From d038d7177668030f0c54fa1772d3f174cf6527f1 Mon Sep 17 00:00:00 2001
From: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Date: Thu, 1 Dec 2022 12:58:11 +0000
Subject: [PATCH 26/28] Correctly relocate internal pointers after realloc()

Adding an offset to a deallocated pointer and assuming that it can be
dereferenced is undefined behaviour. When running libxml2 on CHERI-enabled
systems such as Arm Morello this results in the creation of an out-of-bounds
pointer that cannot be dereferenced and therefore crashes at runtime.

The effect of this UB is not just limited to architectures such as CHERI;
incorrect relocation of pointers after realloc can in fact cause
FORTIFY_SOURCE errors with recent GCC:
https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level

Reference: https://github.com/GNOME/libxml2/commit/c62c0d82ccacc2000c45f211166f008687fb97a0
Conflict: NA
---
 parser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/parser.c b/parser.c
index 9d50138..adc449c 100644
--- a/parser.c
+++ b/parser.c
26@@ -9514,10 +9514,10 @@ next_attr:
27              * Arithmetic on dangling pointers is technically undefined
28              * behavior, but well...
29              */
30-            ptrdiff_t offset = ctxt->input->base - atts[i+2];
31+            const xmlChar *old = atts[i+2];
32             atts[i+2]  = NULL;    /* Reset repurposed namespace URI */
33-            atts[i+3] += offset;  /* value */
34-            atts[i+4] += offset;  /* valuend */
35+            atts[i+3] = ctxt->input->base + (atts[i+3] - old);  /* value */
36+            atts[i+4] = ctxt->input->base + (atts[i+4] - old);  /* valuend */
37         }
38     }
39
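Review bot: the added lines still do arithmetic on dangling pointers (`atts[i+3] - old` and `atts[i+4] - old` subtract two pointers into the freed block), so the context comment kept above ("Arithmetic on dangling pointers is technically undefined behavior, but well...") now describes the remaining, much narrower, UB and should be updated to say why this form is acceptable: only an integer difference is taken from the stale pointers, and every new pointer is derived from the live `ctxt->input->base`, which is what gives it valid CHERI bounds and keeps FORTIFY_SOURCE quiet. A follow-up could go further and record `atts[i+3]` and `atts[i+4]` as integer offsets from the old base before the input buffer is reallocated, so that no stale pointer is read at all; that change is outside this hunk.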
--
2.27.0
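The commit message above describes the bug class in general terms. What follows is an added example, not libxml2 code, that shows the safe relocation pattern on a constructed growable buffer: record each internal pointer as an integer offset while the old block is still live, call realloc(), then re-derive every pointer from the new base. (The libxml2 change computes the difference after the move from a saved copy of the old pointer; this example records the offsets before the move, which avoids touching stale pointers at all.) All names here, `buf_t`, `buf_grow`, `buf_append` and `relocation_demo`, are invented for the example, and the attribute string is constructed input.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a growable text buffer plus an array of pointers
 * that point into it (in the spirit of libxml2's atts[] value/valuend). */
typedef struct {
    char  *base;   /* start of the heap block; may move on realloc */
    size_t len;    /* bytes in use */
    size_t cap;    /* bytes allocated */
} buf_t;

/* Grow the buffer so that `need` more bytes fit, keeping the internal
 * pointers in ptrs[0..nptrs) valid. The wrong pattern would be
 *   ptrs[i] += new_base - old_base;
 * after realloc, i.e. pointer arithmetic on a pointer into the freed
 * block. On CHERI that yields an out-of-bounds capability; with
 * FORTIFY_SOURCE it can trip object-size checks. Instead we do:
 *   1. convert each pointer to an integer offset while the block is live,
 *   2. realloc,
 *   3. rebuild each pointer from the *new* base plus that integer.
 * Returns 0 on success, -1 on allocation failure (state unchanged). */
static int buf_grow(buf_t *b, size_t need, char **ptrs, size_t nptrs) {
    size_t newcap = b->cap ? b->cap : 16;
    while (newcap < b->len + need)
        newcap *= 2;

    /* Step 1: offsets are plain integers, computed from live pointers. */
    size_t *offs = malloc((nptrs ? nptrs : 1) * sizeof *offs);
    if (!offs)
        return -1;
    for (size_t i = 0; i < nptrs; i++)
        offs[i] = (size_t)(ptrs[i] - b->base);

    /* Step 2: the old block may be freed here; b->base becomes stale. */
    char *nb = realloc(b->base, newcap);
    if (!nb) {
        free(offs);
        return -1;
    }
    b->base = nb;
    b->cap  = newcap;

    /* Step 3: derive every pointer from the live base, never the old one. */
    for (size_t i = 0; i < nptrs; i++)
        ptrs[i] = b->base + offs[i];
    free(offs);
    return 0;
}

/* Append n bytes, growing (and relocating ptrs[]) when necessary. */
static int buf_append(buf_t *b, const char *s, size_t n,
                      char **ptrs, size_t nptrs) {
    if (b->len + n > b->cap && buf_grow(b, n, ptrs, nptrs) != 0)
        return -1;
    memcpy(b->base + b->len, s, n);
    b->len += n;
    return 0;
}

/* Demo: store "name=value" in the buffer, keep pointers to the start and
 * end of the value, force many reallocations, then check that the
 * relocated pointers still delimit the value text inside the live block.
 * Returns 1 when the pointers are correct, 0 otherwise. */
int relocation_demo(void) {
    buf_t b = {0};
    const char attr[] = "href=http://example.invalid/";  /* constructed input */
    const size_t attr_len = sizeof attr - 1;              /* 28 bytes */
    const size_t eq = 5;                                  /* index just after '=' */
    char *ptrs[2];

    if (buf_append(&b, attr, attr_len, NULL, 0) != 0)
        return 0;
    ptrs[0] = b.base + eq;      /* value   */
    ptrs[1] = b.base + b.len;   /* valuend (one past the end of the value) */

    /* 2000 appends of 8 bytes push the buffer through several reallocs. */
    for (int i = 0; i < 2000; i++) {
        if (buf_append(&b, "xxxxxxxx", 8, ptrs, 2) != 0) {
            free(b.base);
            return 0;
        }
    }

    const char *value = ptrs[0], *valuend = ptrs[1];
    size_t vlen = (size_t)(valuend - value);
    int ok = vlen == attr_len - eq
          && memcmp(value, "http://example.invalid/", vlen) == 0
          && value >= b.base && valuend <= b.base + b.cap;
    free(b.base);
    return ok;
}
```

The check at the end is what a CHERI system would enforce for you at runtime: `value` and `valuend` must lie inside the block that `b.base` currently owns. Building them from `b.base + offset` guarantees that, whereas adding the same offset to the stale pointer would produce an address that happens to be right but a capability whose bounds still describe the freed block.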