author | Daniel Veillard <veillard@src.gnome.org> | 2008-08-01 05:55:20 +0000 |
---|---|---|
committer | Daniel Veillard <veillard@src.gnome.org> | 2008-08-01 05:55:20 +0000 |
commit | a85673c19dcc57071c0ade9208a09da76f8d16f5 (patch) | |
tree | f112bf017b9ebb3371f1b5958d915c10a31bfdc4 /libexslt | |
parent | 73d438dce82c26b5ed2c44e1e8dd02f88e6791f6 (diff) | |
fix for CVE-2008-2935 libexslt RC4 encryption/decryption functions Daniel
* libexslt/crypto.c: fix for CVE-2008-2935 libexslt RC4
encryption/decryption functions
Daniel
svn path=/trunk/; revision=1487
Diffstat (limited to 'libexslt')
-rw-r--r-- | libexslt/crypto.c | 84 |
1 files changed, 69 insertions, 15 deletions
diff --git a/libexslt/crypto.c b/libexslt/crypto.c
index cef80e82..f88f6e96 100644
--- a/libexslt/crypto.c
+++ b/libexslt/crypto.c
@@ -317,13 +317,13 @@ exsltCryptoCryptoApiRc4Decrypt (xmlXPathParserContextPtr ctxt,
 #define PLATFORM_MD5 GCRY_MD_MD5
 #define PLATFORM_SHA1 GCRY_MD_SHA1
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#ifdef HAVE_STDINT_H
-# include <stdint.h>
-#endif
-
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+
 #ifdef HAVE_SYS_SELECT_H
 #include <sys/select.h> /* needed by gcrypt.h 4 Jul 04 */
 #endif
@@ -595,11 +595,13 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 int str_len = 0, bin_len = 0, hex_len = 0;
 xmlChar *key = NULL, *str = NULL, *padkey = NULL;
 xmlChar *bin = NULL, *hex = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
 xmlXPathSetArityError (ctxt);
 return;
 }
+ tctxt = xsltXPathGetTransformContext(ctxt);
 str = xmlXPathPopString (ctxt);
 str_len = xmlUTF8Strlen (str);
@@ -611,7 +613,7 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 }
 key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
 if (key_len == 0) {
 xmlXPathReturnEmptyString (ctxt);
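Review bot: The result of the new `tctxt = xsltXPathGetTransformContext(ctxt);` is never checked, yet the error paths this commit adds further down the function read `tctxt->inst` and write `tctxt->state`. If the XPath context does not belong to a running XSLT transformation, the lookup presumably yields NULL, and an allocation failure or an over-long key would then end in a NULL dereference instead of a clean error. I would guard those paths, e.g. `if (tctxt != NULL) tctxt->state = XSLT_STATE_STOPPED;`, and pass `tctxt ? tctxt->inst : NULL` to `xsltTransformError`. The same applies to the identical change in exsltCryptoRc4DecryptFunction (hunk at -670); both function bodies continue outside their hunks.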
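Review bot: The `if (key_len == 0)` test after the corrected `key_len = xmlUTF8Strlen (key);` rejects only an empty key, while xmlUTF8Strlen returns -1 for a NULL or malformed UTF-8 string and that value falls through. As far as I can tell, xmlUTF8Strsize then reports 0 bytes for a non-positive length, so the later `key_size` check passes and the data is processed with an all-zero padkey without any error being raised. I would change the test to `if (key_len <= 0) {` here and in the matching hunk of exsltCryptoRc4DecryptFunction (-686). The rest of the guarded block lies outside this hunk.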
@@ -620,15 +622,33 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 return;
 }
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
+ key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
 memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
 /* encrypt it */
 bin_len = str_len;
 bin = xmlStrdup (str);
 if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
 xmlXPathReturnEmptyString (ctxt);
 goto done;
 }
@@ -638,6 +658,9 @@ exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 hex_len = str_len * 2 + 1;
 hex = xmlMallocAtomic (hex_len);
 if (hex == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
 xmlXPathReturnEmptyString (ctxt);
 goto done;
 }
@@ -670,11 +693,13 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 int str_len = 0, bin_len = 0, ret_len = 0;
 xmlChar *key = NULL, *str = NULL, *padkey = NULL, *bin = NULL, *ret = NULL;
+ xsltTransformContextPtr tctxt = NULL;
- if ((nargs < 1) || (nargs > 3)) {
+ if (nargs != 2) {
 xmlXPathSetArityError (ctxt);
 return;
 }
+ tctxt = xsltXPathGetTransformContext(ctxt);
 str = xmlXPathPopString (ctxt);
 str_len = xmlUTF8Strlen (str);
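Review bot: `bin_len = str_len;` still takes its value from `str_len = xmlUTF8Strlen (str);`, which is a character count, while `bin` is a byte copy made with `xmlStrdup (str)`. For input containing multi-byte UTF-8 sequences the byte length is larger, so the cipher call (outside this hunk) and `hex_len = str_len * 2 + 1` presumably cover only a prefix of the plaintext. The commit already measures the key in bytes with `xmlUTF8Strsize`, and the data should be treated the same way, e.g. `str_len = xmlStrlen (str);`. A short comment next to `memset(padkey, 0, RC4_KEY_LENGTH + 1);` saying that short keys are zero-padded to RC4_KEY_LENGTH would also help the next reader.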
@@ -686,7 +711,7 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 }
 key = xmlXPathPopString (ctxt);
- key_len = xmlUTF8Strlen (str);
+ key_len = xmlUTF8Strlen (key);
 if (key_len == 0) {
 xmlXPathReturnEmptyString (ctxt);
@@ -695,22 +720,51 @@ exsltCryptoRc4DecryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
 return;
 }
- padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
+ padkey = xmlMallocAtomic (RC4_KEY_LENGTH + 1);
+ if (padkey == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate padkey\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
+ memset(padkey, 0, RC4_KEY_LENGTH + 1);
 key_size = xmlUTF8Strsize (key, key_len);
+ if ((key_size > RC4_KEY_LENGTH) || (key_size < 0)) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: key size too long or key broken\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
 memcpy (padkey, key, key_size);
- memset (padkey + key_size, '\0', sizeof (padkey));
 /* decode hex to binary */
 bin_len = str_len;
 bin = xmlMallocAtomic (bin_len);
+ if (bin == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate string\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
 ret_len = exsltCryptoHex2Bin (str, str_len, bin, bin_len);
 /* decrypt the binary blob */
 ret = xmlMallocAtomic (ret_len);
+ if (ret == NULL) {
+ xsltTransformError(tctxt, NULL, tctxt->inst,
+ "exsltCryptoRc4EncryptFunction: Failed to allocate result\n");
+ tctxt->state = XSLT_STATE_STOPPED;
+ xmlXPathReturnEmptyString (ctxt);
+ goto done;
+ }
 PLATFORM_RC4_DECRYPT (ctxt, padkey, bin, ret_len, ret, ret_len);
 xmlXPathReturnString (ctxt, ret);
+done:
 if (key != NULL) xmlFree (key);
 if (str != NULL) |
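Review bot: `ret = xmlMallocAtomic (ret_len);` is filled with exactly `ret_len` bytes by `PLATFORM_RC4_DECRYPT` and then handed to `xmlXPathReturnString (ctxt, ret)`, which expects a NUL-terminated string; nothing in the hunk writes a terminator, so consumers of the result can read past the end of the allocation. Allocate one extra byte and terminate it: `ret = xmlMallocAtomic (ret_len + 1);` and, after the decrypt call, `ret[ret_len] = 0;`. Separately, every message added to this function is prefixed `exsltCryptoRc4EncryptFunction:` although the code sits in exsltCryptoRc4DecryptFunction, which will misdirect anyone reading the error log. The cleanup after `done:` runs past the end of the hunk.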