Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package expat for openSUSE:Factory checked in at 2024-03-17 22:13:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/expat (Old) and /work/SRC/openSUSE:Factory/.expat.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "expat" Sun Mar 17 22:13:33 2024 rev:75 rq:1158280 version:2.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/expat/expat.changes 2024-03-05 18:46:49.792694823 +0100 +++ /work/SRC/openSUSE:Factory/.expat.new.1905/expat.changes 2024-03-17 22:13:35.583092924 +0100 @@ -1,0 +2,9 @@ +Wed Mar 13 22:23:20 UTC 2024 - Andreas Stieger <[email protected]> + +- update to 2.6.2: + * CVE-2024-28757 -- Prevent billion laughs attacks with isolated + use of external parsers (boo#1221289) + * Reject direct parameter entity recursion and avoid the related + undefined behavior + +------------------------------------------------------------------- Old: ---- expat-2.6.1.tar.xz expat-2.6.1.tar.xz.asc New: ---- expat-2.6.2.tar.xz expat-2.6.2.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ expat.spec ++++++ --- /var/tmp/diff_new_pack.ZxZzbP/_old 2024-03-17 22:13:36.235116780 +0100 +++ /var/tmp/diff_new_pack.ZxZzbP/_new 2024-03-17 22:13:36.235116780 +0100 @@ -2,6 +2,7 @@ # spec file for package expat # # Copyright (c) 2024 SUSE LLC +# Copyright (c) 2024 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,9 +17,10 @@ # -%global unversion 2_6_1 +%global unversion 2_6_2 +%define sover 1 Name: expat -Version: 2.6.1 +Version: 2.6.2 Release: 0 Summary: XML Parser Toolkit License: MIT @@ -39,11 +41,11 @@ parser in which an application registers handlers for things the parser might find in the XML document (like start tags). -%package -n libexpat1 +%package -n libexpat%{sover} Summary: XML Parser Toolkit Group: System/Libraries -%description -n libexpat1 +%description -n libexpat%{sover} Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). @@ -52,7 +54,7 @@ Summary: Development files for expat, an XML parser toolkit Group: Development/Libraries/C and C++ Requires: glibc-devel -Requires: libexpat1 = %{version} +Requires: libexpat%{sover} = %{version} %description -n libexpat-devel Expat is an XML parser library written in C. It is a stream-oriented @@ -89,8 +91,7 @@ %make_install find %{buildroot} -type f -name "*.la" -delete -print -%post -n libexpat1 -p /sbin/ldconfig -%postun -n libexpat1 -p /sbin/ldconfig +%ldconfig_scriptlets -n libexpat%{sover} %files %license COPYING @@ -102,9 +103,12 @@ %{_mandir}/man1/xmlwf.1%{?ext_man} %files -n libexpat1 -%{_libdir}/libexpat.so.* +%license COPYING +%{_libdir}/libexpat.so.%{sover} +%{_libdir}/libexpat.so.%{sover}.* %files -n libexpat-devel +%license COPYING %{_includedir}/* %{_libdir}/libexpat.so %{_libdir}/pkgconfig/expat.pc ++++++ expat-2.6.1.tar.xz -> expat-2.6.2.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/CMake.README new/expat-2.6.2/CMake.README --- old/expat-2.6.1/CMake.README 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/CMake.README 2024-03-13 17:38:11.000000000 +0100 @@ -3,25 +3,25 @@ The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual Studio) and should work on all other platform cmake supports. -Assuming ~/expat-2.6.1 is the source directory of expat, add a subdirectory +Assuming ~/expat-2.6.2 is the source directory of expat, add a subdirectory build and change into that directory: -~/expat-2.6.1$ mkdir build && cd build -~/expat-2.6.1/build$ +~/expat-2.6.2$ mkdir build && cd build +~/expat-2.6.2/build$ From that directory, call cmake first, then call make, make test and make install in the usual way: -~/expat-2.6.1/build$ cmake .. +~/expat-2.6.2/build$ cmake .. -- The C compiler identification is GNU -- The CXX compiler identification is GNU .... -- Configuring done -- Generating done --- Build files have been written to: /home/patrick/expat-2.6.1/build +-- Build files have been written to: /home/patrick/expat-2.6.2/build If you want to specify the install location for your files, append -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call. -~/expat-2.6.1/build$ make && make test && make install +~/expat-2.6.2/build$ make && make test && make install Scanning dependencies of