From 216a4745f0aa2921d2682fa576f8de77645d2f86 Mon Sep 17 00:00:00 2001
From: Boris Kolpackov <boris@codesynthesis.com>
Date: Wed, 14 Sep 2022 16:55:13 +0200
Subject: Import more fixes for Expat security vulnerabilities

CVE-2022-25314
CVE-2022-40674
---
 libxsde/xsde/c/expat/xmlparse.c | 57 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 7 deletions(-)

diff --git a/libxsde/xsde/c/expat/xmlparse.c b/libxsde/xsde/c/expat/xmlparse.c
index 45d6803..f97f285 100644
--- a/libxsde/xsde/c/expat/xmlparse.c
+++ b/libxsde/xsde/c/expat/xmlparse.c
@@ -438,6 +438,9 @@ static ELEMENT_TYPE *
 getElementType(XML_Parser parser, const ENCODING *enc,
                const char *ptr, const char *end);
 
+static XML_Char *copyString(const XML_Char *s,
+                            const XML_Memory_Handling_Suite *memsuite);
+
 static size_t generate_hash_secret_salt(XML_Parser parser);
 static XML_Bool startParsing(XML_Parser parser);
 
@@ -761,6 +764,8 @@ parserCreate(const XML_Char *encodingName,
   parser->m_nsAttsVersion = 0;
   parser->m_nsAttsPower = 0;
 
+  parser->m_protocolEncodingName = NULL;
+
   poolInit(&parser->m_tempPool, &(parser->m_mem));
   poolInit(&parser->m_temp2Pool, &(parser->m_mem));
   parserInit(parser, encodingName);
@@ -787,9 +792,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName)
 {
   parser->m_processor = prologInitProcessor;
   XmlPrologStateInit(&parser->m_prologState);
-  parser->m_protocolEncodingName = (encodingName != NULL
-                          ? poolCopyString(&parser->m_tempPool, encodingName)
-                          : NULL);
+  if (encodingName != NULL) {
+    parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem));
+  }
   parser->m_curBase = NULL;
   XmlInitEncoding(&parser->m_initEncoding, &parser->m_encoding, 0);
   parser->m_userData = NULL;
@@ -898,6 +903,8 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName)
     parser->m_unknownEncodingRelease(parser->m_unknownEncodingData);
   poolClear(&parser->m_tempPool);
   poolClear(&parser->m_temp2Pool);
+  FREE(parser, (void *)parser->m_protocolEncodingName);
+  parser->m_protocolEncodingName = NULL;
   parserInit(parser, encodingName);
   dtdReset(parser->m_dtd, &parser->m_mem);
   return XML_TRUE;
@@ -910,12 +917,19 @@ XML_SetEncoding(XML_Parser parser, const XML_Char *encodingName)
      XXX There's no way for the caller to determine which of the
      XXX possible error cases caused the XML_STATUS_ERROR return.
   */
-  if (parser->m_parsingStatus.parsing == XML_PARSING || parser->m_parsingStatus.parsing == XML_SUSPENDED)
+  if (parser->m_parsingStatus.parsing == XML_PARSING
+      || parser->m_parsingStatus.parsing == XML_SUSPENDED)
     return XML_STATUS_ERROR;
+
+  /* Get rid of any previous encoding name */
+  FREE(parser, (void *)parser->m_protocolEncodingName);
+
   if (encodingName == NULL)
+    /* No new encoding name */
     parser->m_protocolEncodingName = NULL;
   else {
-    parser->m_protocolEncodingName = poolCopyString(&parser->m_tempPool, encodingName);
+    /* Copy the new encoding name into allocated memory */
+    parser->m_protocolEncodingName = copyString(encodingName, &(parser->m_mem));
     if (!parser->m_protocolEncodingName)
       return XML_STATUS_ERROR;
   }
@@ -1106,6 +1120,7 @@ XML_ParserFree(XML_Parser parser)
   destroyBindings(parser->m_inheritedBindings, parser);
   poolDestroy(&parser->m_tempPool);
   poolDestroy(&parser->m_temp2Pool);
+  FREE(parser, (void *)parser->m_protocolEncodingName);
 #ifdef XML_DTD
   /* external parameter entity parsers share the DTD structure
      parser->m_dtd with the root parser, so we must not destroy it
@@ -3614,6 +3629,7 @@ initializeEncoding(XML_Parser parser)
   const char *s;
 #ifdef XML_UNICODE
   char encodingBuf[128];
+  /* See comments about `protocolEncodingName` in parserInit() */
   if (!parser->m_protocolEncodingName)
     s = NULL;
   else {
@@ -5161,8 +5177,14 @@ internalEntityProcessor(XML_Parser parser,
   {
     parser->m_processor = contentProcessor;
     /* see externalEntityContentProcessor vs contentProcessor */
-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, s, end,
-                     nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+    result = doContent(parser, parser->m_parentParser ? 1 : 0,
+                       parser->m_encoding, s, end, nextPtr,
+                       (XML_Bool)!parser->m_parsingStatus.finalBuffer);
+    if (result == XML_ERROR_NONE) {
+      if (! storeRawNames(parser))
+        return XML_ERROR_NO_MEMORY;
+    }
+    return result;
   }
 }
 
@@ -6771,4 +6793,25 @@ getElementType(XML_Parser parser,
   return ret;
 }
 
+static XML_Char *
+copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+  size_t charsRequired = 0;
+  XML_Char *result;
+
+  /* First determine how long the string is */
+  while (s[charsRequired] != 0) {
+    charsRequired++;
+  }
+  /* Include the terminator */
+  charsRequired++;
+
+  /* Now allocate space for the copy */
+  result = memsuite->malloc_fcn(charsRequired * sizeof(XML_Char));
+  if (result == NULL)
+    return NULL;
+  /* Copy the original into place */
+  memcpy(result, s, charsRequired * sizeof(XML_Char));
+  return result;
+}
+
 #include <xsde/c/post.h>
-- 
cgit v1.1