

Main GraphicsMagick source repository


Commit MetaInfo

Revision88699a41798cbd58171218c1c99237aa7b18f6ab (tree)
Time2022-08-13 23:51:50
AuthorBob Friesenhahn <bfriesen@Grap...>
CommiterBob Friesenhahn

Log Message

SVG: Check parser context alloc. Disable parse internal subset.


Incremental Difference

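--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2022-08-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+* coders/svg.c (ReadSVGImage): Address concern from SourceForge
+issue #669 "Segmentation fault caused by null pointer dereference
+by checking return from xmlCreatePushParserCtxt(). Address
+oss-fuzz 48340 "graphicsmagick:coder_SVG_fuzzer:
+Heap-use-after-free in xmlParseInternalSubset" by disabling
+internal subset handling until the parser context handling is
+fixed.
+
 2022-08-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
 
 * NEWS.txt: Updated the news.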
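--- a/VisualMagick/installer/inc/version.isx
+++ b/VisualMagick/installer/inc/version.isx
@@ -10,5 +10,5 @@
 
 #define public MagickPackageName "GraphicsMagick"
 #define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020220811"
-#define public MagickPackageReleaseDate "snapshot-20220811"
+#define public MagickPackageVersionAddendum ".020220813"
+#define public MagickPackageReleaseDate "snapshot-20220813"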
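--- a/coders/svg.c
+++ b/coders/svg.c
@@ -494,13 +494,17 @@
 
 static int SVGIsStandalone(void *context);
 
+#if defined(ENABLE_XML_INTERNAL_SUBSET)
 static int SVGHasInternalSubset(void *context);
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 
 static int SVGHasExternalSubset(void *context);
 
+#if defined(ENABLE_XML_INTERNAL_SUBSET)
 static void SVGInternalSubset(void *context,const xmlChar *name,
 const xmlChar *external_id,
 const xmlChar *system_id);
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 
 static xmlParserInputPtr SVGResolveEntity(void *context,
 const xmlChar *public_id,
@@ -587,6 +591,7 @@
 return(svg_info->document->standalone == 1);
 }
 
+#if defined(ENABLE_XML_INTERNAL_SUBSET) && ENABLE_XML_INTERNAL_SUBSET
 static int
 SVGHasInternalSubset(void *context)
 {
@@ -601,6 +606,7 @@
 svg_info=(SVGInfo *) context;
 return(svg_info->document->intSubset != NULL);
 }
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 
 static int
 SVGHasExternalSubset(void *context)
@@ -617,6 +623,8 @@
 return(svg_info->document->extSubset != NULL);
 }
 
+#if defined(ENABLE_XML_INTERNAL_SUBSET) && ENABLE_XML_INTERNAL_SUBSET
+/* FIXME: Parser context allocation/handling is apparently wrong for internal subset */
 static void
 SVGInternalSubset(void *context,const xmlChar *name,
 const xmlChar *external_id,const xmlChar *system_id)
@@ -634,6 +642,7 @@
 svg_info=(SVGInfo *) context;
 (void) xmlCreateIntSubset(svg_info->document,name,external_id,system_id);
 }
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 
 static xmlParserInputPtr
 SVGResolveEntity(void *context,
@@ -4077,9 +4086,13 @@
 (void) xmlSubstituteEntitiesDefault(0);
 
 (void) memset(&SAXModules,0,sizeof(SAXModules));
+#if defined(ENABLE_XML_INTERNAL_SUBSET) && ENABLE_XML_INTERNAL_SUBSET
 SAXModules.internalSubset=SVGInternalSubset;
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 SAXModules.isStandalone=SVGIsStandalone;
+#if defined(ENABLE_XML_INTERNAL_SUBSET) && ENABLE_XML_INTERNAL_SUBSET
 SAXModules.hasInternalSubset=SVGHasInternalSubset;
+#endif /* ENABLE_XML_INTERNAL_SUBSET */
 SAXModules.hasExternalSubset=SVGHasExternalSubset;
 SAXModules.resolveEntity=SVGResolveEntity;
 SAXModules.getEntity=SVGGetEntity;
@@ -4110,28 +4123,32 @@
 image->filename);
 if (svg_info.parser == (xmlParserCtxtPtr) NULL)
 {
-/* FIXME: Handle failure! */
-}
-while ((n=ReadBlob(image,MaxTextExtent-1,message)) != 0)
-{
-message[n]='\0';
-status=xmlParseChunk(svg_info.parser,message,(int) n,False);
-if (status != 0)
-break;
+ThrowException(exception,DrawError,UnableToDrawOnImage,
+"Failed to push XML parser context");
 }
-(void) xmlParseChunk(svg_info.parser,message,0,True);
-/*
-Assure that our private context is freed, even if we abort before
-seeing the document end.
-*/
-SVGEndDocument(&svg_info);
-if (svg_info.parser->myDoc != (xmlDocPtr) NULL)
-xmlFreeDoc(svg_info.parser->myDoc);
-/*
-Free all the memory used by a parser context. However the parsed
-document in ctxt->myDoc is not freed (so we just did that).
-*/
-xmlFreeParserCtxt(svg_info.parser);
+if (svg_info.parser != (xmlParserCtxtPtr) NULL)
+{
+while ((n=ReadBlob(image,MaxTextExtent-1,message)) != 0)
+{
+message[n]='\0';
+status=xmlParseChunk(svg_info.parser,message,(int) n,False);
+if (status != 0)
+break;
+}
+(void) xmlParseChunk(svg_info.parser,message,0,True);
+/*
+Assure that our private context is freed, even if we abort before
+seeing the document end.
+*/
+SVGEndDocument(&svg_info);
+if (svg_info.parser->myDoc != (xmlDocPtr) NULL)
+xmlFreeDoc(svg_info.parser->myDoc);
+/*
+Free all the memory used by a parser context. However the parsed
+document in ctxt->myDoc is not freed (so we just did that).
+*/
+xmlFreeParserCtxt(svg_info.parser);
+}
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),"end SAX");
 (void) fclose(file);
 CloseBlob(image);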
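Review bot: On the new NULL-context path in ReadSVGImage (hunk at -4110) the failure is recorded in `exception`, but control then falls through to the "end SAX" logging, `fclose(file)`, `CloseBlob(image)` and whatever follows the hunk, so the caller presumably gets a partially initialised image alongside the exception unless the return path outside the hunk checks the exception severity and destroys the image; also `SVGEndDocument(&svg_info)` now runs only inside the non-NULL branch, so anything the private context acquired before xmlCreatePushParserCtxt() is not released on that path — worth confirming against the function's prologue. The exception class also looks mismatched: xmlCreatePushParserCtxt() fails on allocation, so `ThrowException(exception,ResourceLimitError,MemoryAllocationFailed,"Failed to push XML parser context");` describes the condition more accurately than DrawError/UnableToDrawOnImage. Separately, the prototype guards in the first hunk use `#if defined(ENABLE_XML_INTERNAL_SUBSET)` while every definition and use requires `defined(ENABLE_XML_INTERNAL_SUBSET) && ENABLE_XML_INTERNAL_SUBSET`; a build that defines the macro to 0 then declares two static functions that are never defined, which -Wunused-function reports, so the prototype guards should use the same condition. ReadSVGImage starts and ends outside the hunk.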
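--- a/magick/version.h
+++ b/magick/version.h
@@ -38,8 +38,8 @@
 #define MagickLibVersion 0x272400
 #define MagickLibVersionText "1.4"
 #define MagickLibVersionNumber 27,24,0
-#define MagickChangeDate "20220811"
-#define MagickReleaseDate "snapshot-20220811"
+#define MagickChangeDate "20220813"
+#define MagickReleaseDate "snapshot-20220813"
 
 /*
 The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines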
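--- a/www/Changelog.html
+++ b/www/Changelog.html
@@ -35,6 +35,18 @@
 <div class="document">
 
 
+<p>2022-08-13 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+<ul class="simple">
+<li>coders/svg.c (ReadSVGImage): Address concern from SourceForge
+issue #669 &quot;Segmentation fault caused by null pointer dereference
+by checking return from xmlCreatePushParserCtxt(). Address
+oss-fuzz 48340 &quot;graphicsmagick:coder_SVG_fuzzer:
+Heap-use-after-free in xmlParseInternalSubset&quot; by disabling
+internal subset handling until the parser context handling is
+fixed.</li>
+</ul>
+</blockquote>
 <p>2022-08-11 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">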