data, size_t size) {
     xmlDocPtr xsltDoc;
@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) {
         xmlFreeDoc(xsltDoc);
         return NULL;
     }
-    xsltSetXPathResourceLimits(sheet->xpathCtxt);
+    sheet->xpathCtxt->opLimit = 100000;
     sheet->xpathCtxt->opCount = 0;
     if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
         xsltFreeStylesheet(sheet);
@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) {
     xsltSetCtxtSecurityPrefs(sec, ctxt);
     ctxt->maxTemplateDepth = 100;
     ctxt->opLimit = 20000;
-    xsltSetXPathResourceLimits(ctxt->xpathCtxt);
+    ctxt->xpathCtxt->opLimit = 100000;
     ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
 
     result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);
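Review bot: Dropping xsltSetXPathResourceLimits leaves the magic value `100000` written twice, as `sheet->xpathCtxt->opLimit = 100000;` in the previous hunk and `ctxt->xpathCtxt->opLimit = 100000;` here, and the carry-over of the sheet context's opCount on the following line only reads sensibly if both contexts share one budget. Give the value a single name, e.g. `enum { XSLT_FUZZ_XPATH_OP_LIMIT = 100000 };` at file scope, and use it in both assignments so the two cannot drift apart. The enclosing xsltFuzzXslt starts before this hunk and ends after it.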