target expat [ 5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/CMakeLists.txt new/expat-2.6.2/CMakeLists.txt --- old/expat-2.6.1/CMakeLists.txt 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/CMakeLists.txt 2024-03-13 17:38:11.000000000 +0100 @@ -38,7 +38,7 @@ project(expat VERSION - 2.6.1 + 2.6.2 LANGUAGES C ) @@ -466,7 +466,7 @@ endforeach() set(LIBCURRENT 10) # sync -set(LIBREVISION 1) # with +set(LIBREVISION 2) # with set(LIBAGE 9) # configure.ac! math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/Changes new/expat-2.6.2/Changes --- old/expat-2.6.1/Changes 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/Changes 2024-03-13 17:38:11.000000000 +0100 @@ -1,6 +1,59 @@ -NOTE: We are looking for help with a few things: - https://github.com/libexpat/libexpat/labels/help%20wanted - If you can help, please get in touch. Thanks! + __ __ _ + ___\ \/ /_ __ __ _| |_ + / _ \\ /| '_ \ / _` | __| + | __// \| |_) | (_| | |_ + \___/_/\_\ .__/ \__,_|\__| + |_| XML parser + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !! +!! ~~~~~~~~~~~~ !! +!! The following topics need *additional skilled C developers* to progress !! +!! in a timely manner or at all (loosely ordered by descending priority): !! +!! !! +!! - <blink>fixing a complex non-public security issue</blink>, !! +!! - teaming up on researching and fixing future security reports and !! +!! ClusterFuzz findings with few-days-max response times in communication !! +!! in order to (1) have a sound fix ready before the end of a 90 days !! +!! grace period and (2) in a sustainable manner, !! +!! - implementing and auto-testing XML 1.0r5 support !! +!! (needs discussion before pull requests), !! +!! - smart ideas on fixing the Autotools CMake files generation issue !! +!! without breaking CI (needs discussion before pull requests), !! +!! - the Windows binaries topic (needs requirements engineering first), !! +!! - pushing migration from `int` to `size_t` further !! +!! including edge-cases test coverage (needs discussion before anything). !! +!! !! +!! For details, please reach out via e-mail to [email protected] so we !! +!! can schedule a voice call on the topic, in English or German. !! +!! !! +!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +Release 2.6.2 Wed March 13 2024 + Security fixes: + #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with + isolated use of external parsers. Please see the commit + message of commit 1d50b80cf31de87750103656f6eb693746854aa8 + for details. + + Bug fixes: + #839 #841 Reject direct parameter entity recursion + and avoid the related undefined behavior + + Other changes: + #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces + #837 Add missing #821 and #824 to 2.6.1 change log + #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) + to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ + for what these numbers do + + Special thanks to: + Philippe Antoine + Tomas Korbar + and + Clang UndefinedBehaviorSanitizer + OSS-Fuzz / ClusterFuzz Release 2.6.1 Thu February 29 2024 Bug fixes: @@ -11,6 +64,8 @@ Other changes: #829 Hide test-only code behind new internal macro #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P + #821 #824 Autotools: Fix "make clean" for case: + ./configure --without-docbook && make clean all #819 Address compiler warnings #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/README.md new/expat-2.6.2/README.md --- old/expat-2.6.1/README.md 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/README.md 2024-03-13 17:38:11.000000000 +0100 @@ -5,7 +5,7 @@ [](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.6.1 +# Expat, Release 2.6.2 This is Expat, a C99 library for parsing [XML 1.0 Fourth Edition](https://www.w3.org/TR/2006/REC-xml-20060816/), started by diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/configure new/expat-2.6.2/configure --- old/expat-2.6.1/configure 2024-02-29 21:36:36.000000000 +0100 +++ new/expat-2.6.2/configure 2024-03-13 17:49:06.