authorDaniel Veillard <veillard@src.gnome.org>2008-08-01 05:55:20 +0000
committerDaniel Veillard <veillard@src.gnome.org>2008-08-01 05:55:20 +0000
commita85673c19dcc57071c0ade9208a09da76f8d16f5 (patch)
treef112bf017b9ebb3371f1b5958d915c10a31bfdc4 /libexslt
parent73d438dce82c26b5ed2c44e1e8dd02f88e6791f6 (diff)
fix for CVE-2008-2935 libexslt RC4 encryption/decryption functions Daniel
* libexslt/crypto.c: fix for CVE-2008-2935 libexslt RC4 encryption/decryption functions Daniel svn path=/trunk/; revision=1487
Diffstat (limited to 'libexslt')
-rw-r--r--libexslt/crypto.c84
1 files changed, 69 insertions, 15 deletions
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
index cef80e82..f88f6e96 100644
--- a/libexslt/crypto.c
+++ b/libexslt/crypto.c
@@ -317,13 +317,13 @@ exsltCryptoCryptoApiRc4Decrypt (xmlXPathParserContextPtr ctxt,
#define PLATFORM_MD5 GCRY_MD_MD5
#define PLATFORM_SHA1 GCRY_MD_SHA1
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifdef HAVE_STDINT_H
-# include <stdint.h>
-#endif
-
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h> /* needed by gcrypt.h 4 Jul 04 */
#endif
@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
int str_len = 0, bin_len = 0, hex_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL;
xmlChar *bin = NULL, *hex = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
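Review bot: `tctxt` is taken from `xsltXPathGetTransformContext(ctxt)` here and never checked, yet the error paths added in the later hunks of this function and of exsltCryptoRc4DecryptFunction dereference it as `tctxt->inst` and `tctxt->state`. If the function can ever be evaluated on an XPath context with no transform context attached (not visible from this diff), each allocation-failure or bad-key path becomes a NULL dereference instead of a clean stop. Guarding the writes, e.g. `if (tctxt != NULL) tctxt->state = XSLT_STATE_STOPPED;`, and passing `tctxt ? tctxt->inst : NULL` to `xsltTransformError` keeps those paths safe. The function body continues outside the hunk.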
@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
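Review bot: The `key_len == 0` test only rejects an empty key; `xmlUTF8Strlen` reports a NULL or malformed string with a negative value, and that falls through to the padding code in the next hunk. Depending on what `xmlUTF8Strsize` returns for a negative length (not visible here), the new `key_size` range check may accept it and leave `padkey` all zeroes, so the data would be processed under a fixed key with no error reported. Use `if (key_len <= 0) {` here and in the matching check in exsltCryptoRc4DecryptFunction. The body of the `if` continues outside the hunk.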
@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* encrypt it */
bin_len = str_len;
bin = xmlStrdup (str);
if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
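Review bot: `bin_len = str_len` uses the character count that `xmlUTF8Strlen` produced in the earlier hunk, while `bin` is a byte copy of `str`; for input containing multi-byte UTF-8 the length handed on is shorter than the data, so the tail of the plaintext would be left out of the result (how `bin_len` is consumed is outside this hunk). The commit already converts the key with `xmlUTF8Strsize`, and the data needs the same treatment, e.g. `bin_len = xmlUTF8Strsize (str, str_len);`, with `hex_len` in the following hunk derived from `bin_len` rather than `str_len`.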
@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
hex_len = str_len * 2 + 1;
hex = xmlMallocAtomic (hex_len);
if (hex == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
xmlXPathReturnEmptyString (ctxt);
goto done;
}
@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
int str_len = 0, bin_len = 0, ret_len = 0;
xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin =
NULL, *ret = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
xmlXPathSetArityError (ctxt);
return;
}
+ tctxt = xsltXPathGetTransformContext(ctxt);
str = xmlXPathPopString (ctxt);
str_len = xmlUTF8Strlen (str);
@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
}
key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
if (key_len == 0) {
xmlXPathReturnEmptyString (ctxt);
@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
return;
}
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
/* decode hex to binary */
bin_len = str_len;
bin = xmlMallocAtomic (bin_len);
+ if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
/* decrypt the binary blob */
ret = xmlMallocAtomic (ret_len);
+ if (ret == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
xmlXPathReturnString (ctxt, ret);
+done:
if (key != NULL)
xmlFree (key);
if (str != NULL)
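Review bot: `ret` is allocated with exactly `ret_len` bytes and then handed to `xmlXPathReturnString`, which treats it as a NUL-terminated string; nothing in the visible lines writes a terminator, so a consumer of the result can read past the end of the allocation. Allocate `ret_len + 1` and set `ret[ret_len] = 0;` after `PLATFORM_RC4_DECRYPT`. Separately, the four error messages added in this hunk say `exsltCryptoRc4EncryptFunction` although the hunk header places them in exsltCryptoRc4DecryptFunction, which will misdirect anyone reading the transform log. The cleanup after `done:` continues outside the hunk.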