user/raptor2/CVE-2020-25713.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
From: Dave Beckett <dave@dajobe.org>
Date: Sat, 18 Sep 2021 17:40:00 -0700
Subject: [PATCH] XML Writer : compare namespace declarations correctly

Apply patch from
0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
which overwrote heap during XML writing in parse type literal
content.  This was detected with clang asan.

Thanks to Michael Stahl / mst2 for the fix.
---
 src/raptor_xml_writer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
index 56993dc38..4426d38cf 100644
--- a/src/raptor_xml_writer.c
+++ b/src/raptor_xml_writer.c
@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
           
           /* check it wasn't an earlier declaration too */
           for(j = 0; j < nspace_declarations_count; j++)
-            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
               declare_me = 0;
               break;
             }