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for expat 2.6.1. +# Generated by GNU Autoconf 2.71 for expat 2.6.2. # # Report bugs to <https://github.com/libexpat/libexpat/issues>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='expat' PACKAGE_TARNAME='expat' -PACKAGE_VERSION='2.6.1' -PACKAGE_STRING='expat 2.6.1' +PACKAGE_VERSION='2.6.2' +PACKAGE_STRING='expat 2.6.2' PACKAGE_BUGREPORT='https://github.com/libexpat/libexpat/issues' PACKAGE_URL='' @@ -1424,7 +1424,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures expat 2.6.1 to adapt to many kinds of systems. +\`configure' configures expat 2.6.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1495,7 +1495,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of expat 2.6.1:";; + short | recursive ) echo "Configuration of expat 2.6.2:";; esac cat <<\_ACEOF @@ -1632,7 +1632,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -expat configure 2.6.1 +expat configure 2.6.2 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2263,7 +2263,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by expat $as_me 2.6.1, which was +It was created by expat $as_me 2.6.2, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3829,7 +3829,7 @@ # Define the identity of the package. PACKAGE='expat' - VERSION='2.6.1' + VERSION='2.6.2' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -3960,7 +3960,7 @@ LIBCURRENT=10 # sync -LIBREVISION=1 # with +LIBREVISION=2 # with LIBAGE=9 # CMakeLists.txt! ac_config_headers="$ac_config_headers expat_config.h" @@ -20977,7 +20977,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by expat $as_me 2.6.1, which was +This file was extended by expat $as_me 2.6.2, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21045,7 +21045,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -expat config.status 2.6.1 +expat config.status 2.6.2 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/configure.ac new/expat-2.6.2/configure.ac --- old/expat-2.6.1/configure.ac 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/configure.ac 2024-03-13 17:38:11.000000000 +0100 @@ -83,7 +83,7 @@ dnl LIBCURRENT=10 # sync -LIBREVISION=1 # with +LIBREVISION=2 # with LIBAGE=9 # CMakeLists.txt! AC_CONFIG_HEADERS([expat_config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/doc/Makefile.am new/expat-2.6.2/doc/Makefile.am --- old/expat-2.6.1/doc/Makefile.am 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/doc/Makefile.am 2024-03-13 17:38:03.000000000 +0100 @@ -37,7 +37,7 @@ xmlwf.1: xmlwf.xml -rm -f $@ - test x$(DOCBOOK_TO_MAN) != x && $(DOCBOOK_TO_MAN) $< + test "x$(DOCBOOK_TO_MAN)" != x && $(DOCBOOK_TO_MAN) $< test -f $@ || mv XMLWF.1 $@ endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/doc/Makefile.in new/expat-2.6.2/doc/Makefile.in --- old/expat-2.6.1/doc/Makefile.in 2024-02-29 21:36:37.000000000 +0100 +++ new/expat-2.6.2/doc/Makefile.in 2024-03-13 17:49:07.000000000 +0100 @@ -605,7 +605,7 @@ @[email protected]: xmlwf.xml @WITH_MANPAGE_TRUE@ -rm -f $@ -@WITH_MANPAGE_TRUE@ test x$(DOCBOOK_TO_MAN) != x && $(DOCBOOK_TO_MAN) $< +@WITH_MANPAGE_TRUE@ test "x$(DOCBOOK_TO_MAN)" != x && $(DOCBOOK_TO_MAN) $< @WITH_MANPAGE_TRUE@ test -f $@ || mv XMLWF.1 $@ @WITH_DISTRIBUTABLE_MANPAGE_FALSE@dist-hook: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/doc/reference.html new/expat-2.6.2/doc/reference.html --- old/expat-2.6.1/doc/reference.html 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/doc/reference.html 2024-03-13 17:38:11.000000000 +0100 @@ -52,7 +52,7 @@ <div> <h1> The Expat XML Parser - <small>Release 2.6.1</small> + <small>Release 2.6.2</small> </h1> </div> <div class="content"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/doc/xmlwf.1 new/expat-2.6.2/doc/xmlwf.1 --- old/expat-2.6.1/doc/xmlwf.1 2024-02-29 21:36:43.000000000 +0100 +++ new/expat-2.6.2/doc/xmlwf.1 2024-03-13 17:49:13.000000000 +0100 @@ -5,7 +5,7 @@ \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH XMLWF 1 "February 29, 2024" "" "" +.TH XMLWF 1 "March 13, 2024" "" "" .SH NAME xmlwf \- Determines if an XML document is well-formed .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/doc/xmlwf.xml new/expat-2.6.2/doc/xmlwf.xml --- old/expat-2.6.1/doc/xmlwf.xml 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/doc/xmlwf.xml 2024-03-13 17:38:11.000000000 +0100 @@ -21,7 +21,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"; [ <!ENTITY dhfirstname "<firstname>Scott</firstname>"> <!ENTITY dhsurname "<surname>Bronson</surname>"> - <!ENTITY dhdate "<date>February 29, 2024</date>"> + <!ENTITY dhdate "<date>March 13, 2024</date>"> <!