1From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Tue, 8 Feb 2022 04:32:20 +0100
4Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235)
5
6---
7 lib/xmltok_impl.c | 8 ++++++--
8 1 file changed, 6 insertions(+), 2 deletions(-)
9
10diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
11index 0430591b4..64a3b2c15 100644
12--- a/lib/xmltok_impl.c
13+++ b/lib/xmltok_impl.c
14@@ -69,7 +69,7 @@
15 case BT_LEAD##n: \
16 if (end - ptr < n) \
17 return XML_TOK_PARTIAL_CHAR; \
18- if (! IS_NAME_CHAR(enc, ptr, n)) { \
19+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
20 *nextTokPtr = ptr; \
21 return XML_TOK_INVALID; \
22 } \
23@@ -98,7 +98,7 @@
24 case BT_LEAD##n: \
25 if (end - ptr < n) \
26 return XML_TOK_PARTIAL_CHAR; \
27- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
28+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
29 *nextTokPtr = ptr; \
30 return XML_TOK_INVALID; \
31 } \
32@@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
33 case BT_LEAD##n: \
34 if (end - ptr < n) \
35 return XML_TOK_PARTIAL_CHAR; \
36+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
37+ *nextTokPtr = ptr; \
38+ return XML_TOK_INVALID; \
39+ } \
40 if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
41 ptr += n; \
42 tok = XML_TOK_NAME; \
43
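Review bot: The new `IS_INVALID_CHAR(enc, ptr, n) ||` guard in this `BT_LEAD##n` arm, and the identical one in the name-start macro of the next hunk (`@@ -98,7 +98,7 @@`), ship without a regression test: the diffstat lists only `lib/xmltok_impl.c`. A test that places a malformed 2-, 3- and 4-byte sequence inside a name and expects the parse to be rejected would keep the CVE-2022-25235 fix from regressing; it may exist in a separate commit that this page does not show. The ordering also deserves a comment in the macro itself, e.g. `/* reject malformed sequences before classifying: IS_NAME_CHAR does not validate the encoding */`, which is what the subject line implies. Both macros start and end outside their hunks.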
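Review bot: The standalone guard added to this `BT_LEAD##n` arm of `prologTok` has no comment saying that it must stay ahead of every classification lookup below it, and it is written as a separate block where the two macros earlier in the patch fold the same test into an `||`. Only the `IS_NMSTRT_CHAR` branch is visible; the arm continues past the end of the hunk, so any further lookup there presumably depends on this guard as well. A line such as `/* must precede all IS_NMSTRT_CHAR / IS_NAME_CHAR lookups in this arm */` would keep a later reorder from reopening the gap. It is also worth confirming that no other `BT_LEAD##n` arm in the file calls these classifiers directly without `IS_INVALID_CHAR`; the patch touches three sites and the rest of the file is not shown.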