-- Please adjust this^^ date whenever cutting a new release. --> <!ENTITY dhsection "<manvolnum>1</manvolnum>"> <!ENTITY dhemail "<email>[email protected]</email>"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/expat_config.h new/expat-2.6.2/expat_config.h --- old/expat-2.6.1/expat_config.h 2024-02-29 21:36:43.000000000 +0100 +++ new/expat-2.6.2/expat_config.h 2024-03-13 17:49:12.000000000 +0100 @@ -83,7 +83,7 @@ #define PACKAGE_NAME "expat" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "expat 2.6.1" +#define PACKAGE_STRING "expat 2.6.2" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "expat" @@ -92,7 +92,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "2.6.1" +#define PACKAGE_VERSION "2.6.2" /* Define to 1 if all of the C90 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for @@ -100,7 +100,7 @@ #define STDC_HEADERS 1 /* Version number of package */ -#define VERSION "2.6.1" +#define VERSION "2.6.2" /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/lib/expat.h new/expat-2.6.2/lib/expat.h --- old/expat-2.6.1/lib/expat.h 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/lib/expat.h 2024-03-13 17:38:11.000000000 +0100 @@ -1066,7 +1066,7 @@ */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 6 -#define XML_MICRO_VERSION 1 +#define XML_MICRO_VERSION 2 #ifdef __cplusplus } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/lib/xmlparse.c new/expat-2.6.2/lib/xmlparse.c --- old/expat-2.6.1/lib/xmlparse.c 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/lib/xmlparse.c 2024-03-13 17:38:11.000000000 +0100 @@ -1,4 +1,4 @@ -/* dd2a9703e301882afe16d198a82689ab225277057f5eab9d079d8606eab736b4 (2.6.1+) +/* 2a14271ad4d35e82bde8ba210b4edb7998794bcbae54deab114046a300f9639a (2.6.2+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| @@ -6240,7 +6240,7 @@ dtd->keepProcessing = dtd->standalone; goto endEntityValue; } - if (entity->open) { + if (entity->open || (entity == parser->m_declEntity)) { if (enc == parser->m_encoding) parser->m_eventPtr = entityTextPtr; result = XML_ERROR_RECURSIVE_ENTITY_REF; @@ -7787,6 +7787,8 @@ static float accountingGetCurrentAmplification(XML_Parser rootParser) { + // 1.........1.........12 => 22 + const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1; const XmlBigCount countBytesOutput = rootParser->m_accounting.countBytesDirect + rootParser->m_accounting.countBytesIndirect; @@ -7794,7 +7796,9 @@ = rootParser->m_accounting.countBytesDirect ? (countBytesOutput / (float)(rootParser->m_accounting.countBytesDirect)) - : 1.0f; + : ((lenOfShortestInclude + + rootParser->m_accounting.countBytesIndirect) + / (float)lenOfShortestInclude); assert(! rootParser->m_parentParser); return amplificationFactor; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/tests/acc_tests.c new/expat-2.6.2/tests/acc_tests.c --- old/expat-2.6.1/tests/acc_tests.c 2024-02-28 15:11:57.000000000 +0100 +++ new/expat-2.6.2/tests/acc_tests.c 2024-03-13 17:38:03.000000000 +0100 @@ -378,6 +378,63 @@ fail("unsignedCharToPrintable result mistaken"); } END_TEST + +START_TEST(test_amplification_isolated_external_parser) { + // NOTE: Length 44 is precisely twice the length of "<!ENTITY a SYSTEM 'b'>" + // (22) that is used in function accountingGetCurrentAmplification in + // xmlparse.c. + // 1.........1.........1.........1.........1..4 => 44 + const char doc[] = "<!ENTITY % p1 '123456789_123456789_1234567'>"; + const int docLen = (int)sizeof(doc) - 1; + const float maximumToleratedAmplification = 2.0f; + + struct TestCase { + int offsetOfThreshold; + enum XML_Status expectedStatus; + }; + + struct TestCase cases[] = { + {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR}, + {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK}, + }; + + for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { + const int offsetOfThreshold = cases[i].offsetOfThreshold; + const enum XML_Status expectedStatus = cases[i].expectedStatus; + const unsigned long long activationThresholdBytes + = docLen + offsetOfThreshold; + + set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold, + expectedStatus); + + XML_Parser parser = XML_ParserCreate(NULL); + assert_true(parser != NULL); + + assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification( + parser, maximumToleratedAmplification) + == XML_TRUE); + assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser, activationThresholdBytes) + == XML_TRUE); + + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + assert_true(ext_parser != NULL); + + const enum XML_Status actualStatus + = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE); + + assert_true(actualStatus == expectedStatus); + if (actualStatus != XML_STATUS_OK) { + assert_true(XML_GetErrorCode(ext_parser) + == XML_ERROR_AMPLIFICATION_LIMIT_BREACH); + } + + XML_ParserFree(ext_parser); + XML_ParserFree(parser); + } +} +END_TEST + #endif // XML_GE == 1 void @@ -390,6 +447,8 @@ tcase_add_test(tc_accounting, test_accounting_precision); tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api); tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable); + tcase_add_test__ifdef_xml_dtd(tc_accounting, + test_amplification_isolated_external_parser); #else UNUSED_P(s); #endif /* XML_GE == 1 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/tests/basic_tests.c new/expat-2.6.2/tests/basic_tests.c --- old/expat-2.6.1/tests/basic_tests.c 2024-02-28 15:11:57.000000000 +0100 +++ new/expat-2.6.2/tests/basic_tests.c 2024-03-13 17:38:03.000000000 +0100 @@ -1202,6 +1202,49 @@ } END_TEST +START_TEST(test_recursive_external_parameter_entity_2) { + struct TestCase { + const char *doc; + enum XML_Status expectedStatus; + }; + + struct TestCase cases[] = { + {"<!ENTITY % p1 '%p1;'>", XML_STATUS_ERROR}, + {"<!ENTITY % p1 '%p1;'>" + "<!ENTITY % p1 'first declaration wins'>", + XML_STATUS_ERROR}, + {"<!ENTITY % p1 'first declaration wins'>" + "<!ENTITY % p1 '%p1;'>", + XML_STATUS_OK}, + {"<!ENTITY % p1 '%p1;'>", XML_STATUS_OK}, + }; + + for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { + const char *const doc = cases[i].doc; + const enum XML_Status expectedStatus = cases[i].expectedStatus; + set_subtest("%s", doc); + + XML_Parser parser = XML_ParserCreate(NULL); + assert_true(parser != NULL); + + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + assert_true(ext_parser != NULL); + + const enum XML_Status actualStatus + = _XML_Parse_SINGLE_BYTES(ext_parser, doc, (int)strlen(doc), XML_TRUE); + + assert_true(actualStatus == expectedStatus); + if (actualStatus != XML_STATUS_OK) { + assert_true(XML_GetErrorCode(ext_parser) + == XML_ERROR_RECURSIVE_ENTITY_REF); + } + + XML_ParserFree(ext_parser); + XML_ParserFree(parser); + } +} +END_TEST + /* Test incomplete external entities are faulted */ START_TEST(test_ext_entity_invalid_parse) { const char *text = "<!DOCTYPE doc [\n" @@ -5944,6 +5987,8 @@ tcase_add_test__ifdef_xml_dtd(tc_basic, test_skipped_parameter_entity); tcase_add_test__ifdef_xml_dtd(tc_basic, test_recursive_external_parameter_entity); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_recursive_external_parameter_entity_2); tcase_add_test(tc_basic, test_undefined_ext_entity_in_external_dtd); tcase_add_test(tc_basic, test_suspend_xdecl); tcase_add_test(tc_basic, test_abort_epilog); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/tests/misc_tests.c new/expat-2.6.2/tests/misc_tests.c --- old/expat-2.6.1/tests/misc_tests.c 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/tests/misc_tests.c 2024-03-13 17:38:11.000000000 +0100 @@ -208,7 +208,7 @@ if (! versions_equal(&read_version, &parsed_version)) fail("Version mismatch"); - if (xcstrcmp(version_text, XCS("expat_2.6.1"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.6.2"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); } END_TEST diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.6.1/win32/expat.iss new/expat-2.6.2/win32/expat.iss --- old/expat-2.6.1/win32/expat.iss 2024-02-29 21:19:18.000000000 +0100 +++ new/expat-2.6.2/win32/expat.iss 2024-03-13 17:38:11.000000000 +0100 @@ -37,7 +37,7 @@ ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ; USE OR OTHER DEALINGS IN THE SOFTWARE. -#define expatVer "2.6.1" +#define expatVer "2.6.2" [Setup] AppName=Expat
